Password Update Policy

Hi @User_93854745

At present there is not; sorry. Perhaps that is something we can consider for the future. Thanks for the suggestion. :)

Ben

Welcome to the forum, @rob2342! Lars from the Security Team here. There are certainly competing and sometimes even contradictory pieces of advice available on a multitude of topics, and password practices are no exception. An example would be the way two versions of the same publication from a generally respected source - NIST - from different eras directly contradict one another on the advisability of frequent password changes. The newer version recommends against it in most cases:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

We concur with that advice, and in fact were advocating for it back when Bill Burr's original version of the guidelines that recommended frequent password changes was still in effect and considered common knowledge and best practice. Until this new version was released, it was much tougher sledding for us to explain what we believed were best practices when well-read users could point to NIST's own guidelines that differed from what we suggested. We are glad to see their recommendations in alignment with ours now. And in fact, in the updated (current) guidelines, the very next paragraph reads:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

In 2003, 1Password did not exist, and neither did any of today's major players in the password manager space (that I'm aware of). Fast-forward to 2021, and one of the reasons this space (password management) is so robust is because humans are terrible at remembering dozens or hundreds of randomly generated passwords, and all of us have a lot more of them to remember/manage than we used to. In the pre-password manager days, it was still possible to generate passwords randomly, and to write them down -- but very few people did so. Instead, most people re-used passwords, or made minor iterative changes from one service to the next with the same base password as the underlying core - adding initials of the service or a digit to the end of the same password for different services, etc.

Today, using a password manager with a good CSPRNG allows even the least technically-proficient to create truly strong, unique passwords for every site and service, without having to worry about remembering them in their own head. As a result, what's a strong password today will remain a strong password tomorrow (and thus not need to be changed) unless either the service itself is breached, or the user is somehow socially engineered or tricked into divulging their password, or their device is stolen/hacked. Yes, it's not always immediately apparent that one's device has been breached -- but often, it is. And most reputable and competent companies with an online presence will responsibly disclose password breaches as quickly as they happen. As a result, we don't suggest people regularly change passwords generally unless they suspect (or know) that either they or the service in question has experienced a breach.

It's certainly a matter of personal choice (as it is in nearly everything), which guidelines and recommendations to choose and which to alter or ignore, and we don't deny there may be very good reasons for not taking a particular piece of advice on a topic, depending on one's own personal situation. In fact, I would argue that using one's own powers of discernment and judgment in assessing the applicability of various guidelines/recommendations to one's own situation is practicing good security, in most cases. And if users want to change passwords on a set schedule or whenever else feels comfortable, 1Password will be right there to help them by making it easy to change their passwords and make them stronger, then get right back to whatever they were doing. But - since we don't suggest changing one's passwords regularly - there are no current plans to build in the functionality User_93854745 was suggesting in the OP. If you're using 1Password for Mac, you can use Search Options to select age of last password change to find passwords that have not been changed in a certain time-frame, but on Windows or elsewhere, I'd suggest using calendar or task reminders to accomplish this for accounts where you believe it's beneficial.