Master Password Policy

If we change our master password policy from minimum (10 characters) to strong (14 characters), will it lock out those who have passwords under 14 characters, or will it enforce the new strong (14 character) policy during the next password change?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @fcalata_earnest

    The policy would be applied to people creating accounts within your organization and also when existing members change their Master Password. It would not lock existing members out if their password does not meet the requirements. :)

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • fcalata_earnest (Community Member)

    Hi @Ben. Thanks for that context. Our idea is to turn on 2FA for 1Password right after. Could you elaborate on the behavior once we change the policy and turn on 2FA for 1Password? I'd like to confirm there's no break in anyone's workflow, resulting in a smoother change moving forward. Thanks!

  • Lars (1Password Alumni)

    @fcalata_earnest - I'm not quite sure what you're looking for. Bumping the Master Password policy to 14 characters is a good idea all on its own, but anyone on your team can turn on 2FA if they wish already. What's enabled when you set your Master Password policy at 14 characters is the ability for Owners/Admins to require 2FA for all team members. There should be no change or disruption in anyone's workflow -- the policy (as Ben mentioned) will be that new team members will need at least 14 characters, and any existing members who either choose to change their Master Password or get put through Recovery will also need to use at least 14 for their new Master Password. And everyone will need to enable 2FA, of course. But no one should experience any disruption. Let us know if you run into any snags, however.

  • Lars (1Password Alumni)

    @fcalata_earnest - I just realized that you may have been asking a different question than I thought. If you meant: would anyone's ability to use 1Password be affected, then my above answer stands. But if you meant whether people who do not have 2FA turned on yet would have to stop what they are doing, and set it up? Then yes (with a caveat, which I'll explain). In other words, once you "flip that switch," all signed-in client apps/browsers will discontinue their current session, and require the setup of 2FA before a user can sign in again.

    Having said that, if a user is already signed in within a 1Password app (instead of a browser), they can dismiss the 2FA setup requirement and still access the local store of their data, if urgent work is in progress. But until they either set up 2FA (if not yet set up) or authenticate with 2FA, they will not be able to sync with the server and receive or send any changes to data until they do - on every device where they're signed in. You only need to authenticate once with 2FA on each device...but you do have to do it once.

  • :+1: :)

    Ben
