1Password 8: account password required every 2 weeks?


Comments

  • Awesome. Thanks @volcom45. It is something I'm pushing for us to try out, if feasible. 🤞

    Ben

  • Backspaze
    Community Member
    edited June 2022

    @Ben I'll quote myself below from this post, but if that request is out of the question, then sure, I'm all for syncing unlock time. Anything is better than the current state.

    I'm only interested in bringing back the option "after reboot" in 1Password 8 on iOS, as that was my preferred setting, but I understand the other use cases for those that want the "never" option as well. As long as it's implemented as an option tucked away in the settings, with (multiple) warnings when choosing the option, I don't see the problem. Hiding the setting somewhere deep down in a menu and having the warnings when enabling it should be enough to scare off the users who'll probably be most likely to forget their password.

  • skatch
    Community Member
    edited June 2022

    @Ben thanks for following up and pushing for this. My opinion is that syncing the 2 week password entry period across devices would be a significant improvement over each device having an independent 2 week expiration timer. However it would still be a pain if the 2 weeks ended when I'm using my iPhone, and avoidable in my case since I use 1Password on my computer all the time. If possible, I'd rather see a system that takes into account the device type, and prioritizes password entry on physical keyboard-based devices.

    This is my situation:

    • I use 1Password on 2 computers every single day. I don't mind having to type my password here occasionally.
    • I use 1Password on my phone a couple times a week. I never want to manually type my password here for the reasons already stated (allowing for rare circumstances – e.g. my device's biometric enrollment has changed).

    I know that what I'm suggesting is more complicated than what you've proposed (needs thought around a lot of different device type combos & usage frequencies). But if the goal is to make the use of a password manager frictionless, I feel that taking into account where password entry is requested is important. However, if this level of nuance isn't possible, then your "sync 2 week entry period across devices" proposal would at least do a lot to reduce the pain of the currently implemented biometric timeout.

  • @Backspaze

    Thanks for that. I don't know that "after reboot" is completely off the table, but based on the current discussion I think this proposal is more likely to be the one to run the gauntlet.

    @skatch

    Great idea. One of our developers had thoughts along the same lines. Their suggestion was that the timer reset be synced, but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop. This would make it much more likely that the prompt for MP hits your desktop devices vs mobile devices, particularly for those such as yourself that are regularly using a desktop.

    Ben

  • DenalB
    Community Member
    edited June 2022

    @Ben
    Thanks for your suggestion. I think it will help a lot, although it's not as perfect as it sounds. But it is better than typing the password on every device after 2 weeks... 👍

    EDIT:

    "but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop"

    Sounds much much better. 😘

  • skatch
    Community Member

    "Their suggestion was that the timer reset be synced, but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop."

    This seems like a good idea! 🙂

  • Fingers crossed. 🤞 😃

    Ben

  • Kakkoister2
    Community Member

    @skatch Your setup is very similar to mine, I agree if I'm typing it out on my computer constantly, would prefer less on mobile with the Pin option.

    @Ben thanks for keeping us updated on this!

  • mick99
    Community Member

    @Ben
    I really don't want to be forced to ever type my master password. I can use biometrics or yubikey but please don't force me to type the master password every 2/3 weeks. I like the idea of adding this as a hidden feature under some developer options for power users if you don't want to make it available for everyone.

    I just don't get the reason you want to force users to type their passwords. When I created an account I was instructed by 1Password that I should make a copy or print the password and store it in a safe place. I've generated a secure, long master password because it's the most important password after all. If someone has access to it, they have access to all my passwords. I don't want to change my master password to something short/easy so that I can type it quickly, especially on mobile.

    Btw have you considered a case where the 1Password user wants to log in to some website and they are forced to enter their master password in a place like a bus or other place where someone may be watching what you're typing? A thief can just see the master password that way, then steal the device and access whatever they want.

    It seems like LastPass found a better, more convenient way for handling this:

  • Poison
    Community Member

    I'm doing my yearly research on password managers and stumbled over this thread.
    My suggestion: Just make an option „Never ask for master password“ and let the user double opt it.

  • chrisrosa
    Community Member

    I think the idea that this every two week system will assure that people know their master password isn't really well thought out. This feature is particularly annoying when running with two accounts, because they both lock out at the same time. Luckily I can look up both on my phone and (continuity) copy/paste, but I would prefer a single unlock password like we used to have with 1Pass7. Maybe Yubikey or "authenticate on authorized device" type system would work too.

  • clakulus
    Community Member

    Just chiming in to say that I hope the suggestion of synchronising the reset period and extending the period to three weeks on mobile is considered as having to enter the MP on mobile defeats the entire purpose of AutoFill, especially seeing as the device is already secured with a password and biometrics.

    Thanks

  • philippemercure
    Community Member

    @Ben It doesn't solve all cases. If you are primarily working on MacOS, use Touch ID every day and then, at the end of the 2 weeks window go out and need to access 1Password on your iOS device. You still have a chance that 1Password would require you to manually provide the password on iOS. Which isn't great. It's still a step in the good direction. You could add logic that would know if the user is using both MacOS and iOS, then only ask the password on MacOS in the 2 weeks window and allow a 4 weeks window on iOS. You would have more chance to input your password only on MacOS, when not in a rush on iOS. Or just allow a window of 4 weeks across all devices. At least we would have to input it 12 times in a year and not 26 times. Thanks.

