30-day master password timeout + 2-minute TouchID: Less secure?
So, to make 1Password more convenient with the TouchID, I've set my master password timeout to 30 days and my TouchID timeout to 2 minutes.
Is this less secure than setting the master password to a shorter timeout (like 10 minutes)?
That is, is the 1Password database unlocked while the master password is not required? Or is the master password kept around in memory?
Using TouchID is better from a usability perspective (i.e., it's quicker!), and there is also less chance of someone seeing my password as I type.
Comments
-
When you use TouchID or the PIN feature, your master password is stored in a secure yet temporary state in the iOS device's keychain (based on the posts I've read here). As it is flagged as temporary, it's never backed up anywhere else. So your database is locked and it still can only be unlocked with your master password; it's just that using TouchID or a PIN unlocks the securely stored master password, which is then used to unlock your vault.
So leaving 1Password or letting it idle for 2 minutes will lock your vault but your master password can be retrieved from its secure location using TouchID.
I'm pretty sure that's correct anyway.
0 -
Now I've read it through a couple of times, your explanation is very clear. Thanks for helping to clear up how it all works.
After reading this, then, I can't think of any downside to setting the master password timeout to 30 days and TouchID timeout to 2 minutes.
Thanks again!
0 -
AgileBits folks worry that if you don't enter your master password regularly, you run a greater risk of forgetting it. So I make sure I enter it at least once a day, to be sure. YMMV, of course.
0 -
Forgetting it is not an issue in my case, since 1PW Mac doesn't support a PIN function and I'm entering the same PW there several times a day.
0 -
Hi @robot_kid
It looks like you've gotten some great advice here, I hope it's been helpful! Just to chime in with the "official" response, as @hawkmoth says, your Master Password is the only access point to your data. If you were to forget it (possibly due to lack of use) we would be unable to reset it for you. So we do want to ensure that you're not going to forget it simply because you never have to type it in. But I'm with you - I do not enjoy typing my Master Password in on iOS. Thankfully, I have to enter it several times a day on my Mac, so it's unlikely that I'll forget it due to lack of use. :)
It is also important to note that if TouchID (or your Quick Unlock Code, for users who do not have TouchID) fails, the Master Password will be deleted from the iOS keychain and you will be prompted for the Master Password.
I hope this helps, but we're here if you have any further questions!
0