1Password 8: account password required every 2 weeks?

XIII
XIII
Community Member
edited April 2022 in iOS

Please reconsider your decision to requires us to type our 1Password account password every 2 weeks on iOS/iPadOS.

I'm fine with typing that password every 2 weeks on my Mac and/or my PC (both with a physical keyboard) to make sure I don't forget it.

Typing my strong password with a touch keyboard is a major PITA!

In fact, I'm afraid this will turn out to be contra-productive, similar to big IT organizations requiring a new password every 90 days, resulting in people using less strong passwords...


1Password Version: 8 (all future versions)
OS Version: iOS/iPadOS

«13

Comments

  • Backspaze
    Backspaze
    Community Member

    In the old app, there's a setting for this under "Settings" > "Advanced" > "Security" > "Require master password..." where you can set it to to wide range of options with the most lenient option being "After reboot of the device". Considering that you now can configure 1Password 8 on Windows to use the TPM module to practically never have to type your master password again, even after reboots and updates, I'm guessing that the setting mentioned earlier will make a return?

  • Hi @XIII ,

    We have to balance the need for convenience with the reality that if we extend the limit some customers will not be able to remember their passwords and eventually be locked out of their data if they remove fingerprint information, get a new phone, etc. What we do recommend is choosing a password that is strong but yet not too difficult to type on a mobile device. A wordlist password is a good place to start.

    Regards,
    Kevin

  • XIII
    XIII
    Community Member
    edited April 2022

    Please show some love to users that run your Apps on multiple platforms. If I already type my account password on macOS (and Windows) regularly, typing it on iOS/iPadOS has hardly any additional value, but it is a major PITA on those specific platforms.

    In fact, I already type it every time in Windows (no Windows Hello on my very old PC).

    My current workaround: keep v7 installed, so I can copy the account password from there and paste it in v8…

  • skatch
    skatch
    Community Member
    edited April 2022

    +1. Requiring password on mobile devices every two weeks is quite a pain. And yeah, wordlist passwords make things easier, but they're also long, so you have to be super precise on a phone keyboard.

    The times when I have to pull up 1Password on my phone are often times where I'm in a rush and juggling other things (think: checkout counter while managing kids).

    Some alternatives I'd love for the team to consider:

    • As suggested by @XIII, don't require typing master password if you use 1pwd on another platform where you have to type it occasionally anyway (assuming 1password knows what platforms you log in with)
    • Take the approach Signal uses with their iOS app: they don't block you from using the app, but they prompt you like this occasionally (frequently at first, but at progressively longer intervals each time you enter it). You could do this anytime someone changes their master password:

    • Or just go back to letting users self-select to only type their master password never/after device restart.

  • acarling
    acarling
    Community Member

    I would agree that the default behaviour is a great default for most people, however it feels like a big regression to me that the advanced setting to "Require master password" (and the possibility to set it to "After device reboot" or "Never") seems to be removed.

    As an advanced user I have (a few) strategies to make sure I never forget my 1password credentials, and have made an informed decision to rely on the face id for my phone security as part of that set of strategies.

    I would very much like to possibility to keep having the great user experience I've enjoyed with 1Password since biometric authentication was added to the phones, going back to fumbling with passwords - always at the most inconvenient time - is not something I'm looking forward to.

    If you intend to ship 1password v8 with this regression I would hope you investigated other ways to make the user experience better, for an example entering the password on one of my devices could bump the timer on all other devices. Though I suspect just allowing me to store the password indefinitely in the iOS Keychain is much simpler to implement and less error-prone.

  • Kakkoister2
    Kakkoister2
    Community Member

    +1 for myself also of adding back the pin option, instead of the account password all the time, which I already type out on Mac regularly.

  • Backspaze
    Backspaze
    Community Member

    As @skatch mentioned, Signal's approach could be an option, but then again, Signal also lets you disable the reminders or disable the PIN code feature entirely. Sure it's "just a messaging app" and might not be as important as loosing access to your password manager, but the key thing here is that they are providing the option for the users to configure the app as they want, something that 1Password did in version 7 as well.

