1Password 8: account password required every 2 weeks?

I've just updated to 1password 8 so it's a "+1" from me i.e Give the customer the option to disable the check. I've been a customer for years and have a very complex password to access my account. I'd like to make the choice whether I have to enter the password once every 2 weeks instead of having that choice made for me. Based on the comments on this thread it seems many are like myself in that the complex password is a bitch to type on a mobile screen.
I've worked in security for over two decades and the net result of this decision will be a user choosing a simpler and weaker password.

Reposted from Android thread:

I just installed 1Password 8 on my new phone and immediately noticed this forced two week master password timeout. I've been a very satisfied paid family plan subscriber since 2016, and a individual plan subscriber for a few years before that. I just want to chime in and let you know that if this change isn't reverted / improved upon quickly, I'll be looking into canceling and moving to the competition.

Forcing users to retype a password that is by nature long and complex on a mobile device at unexpected times, when you're on the go, busy, etc is a MAJOR inconvenience.

I've read the discussions from staff members here and in other threads and I understand the reasoning for enabling this by default, however removing the option to change the behavior at all is plain dumb. I get that this is to avoid support calls from angry people that forgot their password, but at some point folks need to take responsibility for their actions. The implications of losing your master password are quite clearly explained when setting up an account. Annoying your whole customer base for the vast minority of forgetful / unprepared customers is not a good move.

At the very minimum we need the option to only have to enter the master password at reboot, this would still be slightly annoying but acceptable. Syncing the last typed time from Windows/Mac/Linux clients would also be acceptable. Bringing back the "never" option would be best.

I started using 1Password a couple months ago for work, was quite happy with it and switched my personal vault over from LastPass too. Then, I recently upgraded from 1Password 7 to 1Password 8 and ran into this nonsense.

I registered a forum account just to +1 this thread and voice my complaint.
Being forced to re-enter my master password every 2 weeks is extremely frustrating.

This is fine as a default setting, but you should give users with hardware-backed keystores the ability to change this.
Note that the multi-account UX is even more terrible, I never saw a prompt to re-enter my password for my personal vault on my work computer, as @sectwykr pointed out I had to go digging into menus to find this.

Please fix this, AgileBits.
If you don't, I'll be switching over to something else.

Agreed, give us an option to disable the 2-week password rule (at least so that it only asks after a reboot), but give dire warnings about forgetting the password, making the user accept at least two prompts asking if they are sure, and double warn them the consequences of forgetting their master password.

Please, if you are reading this at 1Password, don’t make everyone suffer just to cater for a few fools who don’t manage their MP properly. Just surround the option with lots of warnings to make those who might forget their MP think twice before changing it.

Unfortunately if you remain steadfast on this path (as your comments in this thread allude to) you will loose another long-term customer. I’m now actively testing LastPass and Bitwarden as both look like excellent alternatives. If the 2-week rule is still in place by the end of the year, I’m taking my subscription money elsewhere. :(

IMHO the whole annoyance results from 1password forcing us into things instead of giving options and explanations. Giving options and explanation is polite education and and leads to deeper understanding - and everyone can tailor them to their own needs.

I’ve just registered to add my +1 to say I too don’t like being forced to enter my master password every two weeks. The latest 1Password update now regularly prompts you to swap to v8, but as I set it up on my phone and saw the requirement for entering MP every two weeks, I immediately searched on here hoping there was a workaround, but alas there isn’t.

Why does 1Password think that advanced biometrics such as FaceID isn’t a secure enough way to unlock the app for longer than 2 weeks? I can pay for £100’s worth of goods using FaceID on my phone which is trusted by banks as a secure and reliable authentication method. My bank account app only ever uses FaceID. Why should I instead have to enter my long and complex MP every two weeks?

My wife and kids all have their own Vault, but they aren’t regular desktop users, so the idea to prioritise desktop password entry won’t work for them. They only use 1Password infrequently (at most once every 1-3 weeks), so they’re going to have to enter their MP every time they use it, which makes it impractical to use. I store their MP in my vault which is of course a complex pass that they don’t want or need to remember. I subscribed to the family tier because the kids would keep asking me for site passwords that I had in my vault, so I set up shared vaults so they could easily access those passwords. However with 1Password 8 they will just nag me again, but this time for the MP due to being forced to type it in every two weeks…

I’m sorry but as a 1Password customer for over 10 years, and a current Family subscriber, I’m going to have to take a serious look at LastPass based on their more user friendly authentication method screenshot shown above. I will definitely stop my family subscription because my use case for it is now pointless.

Thanks a bunch 1Password for thinking you know best…

I recently upgraded to v8, and feel really disappointed. I am a long time user since 2009 and use it multiple times a day, my master password is a long impossible to remember password which i keep on multiple physical places in a safe, and use it maybe once or twice a year, which was nice. I will have to change it to a less secure version, and I don't want to do this.

I will have to switch to a different tool if this stays like it is.

I only upgraded to 1password8 recently and just suffered the pain of being required to type my strong password on my phone in front of many people in a room with cameras in weird angles. Not something I feel comfortable doing. Please allow an advance option to not have to renew biometric passwords every two weeks on your phone in some form! Some of us have our own techniques not to forget strong passwords without having to be babied into having to type it every two weeks.

Just wanted to add my voice here

I really can't understand the 1password team's arguments. If you want to protect users who keep forgetting their password, don't have an emergency kit set up and no other means of loss protection...why are they bugging the whole community with it and force us into an undesirable situation without need. Just do a default setting with two weeks and leave the option to change it to whatever value we like - including never. You (1password) knowing what's best for me...a thing that will never work.

I have a long passphrase for my 1password account. Typing it is ok on my mac, a pain on iOS.

The biggest pain, though is being asked to do this at inconvenient times. Having awareness between mac and iOS would be great and, hopefully all but eliminate the need to type in on the phone. It doesn’t, however, stop me being asked at inconvenient times (especially if someone could see my typing). Could 1Password allow skipping verification for a while?

For example:
- two weeks after last verification a banner shows in 1pw asking me to verify. I can do it at my convenience. After, say, another 2 weeks if I haven’t verified, then I am forced to as currently.
- And/or use notifications to prompt - particularly for people who rarely open the main app.

I’d also be interested to know why two weeks was chosen. Is there evidence that if the period is longer a significantly higher number of people forget their master password?