  • mick99
    Community Member

    The world (Apple and Google) is going into a direction where passwords are not needed. A password manager should be a thing that lets me stop thinking and worrying about passwords. Master password should be very strong, if I'm forced to enter it then I have to remember it or keep it on a paper that I'm carrying with me everywhere, another solution is to have a weak master password. It defeats the purpose of having a password manager in the first place.

  • sectwykr
    Community Member

    I'd also like to add a big +1 to the situation where you have more than one 1P account. I've used 1P for years, and convinced the company where I work a few years back on using it too - so I'm logged into 2 separate 1Password accounts constantly (primary: personal, secondary: work).

    With 1Pv8, now when I'm forced to re-auth (with my strong but memorable passphrase) every 2 weeks - it's a real pain especially on mobile, but I cope.

    However, what really bothers me is that I'm never prompted to log back into the 2nd (work) account. Instead, I'm forced to go through a convoluted process to get it unlocked (have to use the program menus, select Accounts, then select "Sign in to another account", then go to "Sign in on 1Password.com" for some reason, then click on a web link that takes me back to the app (???), then finally I get to authenticate). I don't even bother to try that on my mobile device anymore, which as everyone noted can be a pain for other reasons.

    I seriously hope at least the latter issue can be addressed - and agree that the "until reboot" option, at the very least, should be given to the users - rather than force-treating everyone as being incapable of remembering their master password :)

  • Manaburner
    Community Member

    Today another 2 weeks seems to have passed and I was forced to enter my master password again while I was trying to use autofill in the German DHL app.
    What I then did was open the 1Password App and enter my MP there. However this does not seem to have unlocked autofill in the app, i.e. I am still asked to enter my MP there.
    Is this intended to work that way or is this a bug?

  • N33EKe3KWQJcpGdqLFh6
    Community Member

    Echoing @sectwykr's thoughts entirely. I have multiple team accounts for my clients, having to re-enter my password, which is long, convoluted and secure, into all my devices every two weeks is a horrid experience. I love with 1Password since almost day 1, and never had an issue with remembering the master password... why now? Please give us the option to turn this off, you are costing us time and creating frustration. Not productive.

  • clakulus
    Community Member

    It’s even more horrid seeing as not only do you have to enter the master password every two weeks, if the prompt appears when using Safari AutoFill (my primary use for 1P), you then have to manually open the 1Password app and enter it there too, otherwise it will continue prompting for the password every time.

    I get that this is a limitation of Apple’s AutoFill API, but surely there’s a better solution to this, at least the aforementioned timeout sync and additional grace period that would hopefully minimise the chances of having to enter the MP on mobile at all.

  • chrisrosa
    Community Member

    Any update on this? This new feature is such a PITA, and for whatever reasons seems way more frequent than 2 weeks.

    Users should have the option to opt out or in to these kinds of QoL features. Everyone has their own unique level of security requirements, and this may vary by vault even.

  • rowatt
    Community Member

    I have a long passphrase for my 1password account. Typing it is ok on my mac, a pain on iOS.

    The biggest pain, though, is being asked to do this at inconvenient times. Having awareness between mac and iOS would be great and, hopefully, all but eliminate the need to type in on the phone. It doesn’t, however, stop me being asked at inconvenient times (especially if someone could see my typing). Could 1Password allow skipping verification for a while?

    For example:

    • two weeks after last verification a banner shows in 1pw asking me to verify. I can do it at my convenience. After, say, another 2 weeks if I haven’t verified, then I am forced to as currently.
    • And/or use notifications to prompt - particularly for people who rarely open the main app.

    I’d also be interested to know why two weeks was chosen. Is there evidence that if the period is longer a significantly higher number of people forget their master password?

  • CarOli
    Community Member

    I really can't understand the 1password team's arguments. If you want to protect users who keep forgetting their password, don't have an emergency kit set up and no other means of loss protection...why are they bugging the whole community with it and force us into an undesirable situation without need. Just do a default setting with two weeks and leave the option to change it to whatever value we like - including never. You (1password) knowing what's best for me...a thing that will never work.

  • Qutrit
    Community Member
    edited August 2022

    I only upgraded to 1password8 recently and just suffered the pain of being required to type my strong password on my phone in front of many people in a room with cameras in weird angles. Not something I feel comfortable doing. Please allow an advanced option to not have to renew biometric passwords every two weeks on your phone in some form! Some of us have our own techniques not to forget strong passwords without having to be babied into having to type it every two weeks.

    Just wanted to add my voice here

  • mjumelet
    Community Member

    I recently upgraded to v8, and feel really disappointed. I am a long time user since 2009 and use it multiple times a day, my master password is a long impossible to remember password which I keep on multiple physical places in a safe, and use it maybe once or twice a year, which was nice. I will have to change it to a less secure version, and I don't want to do this.