    And as @skatch also mentioned, the password prompt have a tendency to pop when you least need it, like when you're in a hurry. In 1Password 7 I have it configured to only ask for the password after a reboot since it's the closest you get to "never". But I've also chosen that option since then I'm in control of when it happens, because the only time I reboot is when installing an iOS update, which I do as soon as possible but only when it's convenient for me.

    I'd like to repeat what I wrote in my previous comment; considering that you now can configure 1Password on Windows to never ask for the password again by using the TPM feature, It would seem logical that you at least add the same setting and options in 1Password 8 for iOS as they were in 1Password 7. I don't mind if you hide the setting somewhere in a sub menu deep in the bowels of settings, as long as the setting is there for those who want it. You could even add a prompt when you configure the setting, similar to when you perform a factory reset of the phone, where it asks for confirmation 1-2 times, with a clear message/warning about how crucial it is to remember the master password and that you can't provide support if you manage to lock yourself out.

  • Hi everyone,

    Thanks for posting your different reasons and use cases. I'll pass this along for discussion and see if we can change this in the future. If it comes down to an inconvenience vs. locking many people out of their data, we'll usually side with the latter, but the compromises discussed here may turn out to be beneficial for everyone. I can't promise this will come, but I can promise it'll be discussed. Synchronizing when a user last typed their password and taking different authentication methods on different platforms does complicate it a bit, but it's worth discussing and seeing what we can do.

    Thanks everyone,
    Kevin

  • DenalB
    DenalB
    Community Member

    There was a discussion in February already, when v7.9.4 was released, because the "never option" was removed from the "Require Master Password" setting.

    https://1password.community/discussion/127160/never-option-removed-from-require-master-password

    Strange that in v8, the setting "Require Master Password" is completely removed now... 😮😕🤔

  • Backspaze
    Backspaze
    Community Member

    @DenalB thanks for bringing that up, as I wasn't aware of that thread. The discussion in that thread seems to have died out since the middle of March, but I noticed that @keinanesq had already mentioned some of the points I brought up in this thread as well, with the main inconsistent thin in all of this being the removal of the "never" option on iOS while at the same time adding the option on Windows. This inconsistency hasn't been addressed by AgileBits as far as I'm aware. Maybe @ag_kevin @Jack.P_1P @Ben or someone else from AgileBits could elaborate on this?

    I might add that I don't need or want the "never" option, hence why I didn't even notice the removal of that option on iOS. I'm only interested in bringing back the option "after reboot" in 1Password 8 on iOS, as that was my preferred setting, but I understand the other use cases for those that want the "never" option as well. As long as it's implemented as an option tucked away in the settings, with (multiple) warnings when choosing the option, I don't see the problem. Hiding the setting somewhere deep down in a menu and having the warnings when enabling it should be enough to scare of the users who'll probably be most likely to forget their password. And if you do forget it you have to rely on the emergency kit and/or other family organizer/administrator for help with gaining access again.

  • Hi @Backspaze:

    Thanks for following up! To clarify, even with TPM support enabled for 1Password 8 for Windows (creating a similar situation to "never"), after 2 weeks, you'll still be prompted to enter your account password. The same situation would apply if you hadn't restarted your device, or quit 1Password for 2 weeks if TPM support wasn't in use.

    I think the ideal here would be 2 weeks after you entered your account password on any device, not just the device you're currently using. I'm not in a position to make promises here, but it is definitely something we're aware of.

    I'll share your thoughts about "after device restart" being a selectable option for 1Password 8 for iOS as well.

    Jack

  • acarling
    acarling
    Community Member

    @Jack.P_1P

    Thanks for your response, I just had a small additional thought about the ”2 weeks on any device” structure.

    If you did that it would make sense to slightly tweak the timing based on type of device, to make cross-platform users most likely to have to enter their password on device with easier text input.

    Suggestion:
    Expire login on mac/pc/web after 14 days of no password entry on any platform.
    Expire login on mobile/ipad after 17 days of no password entry on any platform.

    (+3 days is intended to account for a full weekend of no computer use)

  • Hi @acarling:

    Thanks for your additional thoughts on that!

