Feature request: password rotation

helloworld
helloworld
Community Member

I am really disappointed to see how many times this feature was requested and still rejected with very weak arguments.

I always see the team replying "There is no interest in changing a long-strong password". To be honest that kind of statement worries me. I start to seriously wonder how good at security the 1password team is...

We don't always know if a password has been compromised. In fact, most of the time we do NOT know. So the only sensible thing we can do is to say that each password has a probability of being compromised. And that probability does increase with time and usage. A password used every day for 20 years has a far higher probability of being compromised than a brand new password that has been used a single time.

After a certain age of the password, I consider the probability of being compromised to be too high. I would like 1password to support me, by at least telling me the list of passwords that are too old (the age limit should be configurable by the user).

Please allow us to have password rotation!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Tertius3
    Tertius3
    Community Member
    edited November 2021

Best password practice doesn't include password rotation any more. The risk connected with changing the passwords is higher than the risk that an unchanged password could be compromised. Performing a password change is a higher risk than keeping the old password.
    See here https://arstechnica.com/information-technology/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/
    or here https://www.pluralsight.com/blog/security-professional/modern-password-guidelines
    or here https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

    While it is true that the longer a password is in place, the higher the risk it is compromised, it's also true the risk connected with performing a password change is an even higher risk. This might be a surprise, but that's what the experts found out in years of experience.

  • ag_ana
    ag_ana
    1Password Alumni

    @helloworld:

    Thank you for the feedback! Tertius3 put it perfectly here:

Best password practice doesn't include password rotation any more. The risk connected with changing the passwords is higher than the risk that an unchanged password could be compromised. Performing a password change is a higher risk than keeping the old password.

    Let us know if you have any questions :+1:

    When it comes to seeing old passwords, there might be a way to do that already by sorting items appropriately. What operating system are you using 1Password on?

  • helloworld
    helloworld
    Community Member
    edited November 2021

I think you misunderstand these articles. They say that "forced regular change" is a problem. They say that we should not impose password rotation on other people. Because if we do so, people forced to rotate their password will start to use weaker passwords by including rotation metadata in the password itself (like the month, year, season).

But none of these articles say that renewing your own randomly generated password is less secure than keeping the same password forever! That would be absurd.

To be honest, I am quite worried to see that the security staff of 1password is not capable of understanding the difference between "imposed rotation for people that may not use randomly generated passwords" and "renewing randomly generated passwords".

    When it comes to seeing old passwords, there might be a way to do that already by sorting items appropriately. What operating system are you using 1Password on?

    That would be great! How can I do that?

    I am on Linux.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited November 2021

    @helloworld I understand your concern and also understand why 1Password might be reluctant to add a feature like this. Most users look to 1Password and their apps to guide them in how best to manage their passwords. Just having the ability to sort by last password change date/time leads the user towards rotating old passwords which in most cases is pointless. And it can be counter-productive because people may decide that using a password manager is just too much work.

In the early days of the internet there were lots of opportunities for passwords to be intercepted, for example, when entered on HTTP webpages. Today HTTPS is commonplace and the only real opportunities for interception are phishing attacks or compromise of the user's device or the web server.

If it's phishing then the user should change the affected password as soon as they become aware. If the user's device has been compromised then when they become aware and fix the issue they can set about rotating all their passwords, irrespective of last change date/time.

If the issue is with the server then when the leak is fixed and the breach is announced users can rotate the password for that particular site. Doing so any sooner doesn't help secure your data, and given that the delay between data being lost and being used by attackers may be minutes, hours or days, it's simply not practical to rotate your passwords quickly enough to make any difference to the outcome.

  • XIII
    XIII
    Community Member

    Please allow us to have password rotation

    You can already manually change any password you like, including your master password.

    How would the rotation feature work, without enforcing users to change their password (with a certain frequency)?

  • helloworld
    helloworld
    Community Member
    edited November 2021

    You can already manually change any password you like, including your master password.

    How would the rotation feature work, without enforcing users to change their password (with a certain frequency)?

Of course I can change any passwords I like. But I have hundreds of them. I thought 1password could help me at managing that.

1password could tell me the list of passwords that reached some age limit I defined, and possibly remind me about it (probably in the "watchtower" section). Maybe even when I use the login it could give me a friendly reminder to tell me "hey btw this password is a bit old, you may want to renew it".

It doesn't have to be imposed on everyone. It can be an opt-in feature. But at least people that care about it would be able to use it.

@rootzero Please make sure to read my initial comment. No matter how secure and recent the technologies you use are, the probability for a password to be compromised does increase over time!
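The check helloworld asks for above (an opt-in list of logins whose stored password is older than a limit the user picks), written out as an added example; it is not code from this thread and not 1Password's own code. It assumes item records shaped like the JSON the 1Password CLI prints for `op item list --format json` (`id`, `title`, `category`, `created_at`, `updated_at`); that field layout is an assumption, and the sample data below is constructed. One caveat a practitioner should keep in mind: `updated_at` moves on any edit to the item, not only a password change, so the age it yields is a lower bound on the real password age.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of `op item list --format json`.
# The field names are an assumption about the 1Password CLI; this is not real vault data.
SAMPLE_ITEMS = json.dumps([
    {"id": "a1", "title": "Example Bank", "category": "LOGIN",
     "created_at": "2015-03-02T00:00:00Z", "updated_at": "2015-03-02T00:00:00Z"},
    {"id": "b2", "title": "Example Mail", "category": "LOGIN",
     "created_at": "2019-07-14T00:00:00Z", "updated_at": "2021-06-01T00:00:00Z"},
    {"id": "c3", "title": "New Shop", "category": "LOGIN",
     "created_at": "2021-11-10T00:00:00Z", "updated_at": "2021-11-10T00:00:00Z"},
    {"id": "d4", "title": "Router notes", "category": "SECURE_NOTE",
     "created_at": "2010-01-01T00:00:00Z", "updated_at": "2010-01-01T00:00:00Z"},
])


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2021-06-01T00:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_logins(items_json, max_age_days, now=None):
    """Return (title, id, age_in_days) for LOGIN items last edited more than max_age_days ago.

    `now` may be omitted (current UTC time), a datetime, or an RFC 3339 string.
    Age is measured from updated_at, which changes on *any* edit to the item, so the
    result is a lower bound on the true password age: a login can be older than it
    looks here, never younger.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_ts(now)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for item in json.loads(items_json):
        if item.get("category") != "LOGIN":
            continue  # secure notes, cards, etc. carry no login password to rotate
        last_change = parse_ts(item["updated_at"])
        if last_change < cutoff:
            stale.append((item["title"], item["id"], (now - last_change).days))
    stale.sort(key=lambda entry: entry[2], reverse=True)  # oldest first
    return stale


def main():
    # Usage (assumed CLI invocation): op item list --format json | python3 stale.py 365
    max_age_days = int(sys.argv[1]) if len(sys.argv) > 1 else 365
    # Read real data from stdin when something is piped in; otherwise use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ITEMS
    for title, item_id, age in stale_logins(raw, max_age_days):
        print(f"{age:5d} days  {item_id}  {title}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample with a 365-day limit, only "Example Bank" is reported; the secure note is skipped because it has no login password to rotate. The limit is the user's own choice, which is the opt-in behaviour helloworld describes, and the output is a reminder list, not an enforced change.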

  • [Deleted User]
    [Deleted User]
    Community Member

    @helloworld Any security strategy needs to define the threat model it is trying to defend against. I mentioned three broad categories of threat for which a regular password rotation doesn't help. Is there something else that you are trying to defend against?

  • helloworld
    helloworld
    Community Member
    edited November 2021

@rootzero. Any of the threat models you mentioned. You may not know or have noticed that you used an http site. Or you may not know that you have been the victim of a phishing attack, the website may not know that they have had a breach. I (and 1password) may not be aware of an announced breach, I may not know that someone has successfully scanned my password using any means.

As I may (and probably do) not know that my password is compromised, I instead consider that there is some probability that it is compromised. And that probability does increase over time! Given enough time I consider the probability to be too high and want to change the password.

  • helloworld
    helloworld
    Community Member
    edited November 2021

    @rootzero Consider two extreme cases:

Case A: all your passwords are 1 day old (all generated with today's required entropy to make them safe)

    Case B: all your passwords are 100 years old (all generated with the entropy that was needed 100 years ago)

    Are you seriously trying to tell me that case A is not more secure than case B?

  • [Deleted User]
    [Deleted User]
    Community Member

    @helloworld You should not store any sensitive data on a HTTP site.

If you have been the victim of a man-in-the-middle type phishing attack and are not aware, you could just be logging into the attacker's fake website again. If your passwords are being captured by another unknown means then you could just be handing the new password to the attacker.

    If a website has been breached and the operators are not aware, changing your password doesn't help. The criminals already have all your data and you are just giving them the new password.

    If a website has been breached and the operators have repaired the leak then changing your password does help. However, any website where you store sensitive information has a legal duty to inform you of a breach. So you can afford to wait for that notification.

    There are defences against all of these things, but those defences don't involve changing passwords regularly.

  • helloworld
    helloworld
    Community Member
    edited November 2021

    Sorry, but at this point I am not here to teach you cyber security. I don't have time for that here.

Now it is up to the 1password team to understand that it is a requested feature that would be helpful for users. If they don't understand that, I'll stop sending them my money and I will use a different service that provides this functionality (because it is supported by other solutions).

  • Tertius3
    Tertius3
    Community Member

    Let's take another approach: it's simply not feasible to regularly change a bigger number of passwords.

When I started using 1Password, I took the opportunity and checked all of my logins. I found out I had some very old accounts that still had all the same "low security" password (that's how I started out 20 years ago). It was a chore to update all of these and some more with also very primitive passwords. With more than one I had to initiate their account recovery, because the change didn't work. Either I forgot to save the newly generated password in 1Password, or I saved it but it was not accepted by the site, so I didn't know the previous password any more. This password recovery usually went through email, and this is a very insecure medium compared to direct entry over https.
This will happen every time if you frequently change passwords, and this is the risk that is higher than keeping a password unchanged over a long time. 1Password cannot help you with this, since every website is totally different with its password change page.
And I don't even start to argue about the time investment involved with changing 100 passwords about every 1-3 months. It's grossly wasted time for nothing.

    You need to be careful with your passwords, absolutely, but you don't need to be paranoid.

  • ag_ana
    ag_ana
    1Password Alumni

    @helloworld:

    That would be great! How can I do that?

    I am on Linux.

    Coming back to your earlier question about sorting, you should see a sort menu with a few options in the 1Password desktop app:

    Perhaps sorting by Date Created or Date Modified would help in your case?

This discussion has been closed.