Feedback: Please provide option to ALWAYS keep 1Password logged in

FLHX_2013
Community Member

I love 1Password and my move from PasswordBox. The only thing I miss: PasswordBox had an option to remain logged in between browser sessions - even if I logged out or restarted my computer. For a single-user home computer, this just makes things easier. At least give us the option. Please. Thanks!

Comments

  • littlebobbytables
    1Password Alumni

    Hi @FLHX_2013,

    Our primary concern here is if we allow such a feature it could become possible to forget your Master Password. Should you ever reach a point where it is required and you've forgotten it you're pretty much screwed. There is no way to recover a Master Password or reset it - a vault where you don't know the Master Password is effectively lost. We've had to support people that can't access their vault any more and it's terrible because there is nothing we can do. We don't want to do anything that may increase the possibility of this happening.

    The timers can be set so you're only unlocking the vault once per boot up or logging into your account as I suspect you already know. Maybe it won't seem as bad after an adjustment period?

  • FLHX_2013
    Community Member

    Yes - that's a fine suggestion, just not my preference when it should really be on me to manage my master password so that scenario doesn't happen. I do appreciate your response - thanks.

  • jpgoldberg
    1Password Alumni

    Let me make a few comments, @FLHX_2013.

    Back in the old days, we actually had an option for exactly what you asked for. It was called "Never prompt for Master Password". (I think we killed this in around 2011). Not only did people forget their Master Passwords, but people even forgot that they had ever set a Master Password.

    As @littlebobbytables pointed out, our security design means that nobody – not even us – can get at your data without its Master Password. So if it is forgotten, that data is lost. Your 1Password Master Password is not like other passwords.

  • schluesselbund
    Community Member

    That is still the reason why I stick with LastPass. Like I said in another post a while ago, there are a few things I like about 1Password and probably would switch, if only it had such an option.

    Since I use a long complex password, I don't want to be prompted to enter it every time I boot up my computer, which is by the way only used by myself and additionally protected by whole disc encryption.

    LastPass gives me a clear warning, when I check the box to save my login, which of course it should do, but at least they put the choice in my hand. And no, in about 7 years I never forgot my master password, even though it is very complex and I changed it a few times, but if I did, I would never blame LastPass for it.

    Like I said back in my other post, I see some advantages in 1Password, but I don't want to buy a product that I feel bosses me around instead of letting me make my own decisions.

  • Megan
    1Password Alumni

    Hi @schluesselbund,

    Thank you so much for the feedback, I'm sorry that you feel that 1Password is not for you. Security and convenience is always a difficult balance, but here at AgileBits we want to ensure that we don't sacrifice security for convenience. Our users' data is just too important to us.

    You mention using a 'complex' password to secure your data. I would suggest that if you choose to create a Master Password using Diceware, as described in Towards Better Master Passwords, you can create a password that is not only easy to remember, but also easy to type. When your password consists of 5 or 6 dictionary words instead of a jumble of letters and numbers and symbols, it's really not that much trouble to type it in when your computer re-boots. :)

    If you have any other questions or concerns, we'd be happy to continue the conversation.

  • schluesselbund
    Community Member

    Hello Megan,

    thanks for writing back and for the suggestion, which is generally good advice for people who still want to use a password manager this way. However I just don't want to enter a password anymore at all, no matter if it is easy to enter or not and the reason is simply that I got used to this and you can't expect people to do something that feels like a step backwards. I think you could compare it to using TouchID on newer iOS devices, if I would have to enter my password for my password manager again every time I boot up my computer, it would feel like giving up TouchID again, which I think 1Password supports, or do you have to enter your master password on iOS too on a regular basis?

    Of course you have to balance security and convenience but in this case I think you should give the user a little bit more flexibility on the one hand because there are people like me who just don't like it if some choices can't be made by themselves, but I also see some advantages if you can save your login.

    In my case since I actually almost never have to enter my master password for LastPass I made it longer and more complex than I might have made it, if I had to enter it all the time. The same goes for my iOS devices, since they all have now TouchID and I rarely have to enter their passcode I made it a real password now instead of the normally 4 digit code.

    Of course probably not everyone should save their master password and for that it might be a good idea not to offer that in the normal setup process when you start using 1Password. I think a popup message with a clear warning when you check that option is fine, or you might even hide this function deep in the settings and give people some hints about locking the screen and maybe even using Filevault. But since this is clearly something that doesn't immediately compromise the security of 1Password and like I explained also might be an advantage if you use a more secure master password, this is just a function that should be there, otherwise as I said that would feel like taking a step backwards, which I am not willing to do.

    And since so far I only complained about that thing, just let me point out what makes me want to give 1Password a longer try: I did use a trial version some time ago for a few weeks and at least in my case and the websites I visit 1Password was more successful in filling out the forms, where even in case of just recently added websites LastPass often didn't really fill them out and I had to manually copy/paste them from the vault.

    Also luckily for you it seems that many iOS apps since iOS 8 did integrate support for password managers and instead of just saying password manager they almost all the time mention 1Password or use the 1Password logo next to the login fields. So far when clicking your logo the LastPass extension always works too, but it took me a while to figure that out, so just that I don't have to remind myself all the time, that in such cases using LastPass over the share option works too, I like the idea of just using what is mentioned there. Like I said, good for you in that case ;-)

  • littlebobbytables
    1Password Alumni

    Hi @schluesselbund,

    I'm just responding to let you know in a bit more detail how the security works in 1Password for iOS. It's true that in the iOS app you can set up a PIN or use Touch ID to access your vault. Which is open to you depends on how you have set up your iOS security. To use either requires that you have a Passcode set on your iOS device. No Passcode - you're forced to enter your Master Password each time. If you have a Passcode set but no Touch ID then you can set a PIN in 1Password for iOS. One incorrect attempt and you're forced to enter your Master Password. If you have Touch ID enabled you can activate Touch ID in 1Password for iOS which does allow for more failed attempts - I haven't pushed it myself.

    Regardless, if you reboot your iOS device you will also be forced to enter your Master Password. As it stands we already have instances where people forget their Master Password because they've been using Touch ID and they're now completely locked out of their vault. We're talking about total loss - there is no recovery of a vault without the Master Password. It's why we put in the ability to request your Master Password on a more frequent basis rather than less frequent. The same could happen in OS X if we allow users the ability to avoid entering their Master Password by having the operating system store it. Then when for whatever reason the OS lets them down they're in the same position as those poor iOS users. It would be different if we were talking about access to a file that could be reset but encryption doesn't work like that. This is why we are extremely reluctant to return to a position where users may risk losing so much.

  • schluesselbund
    Community Member

    Hello @littlebobbytables,

    thanks for writing back and explaining your position.

    Of course it is too bad if people did forget their password and have no access to their vault anymore, but first of all this is exactly what I want and expect from a secure password management solution, that there is no way to access the data without a password and that there is no backdoor. The question is in this case, whether it is your responsibility if they forgot their password and preventing this from happening has to go that far, to not allow saving it for logging in totally.

    I think it is responsible enough to give a clear warning and hiding this option deep in the settings might be a nice addition and if people still from time to time forget their password, you shouldn't feel, that it is your fault.

    Oh, and I came across another nice way to deal with this, do you know Authy? Authy is a nice app that you could say does for 2nd factor authentication, what LastPass and you are doing for passwords, you can use it like the Google Authenticator app, but it also syncs all websites you use it for on multiple devices. Of course if they get synced over the cloud, they get encrypted on your device and you should use a strong master password here too. However you can save this and login via TouchID if you need a token, so you don't have to enter it all the time. This might of course also put you at risk to forget it, however the way they deal with it is one I can accept and so still use it as my favorite app to deal with 2nd factor authentication. Simply every few weeks when I run the app I get a popup message saying something like "This is a friendly reminder to make sure you still remember your password." and it comes with a field, where I can (not must) enter my password. I can enter it and Authy will confirm whether it is correct or not, but I can also simply dismiss the message window and move on. I can't trigger this reminder, it just comes up every few weeks, so unfortunately I can't share a screenshot of it, maybe later I can upload one here.

    But anyway, like I said this is I think so far the best way to deal with this and a way I can in case of Authy live with, a message I can simply dismiss every few weeks doesn't bother me, and people who might be at risk to forget their password get a reminder on a regular basis.

    I hope you can at least consider some changes in favor of people like me, who just want to be more flexible in setting up their password manager. Like I said, I didn't forget my (long and complex) password in years and it feels just wonderful to have instant access to my vault everywhere. Also having to enter it after a reboot on the phone is probably not bad in some cases, but not even my banking app requires that and again I as a grown up responsible user would feel being treated like a child if I'd be using it now. Since I use TouchID on my phone, I use a real password instead of a PIN which I have to enter anyway when rebooting my phone, like my filevault password on my computer for me, these are precautions enough, after that I expect that everything else just works instead of getting in my way.

  • schluesselbund
    Community Member

    Hello again, I finally didn't forget to make a screenshot from the OPTIONAL password reminder of Authy, I uploaded it to this post as an attachment. You can enter your password there if you like and it will confirm if it is correct or not, but you can also dismiss it if you like.

    This is for me the correct balance between showing responsibility and not getting in the users way.
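
An added example, not part of the thread and not Authy's or 1Password's code: one way a dismissible "do you still remember your password?" prompt like the one described in the two posts above can confirm an entry without the app storing the password. The function names, the three-week interval and the PBKDF2 work factor are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Optional

PBKDF2_ITERATIONS = 200_000             # assumed work factor for this sketch
REMINDER_INTERVAL = timedelta(weeks=3)  # "every few weeks" (assumed value)


def _derive(password: str, salt: bytes) -> bytes:
    """Stretch the password into 64 bytes: 32 for a vault key, 32 for a verifier."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=64)


def enroll(password: str, now: datetime) -> dict:
    """Build the record kept on disk. The password and the key half are never
    stored. The verifier can be guessed offline just like the vault itself,
    which is why it goes through the same slow derivation."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "verifier": _derive(password, salt)[32:],
            "last_prompt": now}


def reminder_due(record: dict, now: datetime) -> bool:
    """True once the interval has passed since the last prompt was shown."""
    return now - record["last_prompt"] >= REMINDER_INTERVAL


def answer_reminder(record: dict, now: datetime, attempt: Optional[str]) -> str:
    """attempt=None models tapping Dismiss; nothing is ever forced or locked."""
    record["last_prompt"] = now
    if attempt is None:
        return "dismissed"
    candidate = _derive(attempt, record["salt"])[32:]
    # Constant-time comparison so the check leaks nothing about the verifier.
    if hmac.compare_digest(candidate, record["verifier"]):
        return "correct"
    return "incorrect"


if __name__ == "__main__":
    start = datetime(2015, 1, 1)                           # constructed sample date
    rec = enroll("correct horse battery staple", start)    # constructed password
    later = start + timedelta(weeks=4)
    if reminder_due(rec, later):
        print(answer_reminder(rec, later, "correct horse battery staple"))
```
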

  • littlebobbytables
    1Password Alumni

    Hi @schluesselbund,

    I can certainly make the proposal, I just can't promise anything. Minds better than mine made the decisions we're debating here and they have to factor in the various demographics of our users and whether any particular feature would potentially cause more harm than good over the entire 1Password family. If we enforce we annoy people like you but we ensure everybody is entering their Master Password on a routine basis. If we prompt but allow people to dismiss do we end up risking more people forgetting their Master Password because it's in our nature to postpone stuff like that? I have a few apps for example that I do want to leave a review for but they always ask at the wrong time so it gets put off time and time again.

    From my personal perspective, there is nothing worse than having to tell somebody we can't help them access their vault. They feel bad and I feel bad for them. If they've been dismissing that prompt technically I could point out that we've been trying to encourage them to remember and test that they remember but they're already feeling bad and that won't help them remember or feel any better.

    It's tough. I'm not saying we don't reflect on certain decisions and decide we could do that better and this may be one of those, but it's also something that we have to be so very careful over.

    I look at that prompt and wonder how many people are sensible enough to routinely test that they do remember their password or do the majority simply tap Ignore as I suspect they do (myself probably included). If it's essentially an "I told you so" it doesn't seem that useful to me. Again, just my thoughts on the matter.

    Security will always be a very tricky and delicate subject matter :smile:

This discussion has been closed.