    Jack

  • tprattfl
    tprattfl
    Community Member

    I want to add my voice to this discussion. We are new to 1Password coming from a competitor. The 2 week requirement is a deal breaker for my wife and she wants to go back to the other password keeper. She wants a password keeper to "just work" and not bug her for the master password. Please let us know if this is going to change so we can decide whether to stay or go. Thanks.

  • DenalB
    DenalB
    Community Member

    Hi @tprattfl !

    The 2 week requirement is a deal breaker for my wife and she wants to go back to the other password keeper. She wants a password keeper to "just work" and not bug her for the master password.

    Same here! For me, it is okay to type in the master password. But my wife is using 1Password maybe only once a month. That means that she always has to enter the master password. Every time she has to enter it, I have to help her out because she is not remembering it. That's a pain for her and me... 😕

  • keinanesq
    keinanesq
    Community Member

    Hi Folks!
    Thanks @Backspaze for alerting me to this thread! There's seemingly a lot going on here, but am I to understand that next release of 1Password on iOS is going to force users to re-enter their master password every two weeks regardless of any other setting?

    If that is the case, that would be (to keep it family friendly and put mildly) sub-optimal. Folks have raised significant points as to why that's just not a good idea here and in the other thread. It would be a bizarre decision that is neither 'balanced' nor rooted in any scientific evidence of efficacy to achieve the stated 'users can't remember their passwords' goal. Moreover, and this is what is most troubling, it's making everyone more vulnerable and less secure.

    To keep this solutions orientated though, I'll echo support for an 'enter MP once and it applies to all systems' type of scheme. Entering the password on a computer, even as unnecessary as it is there too if you've got biometrics, is far more preferable than trying to type complex passwords on a phone.

    Hope they seriously reconsider this entire movement. Not sure even casual users are going to be okay with this. They do seem like they listen to folks every now and then, so maybe they'll see the pushback and adjust course.
    [Note: to the support folks monitoring these threads; no anger directed at you all. You've got tough jobs, so thanks for hearing folks out and passing along feedback to the developers.]

  • tprattfl
    tprattfl
    Community Member

    Thank you for adding your perspective to the thread. I also want to add a brief update that i believe others have mentioned as a suboptimal consequence of the "2 week" policy. I have had to change my master password to a easier-to-remember phrase as the insistence of my wife. Of course, that makes it less secure.

  • philippemercure
    philippemercure
    Community Member

    I would also like to had my voice to this. I have a master password of more than 50 characters, more then half of it that I don’t even know by hearts, since it is store in a Yubikey, the rest is in my head. I kinda consider my master password pretty strong. I also have a physical copy of my master password in the even of my death store somewhere that I could use if I wouldn’t remember my master password for xyz reason. For the sake of people already using strong passwords with 1Password, couldn’t you allow password above a certain length to not require the 2 week verification. If you think that 50 is not enough, pump it to 100 characters, I wouldn’t mind having a longer password. But I mind having the need to type my master password every 2 weeks because of people that are not able to remember their master password correctly. Thanks a lot. Philippe.

  • Kakkoister2
    Kakkoister2
    Community Member

    @philippemercure Have you considered ever making your Account Password a memorable Password from the generator? That's how I have mine set up, so much easier to remember and to type.

  • philippemercure
    philippemercure
    Community Member

    @tomatoshadow2 the beauty of my password is that even under torture, I couldn’t give you my password, 😛, just a fun fact. And also, I only need to remember part of my password, 😀.

  • winterqt
    winterqt
    Community Member

    I'd personally like to be able to reduce this limit; for example, to 1 week, or on device restart (like 1Password 7 allowed). Could this be considered for addition into 1Password 8? (I'm specifically talking about how the iOS app worked -- I'm not familiar with 1Password 7 on the desktop.)

  • XIII
    XIII
    Community Member

    Had to enter my account password today on my iPad when I quickly needed a password for a service.

    Very frustrating!

    I’m so disappointed that you let everyone suffer because some people forget their password…

  • MichalZ
    MichalZ
    Community Member

    Hello @ag_kevin and other 1Password team members,

    I've registered an account just to ask you to reconsider this decision.

