Please reconsider your decision to requires us to type our 1Password account password every 2 weeks on iOS/iPadOS. I'm fine with typing that password every 2 weeks on my Mac and/or my PC (both with a physical keyboard) to make sure I don't forget it. Typing my strong password with a touch keyboard is a major PITA! In fact, I'm afraid this will turn out to be contra-productive, similar to big IT organizations requiring a new password every 90 days, resulting in people using less strong passwords... 1Password Version: 8 (all future versions) OS Version: iOS/iPadOS

+1. Requiring password on mobile devices every two weeks is quite a pain. And yeah, wordlist passwords make things easier, but they're also long, so you have to be super precise on a phone keyboard. The times when I have to pull up 1Password on my phone are often times where I'm in a rush and juggling other things (think: checkout counter while managing kids). Some alternatives I'd love for the team to consider: * As suggested by XIII, don't require typing master password if you use 1pwd on another platform where you have to type it occasionally anyway (assuming 1password knows what platforms you log in with) * Take the approach Signal uses with their iOS app: they don't block you from using the app, but they prompt you like this occasionally (frequently at first, but at progressively longer intervals each time you enter it). You could do this anytime someone changes their master password: * Or just go back to letting users self-select to only type their master password never/after device restart.

In the old app, there's a setting for this under "Settings" > "Advanced" > "Security" > "Require master password..." where you can set it to to wide range of options with the most lenient option being "After reboot of the device". Considering that you now can configure 1Password 8 on Windows to use the TPM module to practically never have to type your master password again, even after reboots and updates, I'm guessing that the setting mentioned earlier will make a return?

Hi XIII , We have to balance the need for convenience with the reality that if we extend the limit some customers will not be able to remember their passwords and eventually be locked out of their data if they remove fingerprint information, get a new phone, etc. What we do recommend is choosing a password that is strong but yet not too difficult to type on a mobile device. A wordlist password is a good place to start. Regards, Kevin

Please show some love to users that run your Apps on multiple platforms. If I already type my account password on macOS (and Windows) regularly, typing it on iOS/iPadOS has hardly any additional value, but it is a major PITA on those specific platforms. In fact, I already type it every time in Windows (no Windows Hello on my very old PC). My current workaround: keep v7 installed, so I can copy the account password from there and paste it in v8…

I would agree that the default behaviour is a great default for most people, however it feels like a big regression to me that the advanced setting to "Require master password" (and the possibility to set it to "After device reboot" or "Never") seems to be removed. As an advanced user I have (a few) strategies to make sure I never forget my 1password credentials, and have made an informed decision to rely on the face id for my phone security as part of that set of strategies. I would very much like to possibility to keep having the great user experience I've enjoyed with 1Password since biometric authentication was added to the phones, going back to fumbling with passwords - always at the most inconvenient time - is not something I'm looking forward to. If you intend to ship 1password v8 with this regression I would hope you investigated other ways to make the user experience better, for an example entering the password on one of my devices could bump the timer on all other devices. Though I suspect just allowing me to store the password indefinitely in the iOS Keychain is much simpler to implement and less error-prone.

1Password 8: account password required every 2 weeks?

89 Replies

Former Member
4 years ago
1P_Ben
I really don't want to be forced to ever type my master password. I can use biometrics or yubikey but please don't force me to type the master password every 2/3 weeks. I like the idea of adding this as a hidden feature under some developer options for power users if you don't want to make it available for everyone.

I just don't get the reason you want to force users to type their passwords. When I created an account I was instructed by 1Password that I should make a copy or print the password and store it in a safe place. I've generated secure, long master password because it's the most important password after all. If someone has access to it, they have access to all my passwords. I don't want to change my master password to something sort/easy so that I can type it quickly, especially on mobile.

Btw have you considered a case where the 1Password user wants to login onto some website and they are forced to enter their master password in a place like a bus or other place where someone may be watching what you're typing? A thief can just see the master password that way, then stole the device and access whatever they want.

