Master password - request too often

hi there,

I am testing 1Pass for a while and it seems that I have a small "trouble" with windows app and firefox extension (or 1pass account options).

2 mentioned programs ask me for master password in shorter periods of time than they should.

1) in 1Password Mini (standalone app) auto-lock is set to 8 hours
2) in 1Password account auto-lock is set to maximum 300 minutes (1Password will lock in this browser when closed or after it is idle for 300 minutes.)

but even I had set options mentioned above the 1Password app is asking me for master password around one in 30 minutes.

what am I doing wrong?

all the best,
antoni


1Password Version: 6.7.457
Extension Version: 4.6.12.10
OS Version: Windows 10
Sync Type: Not Provided
Referrer: forum-search:ask for password

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2017

    @antrus: It's your call, but 8 hours and 300 minutes (5 hours) seem like an unnecessary risk. Depending on your settings, if your computer goes to sleep on the screen saver is activated (often set after 30 minutes of inactivity), 1Password will probably lock. You can customize the settings in 1Password for Windows Settings > Security. Just keep in mind that those do not apply to the 1Password.com web interface. And anything that causes the page to reload or disconnect (the browser killing tabs you're not using, for example) will cause you to be logged out.

  • antrus
    antrus
    Community Member
    edited November 2017

    thanks for an answer.

    I am the only person who uses this particular computer so that was the reason I thought it would be useful to putting masterpasword in longer periods of time (btw what are the risk for setting such long lock-time at personal computer? hackers who take control on my PC?).

    I checked and it looks that 1Pass lock itself after screen saver is activated (in my case it is set to 20 minutes, but when I lock screen saver manually it 1Pass locks also).

    so where can I force 1 Pass not to lock at the same time as screen saver?

    best,
    antoni

  • MikeT
    edited November 2017

    Hi @antrus,

    btw what are the risk for setting such long lock-time at personal computer? hackers who take control on my PC?).

    Any random people walking to your computer while you're not next to it, remote desktop into your computer, etc. The more 1Password stays locked, the smaller the window of opportunity.

    If your system is compromised completely by hackers, 1Password cannot protect you. They can get into it other ways, like capturing your keyboard entries as you type your password, etc.

    so where can I force 1 Pass not to lock at the same time as screen saver?

    Disable the Lock when computer is locked option in your 1Password Security settings.

  • antrus
    antrus
    Community Member

    dear @MikeT

    thanks for an answer.

    I do not understand you completly.

    They can get into it other ways, like capturing your keyboard entries as you type your password, etc.

    The more 1Password stays locked, the smaller the window of opportunity.

    if hackers are able to catch my masterpassword by capturing my keybord entries means that if I lock 1Pass very often I have to enter Master Password more times than usual, hence I give them more possibilities to catch it. Am I right?

    best,
    antoni

  • Hi @antrus,

    if hackers are able to catch my masterpassword by capturing my keybord entries means that if I lock 1Pass very often I have to enter Master Password more times than usual, hence I give them more possibilities to catch it. Am I right?

    I've updated my post to clarify the two separate events.

    At this point, the game is effectively over. Once your system is compromised, the timer wouldn't matter and there's nothing we can do to protect you, nothing can.

    The auto-lock is designed to prevent someone else from going to your computer, export your data and leave without you knowing. If hackers can sniff your keyboard events without you knowing, they can wait any amount of time to grab your password.

  • antrus
    antrus
    Community Member

    dear @MikeT

    so if I live alone - no one has access to my PC, except my dog ;) - the size of auto-lock's time window does not really matter, right?

    if I want to be more secure I should then install some kind of firewall and/or antivirus software to prevent capturing any of my keyboard entries?

    best,

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2017

    @antrus: I dunno, dogs can be pretty shifty...

    https://www.youtube.com/watch?v=T55ArHjeR1c

    But in all seriousness, antivirus software often opens security holes in systems, since they try to integrate so deeply with the OS in ways the vendor did not intend. "Update your software and OS regularly instead, practice skeptical computing" is fantastic advice, especially considering it fits in a tagline for the article I linked there. I can't say it better myself

    Ultimately though, it's your call. Just keep in mind that even if you use antivirus software, or practice good security by keeping everything up to date, that cannot protect you from yourself. There will always be new security flaws that are not caught by antivirus or patched in the OS. They catch up, but it takes time to develop and push updates out to everyone. So you're always going to be the last line of defense.

    That's why practicing good security hygiene is so important. If you let something in, either by visiting a shady site or installing something from an untrusted source, neither the OS nor security software can prevent this. You're in control of the machine — until you cede that control to malware.

    However, one way that 1Password can help in these situations is that if you do NOT open the app and access your data, it just sits there, encrypted, on the disk. This is why having 1Password locked until it is not needed can be helpful. It can't prevent you from giving the new owner of your machine — malware — access to your data, but that eliminates one attack vector at least.

This discussion has been closed.