    I think I won't add any new arguments to this discussion. I just want to say that it wasn't easy to convince my mother who is not a tech savvy person to start using a password manager. I had to explain why it's important and teach her how to use it on her devices. She and other members of my family, including me, are very happy with 1Password in general. The only complaint we have is regarding re-entering the master password. The "never ask" option on mobile devices is a huge benefit. I made sure we all have very strong master passwords and that we have them safely backed up. Please don't remove this option from mobile and add it on all other supported platforms such as MacOS.
    If you force us to re-enter the password every 2 weeks, users will have 2 options: either use a short, weak master password in order to be able to quickly type it and be productive, or switch to another password manager. In my specific case, I'll probably give up and migrate us all to some other password manager which makes me sad because I really like 1Password.

    I have an idea for you - make this option hidden, so that only advanced/pro users will be able to find/unlock it. Android OS enables developer options when you go to settings and tap 7 times on "Build number". You can do a similar trick and hide that option by default. Again - please don't remove this option, and add it on all other supported platforms.

  • N33EKe3KWQJcpGdqLFh6
    N33EKe3KWQJcpGdqLFh6
    Community Member

    Asking also. It would seem that several configurable options that were in 1Password7 are now removed in 1Password. The comment from @ag_kevin " I'll pass this along for discussion and see if we can change this in the future." seems a bit lacking on confidence to us long time users. Of course 1Password "can" change this feature, you just appear to not be willing to change it, despite many long time users asking. This feature appears to be one of many features lost from 1Password for the sake of 1Password been able to run on more platforms, not necessarily for the sake of the users.

    Entering the password on mobile devices is a pain.

    Tonight I hit something which I suspect is related: I had to not only login to my 1Password master account on all my devices, I had to login to each team account as well. This is not a good scenario, and I know people on my team that will simply create short easy to remember passwords to reduce the hassle this new hurdle creates.

    @MichalZ nails it: "If you force us to re-enter the password every 2 weeks, users will have 2 options: either use a short, weak master password in order to be able to quickly type it and be productive, or switch to another password manager."

    Why is the developer team trying so hard to turn us long time users away?

  • volcom45
    volcom45
    Community Member

    +1 to requiring password after reboot vs forcing it every 2 weeks. It does tend to happen at the most awkward times and takes up so much extra time. Like many others are saying, I type my master password in daily on my Win 11 PC, because I don't have Windows Hello. I also type it on my mac. I'm not going to forget my master password and want the choice of how often I'm required to enter on iPhone and iPad.

  • 6awfpa3i
    6awfpa3i
    Community Member

    +1 from me. If the dev team afraid user will forget their password, let make the password requiring be a default for an optional choice.

  • DenalB
    DenalB
    Community Member

    I type my master password in daily on my Win 11 PC, because I don't have Windows Hello.

    Same here with me!

    It would be great, if logging into the Windows app (or maybe the Mac app) is resetting the count for the 2 weeks on every device, so that I don't have to enter the master password on all other devices again and again. 😘

  • ag_kevin
    edited June 2022

    Hi all,

    Thanks for posting additional feedback and sharing your thoughts on this. While I'm fairly certain there are no plans to just allow Never on all devices, several of you have brought up the interesting point that you do manually type your password on other devices, so the reason for taking away Never isn't there for many of you. It is something we can explore, but such a feature requires a lot more planning and consideration. It makes this feature quite a bit larger and coordination between your devices must take place. I can't promise anything at this time, but it will be discussed.

    Cheers,
    Kevin

    ref: IDEA-I-1144

  • Hey folks,

    We're doing some brainstorming on the idea of having the last unlock time sync across devices, such that the account password would need to be typed every 2 weeks, but any device you enter it on would extend that timer. It's an interesting idea, in my mind. It helps mitigate the issue of people forgetting their account passwords because they aren't typing them, but also mitigates some of the pain of entering such passwords on mobile.

    I'd like to get an idea of how many of you this would (or would not) help.

    Ben

  • volcom45
    volcom45
    Community Member

    @Ben This would be huge for me! I'd love that idea entirely. I hope that you guys are able to put something like that in place. :)

This discussion has been closed.