    I will have to switch to a different tool if this stays like it is.

  • jarrah31
    Community Member

    I’ve just registered to add my +1 to say I too don’t like being forced to enter my master password every two weeks. The latest 1Password update now regularly prompts you to swap to v8, but as I set it up on my phone and saw the requirement for entering MP every two weeks, I immediately searched on here hoping there was a workaround, but alas there isn’t.

    Why does 1Password think that advanced biometrics such as FaceID isn’t a secure enough way to unlock the app for longer than 2 weeks? I can pay for £100’s worth of goods using FaceID on my phone which is trusted by banks as a secure and reliable authentication method. My bank account app only ever uses FaceID. Why should I instead have to enter my long and complex MP every two weeks?

    My wife and kids all have their own Vault, but they aren’t regular desktop users, so the idea to prioritise desktop password entry won’t work for them. They only use 1Password infrequently (at most once every 1-3 weeks), so they’re going to have to enter their MP every time they use it, which makes it impractical to use. I store their MP in my vault which is of course a complex pass that they don’t want or need to remember. I subscribed to the family tier because the kids would keep asking me for site passwords that I had in my vault, so I set up shared vaults so they could easily access those passwords. However with 1Password 8 they will just nag me again, but this time for the MP due to being forced to type it in every two weeks…

    I’m sorry but as a 1Password customer for over 10 years, and a current Family subscriber, I’m going to have to take a serious look at LastPass based on their more user friendly authentication method screenshot shown above. I will definitely stop my family subscription because my use case for it is now pointless.

    Thanks a bunch 1Password for thinking you know best…

  • CarOli
    Community Member

    IMHO the whole annoyance results from 1password forcing us into things instead of giving options and explanations. Giving options and explanation is polite education and leads to deeper understanding - and everyone can tailor them to their own needs.

  • jarrah31
    Community Member

    Agreed, give us an option to disable the 2-week password rule (at least so that it only asks after a reboot), but give dire warnings about forgetting the password, making the user accept at least two prompts asking if they are sure, and double warn them of the consequences of forgetting their master password.

    Please, if you are reading this at 1Password, don’t make everyone suffer just to cater for a few fools who don’t manage their MP properly. Just surround the option with lots of warnings to make those who might forget their MP think twice before changing it.

    Unfortunately if you remain steadfast on this path (as your comments in this thread allude to) you will lose another long-term customer. I’m now actively testing LastPass and Bitwarden as both look like excellent alternatives. If the 2-week rule is still in place by the end of the year, I’m taking my subscription money elsewhere. :(

  • broesph
    Community Member

    I started using 1Password a couple months ago for work, was quite happy with it and switched my personal vault over from LastPass too. Then, I recently upgraded from 1Password 7 to 1Password 8 and ran into this nonsense.

    I registered a forum account just to +1 this thread and voice my complaint.
    Being forced to re-enter my master password every 2 weeks is extremely frustrating.

    This is fine as a default setting, but you should give users with hardware-backed keystores the ability to change this.
    Note that the multi-account UX is even more terrible, I never saw a prompt to re-enter my password for my personal vault on my work computer, as @sectwykr pointed out I had to go digging into menus to find this.

    Please fix this, AgileBits.
    If you don't, I'll be switching over to something else.

  • etheberge
    Community Member

    Reposted from Android thread:

    I just installed 1Password 8 on my new phone and immediately noticed this forced two week master password timeout. I've been a very satisfied paid family plan subscriber since 2016, and an individual plan subscriber for a few years before that. I just want to chime in and let you know that if this change isn't reverted / improved upon quickly, I'll be looking into canceling and moving to the competition.

    Forcing users to retype a password that is by nature long and complex on a mobile device at unexpected times, when you're on the go, busy, etc is a MAJOR inconvenience.

    I've read the discussions from staff members here and in other threads and I understand the reasoning for enabling this by default, however removing the option to change the behavior at all is plain dumb. I get that this is to avoid support calls from angry people that forgot their password, but at some point folks need to take responsibility for their actions. The implications of losing your master password are quite clearly explained when setting up an account. Annoying your whole customer base for the vast minority of forgetful / unprepared customers is not a good move.

    At the very minimum we need the option to only have to enter the master password at reboot, this would still be slightly annoying but acceptable. Syncing the last typed time from Windows/Mac/Linux clients would also be acceptable. Bringing back the "never" option would be best.

  • ricsto
    Community Member

    I've just updated to 1password 8 so it's a "+1" from me, i.e. give the customer the option to disable the check. I've been a customer for years and have a very complex password to access my account. I'd like to make the choice whether I have to enter the password once every 2 weeks instead of having that choice made for me. Based on the comments on this thread it seems many are like myself in that the complex password is a bitch to type on a mobile screen.
    I've worked in security for over two decades and the net result of this decision will be a user choosing a simpler and weaker password.

  • ide
    Community Member

    Have folks with multiple accounts (ex: personal and work) found you’ve needed to enter each account’s password every two weeks?

This discussion has been closed.