It seems like LastPass found a better, more convenient way for handling this:
Kakkoister2
Super Contributor
4 years ago
skatch You're setup is very similar to mine, I agree if I'm typing it out on my computer constantly, would prefer less on mobile with the Pin option.

1P_Ben thanks for keeping us updated on this!
1P_Ben
1Password Team
4 years ago
Fingers crossed. 🤞 😃

Ben
skatch
Frequent Contributor
4 years ago

Their suggestion was that the timer reset be synced, but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop.

This seems like a good idea! 🙂
DenalB
Super Contributor
4 years ago
1P_Ben
Thanks for your suggestion. I think it will help a lot, although it's not that perfect as it sounds. But it is better than typing the password on every device after 2 weeks... 👍

EDIT:

but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop
Sounds much much better. 😘
1P_Ben
1Password Team
4 years ago
Backspaze

Thanks for that. I don't know that "after reboot" is completely off the table, but based on the current discussion I think this proposal is more likely to be the one to run the gauntlet.

skatch

Great idea. One of our developers had thoughts along the same lines. Their suggestion was that the timer reset be synced, but that we set the timeout to 3 weeks on mobile and 2 weeks on desktop. This would make it much more likely that the prompt for MP hits your desktop devices vs mobile devices, particularly for those such as yourself that are regularly using a desktop.

Ben
skatch
Frequent Contributor
4 years ago
1P_Ben thanks for following up and pushing for this. My opinion is that syncing the 2 week password entry period across devices would be a significant improvement over each device having an independent 2 week expiration timer. However it would still be a pain if the 2 weeks ended when I'm using my iPhone, and avoidable in my case since I use 1Password on my computer all the time. If possible, I'd rather see a system that takes into account the device type, and prioritizes password entry on physical keyboard-based devices.

This is my situation:
- I use 1Password on 2 computers every single day. I don't mind having to type my password here occasionally.
- I use 1Password on my phone a couple times a week. I never want to manually type my password here for the reasons already stated (allowing for rare circumstances – e.g. my device's biometric enrollment has changed).

I know that what I'm suggesting is more complicated than what you've proposed (needs thought around a lot of different device type combos & usage frequencies). But if the goal is to make the use of a password manager frictionless, I feel that taking into account where password entry is requested is important. However, if this level of nuance isn't possible, then your "sync 2 week entry period across devices" proposal would at least do a lot to reduce the pain of the currently implemented biometric timeout.
Backspaze
Dedicated Contributor
4 years ago
1P_Ben I'll quote myself below from https://1password.community/discussion/comment/636642/#Comment_636642, but if that request is out of the question, then sure, I'm all for syncing unlock time. Anything is better than the current state.

I'm only interested in bringing back the option "after reboot" in 1Password 8 on iOS, as that was my preferred setting, but I understand the other use cases for those that want the "never" option as well. As long as it's implemented as an option tucked away in the settings, with (multiple) warnings when choosing the option, I don't see the problem. Hiding the setting somewhere deep down in a menu and having the warnings when enabling it should be enough to scare of the users who'll probably be most likely to forget their password.
1P_Ben
1Password Team
4 years ago
Awesome. Thanks @volcom45. It is something I'm pushing for us to try out, if feasible. 🤞

Ben
Former Member
4 years ago
1P_Ben This would be huge for me! I'd love that idea entirely. I hope that you guys are able to put something like that in place. :)

Forum Discussion

1Password 8: account password required every 2 weeks?

89 Replies

Featured discussions

October at 1Password: Defining new standards, empowering communities, and securing the future

Recent discussions

Please consider integrating 1Password as a Credential Provider on macOS.

Re: Safari Extension won't fill if too many tabs open

Universal Autofill + Chrome extension not working with latest Chrome on macOS (142.0.7444.60)

1Password crashing on first unlock with browser extension

Pixel 10 Pro Issues