how do I set an expiry for a login

robertbellster
Community Member

My bank requires me to change my password every xx days - how do I set a reminder?



Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @robertbellster! I'd recommend using Apple's Reminders app, or any other calendaring/GTD/to-do program you may prefer. :)

  • danco
    Volunteer Moderator

    @Lars's suggestion is the best. But there would be no harm in adding the expiry date in the Notes field of the login.

  • Corey_C
    Community Member

    Not a bad idea, danco. It can't hurt to do so if you would like to.

  • bobwood
    Community Member

    That would be awesome! Currently I do the following steps....

    1. Make a tag for 3 months, 6 months, 1 year or whatever.
    2. Add all passwords to be changed to this tag.
    3. Open iCal, create a reminder, and name it 1P3month etc, set date in future based upon time frame, use reoccurring event if you desire.
    4. When time's up, open 1P, sort by tag and proceed to change those passwords.

  • AGAlumB
    1Password Alumni

    Security experts do not recommend changing passwords at arbitrary times, as it encourages bad behaviour and offers no security benefit if there is nothing wrong with the existing password. But if you have to do it, that sounds like a good plan. Cheers! :)

  • MrCaspan
    Community Member

    It really offers no security. What if somehow someone has this password? By changing it you prevent this user from ever logging in. If you are using true random passwords this prevents bad behaviors like using same passwords just 1,2,3 on the end.

    Not sure how you could suggest this is not recommended. I change a site's password once every 2 months, it's random, it prevents old passwords from getting in. If your password leaked in a database breach they don't tell you about, you're protected.

    Can you point to this article that says don't change your password every so often?

  • Lars
    1Password Alumni

    @MrCaspan - sure! There's really no "article" per se from NIST directly, but here's an external article that summarizes the new instructions (which differ from the older ones from the early 2000s), along with a link to NIST's actual new guidelines (considerably lengthier). Hope that helps. :)

  • MrCaspan
    Community Member
    edited June 2019

    I did find this from 3 years ago though: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

    I guess what he is saying for regular users forcing a password change on them forces them to use password01, password02, password03 etc making the password just as weak as before. But the one thing that I will argue is if you are using 1Password you are not an average user and you know to use random passwords and this would kick out anyone that might happen to have got a hold of an old database copy of, let's say, a password file. All your passwords are sitting in one place in 1Password. What if someone gets a copy of that? By changing your passwords every so often, like an RSA key fob you protect yourself from the past!!

    Now for sites that have 2FA I don't have to change my password because basically Password+6 digits that change every 30 seconds can not be guessed as good but I store my 2FA in Authy cloud so I still have to change those passwords again in case someone gets my 2FA tokens. In my opinion I just change passwords every 2-3 months and I know they are secure to the best of my ability.

    Also 1Password lets you store your 2FA token with your password which is just WRONG BTW LOL Still no idea why you guys included this, you circumvented the point of 2FA!!

  • Ben

    @MrCaspan

    > Also 1Password lets you store your 2FA token with your password which is just WRONG BTW LOL Still no idea why you guys included this, you circumvented the point of 2FA!!

    This post addresses that:

    TOTP for 1Password users

    > In my opinion I just change passwords every 2-3 months and I know they are secure to the best of my ability.

    That's certainly your prerogative, though it is not something that we recommend.

    Ben

  • MrCaspan
    Community Member

    Thanks Ben, can you explain why if you are using a random password it would be worse/less secure to change your passwords regularly?

  • Lars
    1Password Alumni

    @MrCaspan - when people become 1Password users for the first time, we actively encourage them to change their passwords everywhere -- but that's because they've typically been using the same three or four passwords everywhere prior to beginning to use 1Password, so it's a highly recommended expenditure of time...once.

    And certainly, once you're using 1Password, the whole point is that it's much easier to generate long, strong, truly random passwords that you don't have to memorize, which puts you miles ahead of nearly any other user who would have to be trying to remember or otherwise keep track. So you certainly can continue to change your passwords frequently despite what NIST now says, if you wish. But the potential for problems remains (for example: you generate the password within 1Password but don't save it at the site, or you save it at the site but forget to update 1Password, etc). And that's not to mention how time-consuming the task of changing all your passwords everywhere, every X months is. I'm well aware I'm an outlier case, given how many test accounts and the like I have as a result of my job here (and just generally being a heavier-than-average internet user), but I currently have 719 active Login items in all my vaults combined. That's a not-inconsiderable amount of work, and many, many opportunities for something to go wrong.

    I guess I would ask you to consider what benefit you think there is to changing all your passwords on a set schedule even when you have no reason to suspect they've been breached or compromised, and they're already long, strong and random? If you can make up a list of reasons that in your opinion outweighs just the top-line reasons why doing so isn't necessary or even a great idea, then by all means, have at it - you've got the best tool already in your arsenal to engage just such a task. We just don't think it's necessary for most users to do so, when they've no knowledge of nor reason to suspect a breach/disclosure of their passwords.

  • MrCaspan
    Community Member
    edited June 2019

    Thanks @Lars great points. I would be scared of the fact that companies don't always tell you when they have been breached. As you said that is up to me to weigh that. It's funny though as a security product that you don't take the stand point of "Assume your passwords get breached all the time" LOL

    I get what you are saying though! Thanks for the input and I have about 400 active passwords as an IT professional and all my clients friends and family's across multi products !! I was looking for the expire feature also I remember KeePass had.

  • Lars
    1Password Alumni

    @MrCaspan

    > I was looking for the expire feature also I remember KeePass had.

    Yeah, this is never likely to be a thing, since long before the new NIST guidelines, we'd been recommending against the previous ones (that DID suggest frequent password changes). We've never considered it a good idea and I doubt that's likely to change now.

    > It's funny though as a security product that you don't take the stand point of "Assume your passwords get breached all the time"

    We try to make our security recommendations as real-world as possible. There are certain situations for which the most appropriate posture is: "assume the worst" (like never sharing your Master Password with anyone else), but there are many other situations (and this is one of them) where spreading FUD by adopting a "sky is falling" approach not only isn't accurate, the corresponding recommendations that would accompany such an approach are also not necessarily all that helpful in most cases and can actually result in some users winding up taking steps that can get them into trouble.

  • Ben

    :+1:

    Ben

This discussion has been closed.