Master Password required to be entered every 2 weeks on Beta 8.5.0

chilston
chilston
Community Member

On the beta Mac version 8.5.0, there is no way to disable "Master Password required to be entered every 2 weeks". Could you give me a way to do that?


1Password Version: 8.5.0
Extension Version: Not Provided
OS Version: Mac OS 12.1
Referrer: forum-search:2 weeks

Comments

  • Hey @chilston:

    Great question! The short version is we don't want you to be in a position where you've ever forgotten your account password, so requiring it every few weeks helps ensure that you remember it.

    Just as an FYI, I've moved your thread to our beta section! :smile:

    Jack

  • XIII
    XIII
    Community Member

    It's a bit annoying on macOS, but will be super annoying on iOS/iPadOS.

    Please don't do it there!

    I'm afraid people will start using less secure master passwords because of how you handle this...

  • chilston
    chilston
    Community Member

    210 / 5 000
    Résultats de traduction
    Normally I use 24 character passwords with symbols. Now with your obligation I have to choose a much shorter memorable account password. Where is the advantage then???

  • rpallred
    rpallred
    Community Member

    but will be super annoying on iOS/iPadOS.

    It's already this way on iOS and has been for a while--if you restart the phone, or every two weeks you have to login again.

  • Hi folks,

    I think the ideal would be for this to be a two week timer, reset any time you type your account password on any device. There are some technical hurdles to implementing that, but they may be surmountable. The point is to help ensure you have your Master Password memorized, not to punish you for using a device with a tiny virtual keyboard. 😆I'm not in a position to make any promises but this is a pain point we're aware of, especially for folks who use 1Password across a lot of different devices (such as ourselves!!).

    Ben

  • sille
    sille
    Community Member

    On an iPhone or iPad, you can set it so that the master password is never needed

  • I would caution that "never" is a fairly misleading term there, unfortunately. It doesn't disable/turn off/obviate the need for your account password, and there are still circumstances where you'll have to type it. It just makes it so there isn't a set timer for having to do so.

    Ben

  • pixycz
    pixycz
    Community Member
    edited August 2022

    don't want you to be in a position where you've ever forgotten your account password…
    help ensure you have your Master Password memorized…

    Oh my, such this social engineering again… Could you stop beeing so overprotective and allow your users a free will including freedom to fail? This [profanity removed by moderator; this is a family friendly forum] makes me only hating 1Pwd more and more every time I'm forced to type my master password every other day. Mostly on my iPad when I really hurry to login somewhere. My comp never leaves my house and my security is only my problem, not yours. It's fine if you give me tools to make my life more secure – that's great, I'll really appreciate that and I'm willing to pay for it. But in the moment you start to force me using them it's just annoying. And 1Password is sooooooo annoying from this perspective. All the automatic logouts from my browser and from my tablet are the only reason I started to think about 1Password replacement.

    Do you really believe you do this for our better good? PLEASE, stop thinking your users are idiots you must care for.

  • As a service you trust with securing your passwords and other sensitive data, we take your security seriously and are partially responsible for it. I hope we're able to find a more agreeable solution here. One idea is to make the timer global across your devices, such that unlocking on a desktop will reset the timer. I don't know how feasible that will be, but if it is, the thought is you may never have to enter your account password on mobile outside of the initial setup. Unless/until we can implement something like that, this is the best option we have to help ensure customers remember their account password, which is critical.

    Ben

  • pixycz
    pixycz
    Community Member

    That will help a lot, at least that.

  • Tertius3
    Tertius3
    Community Member

    Until yesterday, I thought it is arbitrary and pestering to require the master password sometimes, although a pin is set.
    Until I learned my father, always using the Windows hello pin on his computer, completely forgot his Windows password behind his pin. He didn't record it anywhere, even he thought he has. He used only the pin, for months, probably a year or longer. I had to use some recovery means to get him back into full usage of his account.
    So I admit it's actually a good thing to require the master password now and then to remind you to memorize it.

  • Thanks for sharing that anecdote, @Tertius3. Indeed; this was a common case before the requirement was added, and has significantly decreased since adding it. 1Password intentionally cannot recover your account password if you forget, making it that much more important.

    Ben

  • zzyzxd
    zzyzxd
    Community Member

    As a service you trust with securing your passwords and other sensitive data, we take your security seriously and are partially responsible for it.

    I didn't have to trust 1password this much until now that I am forced to use the cloud service. Since the very beginning 1password had made it very clear that the user was the only one that's solely responsible for securing the vault, master password and secret key because the data is encrypted/decrypted locally. By requiring your users to enter the password more often, the responsibility structure does not change a tiny bit -- it only reduces your support cost because the average Joes will be less likely to forget the password and waste your support resource. What's worse, now you push advanced users to choose less complex passwords so they are easier to type in on smart phones.

    1Password has a lot of enterprise customers now, and you surely can understand that different businesses may have different threat models. My company has our own protocols to deal with forgotten or compromised passwords and it is not up to the vendor to say "No, you can't forget your password or terrible things will happen to you". In version 7, the "Never" option is hidden deeply in an advanced setting screen, why is that not enough? Why is "2 weeks" an ok threashold for every single user?

  • n9yty
    n9yty
    Community Member

    Um, VERY flawed thinking. I have multiple vaults, I have complex master passwords. Of course I don't remember them, but I have them available in case of an emergency, new install, etc. But now you are forcing me to put them on paper in front of the computer because I can't get to them any other way (they are stored, but not conveniently depending on where I am) once you lock me out.

  • Andrew42
    Andrew42
    Community Member

    I'm confused. When you set up 1P8 an Emergency kit is created which you are advised to print out and safeguard. On the page is an entry for your Master Password. The entry must be hand written unless you have a pdf reader that allows you to create text fields.
    That is 1P making sure you are safe, all this other stuff for making you not forget your password by forcing you to enter it every now and again is 1P in Nanny State mode.

This discussion has been closed.