1Password 8: account password required every 2 weeks?

There was a discussion in February already, when v7.9.4 was released, because the "never option" was removed from the "Require Master Password" setting.

https://1password.community/discussion/127160/never-option-removed-from-require-master-password

Strange that in v8, the setting "Require Master Password" is completely removed now... 😮😕🤔

Hi everyone,

Thanks for posting your different reasons and use cases. I'll pass this along for discussion and see if we can change this in the future. If it comes down to an inconvenience vs. locking many people out of their data, we'll usually side with the latter, but the compromises discussed here may turn out to be beneficial for everyone. I can't promise this will come, but I can promise it'll be discussed. Synchronizing when a user last typed their password and taking different authentication methods on different platforms does complicate it a bit, but it's worth discussing and seeing what we can do.

Thanks everyone,
Kevin

As skatch mentioned, Signal's approach could be an option, but then again, Signal also lets you disable the reminders or disable the PIN code feature entirely. Sure it's "just a messaging app" and might not be as important as loosing access to your password manager, but the key thing here is that they are providing the option for the users to configure the app as they want, something that 1Password did in version 7 as well.

And as skatch also mentioned, the password prompt have a tendency to pop when you least need it, like when you're in a hurry. In 1Password 7 I have it configured to only ask for the password after a reboot since it's the closest you get to "never". But I've also chosen that option since then I'm in control of when it happens, because the only time I reboot is when installing an iOS update, which I do as soon as possible but only when it's convenient for me.

I'd like to repeat what I wrote in my previous comment; considering that you now can configure 1Password on Windows to never ask for the password again by using the TPM feature, It would seem logical that you at least add the same setting and options in 1Password 8 for iOS as they were in 1Password 7. I don't mind if you hide the setting somewhere in a sub menu deep in the bowels of settings, as long as the setting is there for those who want it. You could even add a prompt when you configure the setting, similar to when you perform a factory reset of the phone, where it asks for confirmation 1-2 times, with a clear message/warning about how crucial it is to remember the master password and that you can't provide support if you manage to lock yourself out.

+1 for myself also of adding back the pin option, instead of the account password all the time, which I already type out on Mac regularly.

I would agree that the default behaviour is a great default for most people, however it feels like a big regression to me that the advanced setting to "Require master password" (and the possibility to set it to "After device reboot" or "Never") seems to be removed.

As an advanced user I have (a few) strategies to make sure I never forget my 1password credentials, and have made an informed decision to rely on the face id for my phone security as part of that set of strategies.

I would very much like to possibility to keep having the great user experience I've enjoyed with 1Password since biometric authentication was added to the phones, going back to fumbling with passwords - always at the most inconvenient time - is not something I'm looking forward to.

If you intend to ship 1password v8 with this regression I would hope you investigated other ways to make the user experience better, for an example entering the password on one of my devices could bump the timer on all other devices. Though I suspect just allowing me to store the password indefinitely in the iOS Keychain is much simpler to implement and less error-prone.

+1. Requiring password on mobile devices every two weeks is quite a pain. And yeah, wordlist passwords make things easier, but they're also long, so you have to be super precise on a phone keyboard.

The times when I have to pull up 1Password on my phone are often times where I'm in a rush and juggling other things (think: checkout counter while managing kids).

Some alternatives I'd love for the team to consider:
* As suggested by XIII, don't require typing master password if you use 1pwd on another platform where you have to type it occasionally anyway (assuming 1password knows what platforms you log in with)
* Take the approach Signal uses with their iOS app: they don't block you from using the app, but they prompt you like this occasionally (frequently at first, but at progressively longer intervals each time you enter it). You could do this anytime someone changes their master password:

* Or just go back to letting users self-select to only type their master password never/after device restart.

Please show some love to users that run your Apps on multiple platforms. If I already type my account password on macOS (and Windows) regularly, typing it on iOS/iPadOS has hardly any additional value, but it is a major PITA on those specific platforms.

In fact, I already type it every time in Windows (no Windows Hello on my very old PC).

My current workaround: keep v7 installed, so I can copy the account password from there and paste it in v8…

Hi XIII ,

We have to balance the need for convenience with the reality that if we extend the limit some customers will not be able to remember their passwords and eventually be locked out of their data if they remove fingerprint information, get a new phone, etc. What we do recommend is choosing a password that is strong but yet not too difficult to type on a mobile device. A wordlist password is a good place to start.

Regards,
Kevin

In the old app, there's a setting for this under "Settings" > "Advanced" > "Security" > "Require master password..." where you can set it to to wide range of options with the most lenient option being "After reboot of the device". Considering that you now can configure 1Password 8 on Windows to use the TPM module to practically never have to type your master password again, even after reboots and updates, I'm guessing that the setting mentioned earlier will make a return?