Please reconsider your decision to requires us to type our 1Password account password every 2 weeks on iOS/iPadOS. I'm fine with typing that password every 2 weeks on my Mac and/or my PC (both with a physical keyboard) to make sure I don't forget it. Typing my strong password with a touch keyboard is a major PITA! In fact, I'm afraid this will turn out to be contra-productive, similar to big IT organizations requiring a new password every 90 days, resulting in people using less strong passwords... 1Password Version: 8 (all future versions) OS Version: iOS/iPadOS

+1. Requiring password on mobile devices every two weeks is quite a pain. And yeah, wordlist passwords make things easier, but they're also long, so you have to be super precise on a phone keyboard. The times when I have to pull up 1Password on my phone are often times where I'm in a rush and juggling other things (think: checkout counter while managing kids). Some alternatives I'd love for the team to consider: * As suggested by XIII, don't require typing master password if you use 1pwd on another platform where you have to type it occasionally anyway (assuming 1password knows what platforms you log in with) * Take the approach Signal uses with their iOS app: they don't block you from using the app, but they prompt you like this occasionally (frequently at first, but at progressively longer intervals each time you enter it). You could do this anytime someone changes their master password: * Or just go back to letting users self-select to only type their master password never/after device restart.

In the old app, there's a setting for this under "Settings" > "Advanced" > "Security" > "Require master password..." where you can set it to to wide range of options with the most lenient option being "After reboot of the device". Considering that you now can configure 1Password 8 on Windows to use the TPM module to practically never have to type your master password again, even after reboots and updates, I'm guessing that the setting mentioned earlier will make a return?

Hi XIII , We have to balance the need for convenience with the reality that if we extend the limit some customers will not be able to remember their passwords and eventually be locked out of their data if they remove fingerprint information, get a new phone, etc. What we do recommend is choosing a password that is strong but yet not too difficult to type on a mobile device. A wordlist password is a good place to start. Regards, Kevin

Please show some love to users that run your Apps on multiple platforms. If I already type my account password on macOS (and Windows) regularly, typing it on iOS/iPadOS has hardly any additional value, but it is a major PITA on those specific platforms. In fact, I already type it every time in Windows (no Windows Hello on my very old PC). My current workaround: keep v7 installed, so I can copy the account password from there and paste it in v8…

I would agree that the default behaviour is a great default for most people, however it feels like a big regression to me that the advanced setting to "Require master password" (and the possibility to set it to "After device reboot" or "Never") seems to be removed. As an advanced user I have (a few) strategies to make sure I never forget my 1password credentials, and have made an informed decision to rely on the face id for my phone security as part of that set of strategies. I would very much like to possibility to keep having the great user experience I've enjoyed with 1Password since biometric authentication was added to the phones, going back to fumbling with passwords - always at the most inconvenient time - is not something I'm looking forward to. If you intend to ship 1password v8 with this regression I would hope you investigated other ways to make the user experience better, for an example entering the password on one of my devices could bump the timer on all other devices. Though I suspect just allowing me to store the password indefinitely in the iOS Keychain is much simpler to implement and less error-prone.

1Password 8: account password required every 2 weeks?

89 Replies

Kakkoister2
Super Contributor
4 years ago
@philippemercure Have you considered ever making your Account Password a memorable Password from the generator? That's how I have mine set up, so much easier to remember and to type.
Former Member
4 years ago
I would also like to had my voice to this. I have a master password of more than 50 characters, more then half of it that I don’t even know by hearts, since it is store in a Yubikey, the rest is in my head. I kinda consider my master password pretty strong. I also have a physical copy of my master password in the even of my death store somewhere that I could use if I wouldn’t remember my master password for xyz reason. For the sake of people already using strong passwords with 1Password, couldn’t you allow password above a certain length to not require the 2 week verification. If you think that 50 is not enough, pump it to 100 characters, I wouldn’t mind having a longer password. But I mind having the need to type my master password every 2 weeks because of people that are not able to remember their master password correctly. Thanks a lot. Philippe.
Former Member
4 years ago
Thank you for adding your perspective to the thread. I also want to add a brief update that i believe others have mentioned as a suboptimal consequence of the "2 week" policy. I have had to change my master password to a easier-to-remember phrase as the insistence of my wife. Of course, that makes it less secure.
Former Member
4 years ago
Hi Folks!
Thanks Backspaze for alerting me to this thread! There's seemingly a lot going on here, but am I to understand that next release of 1Password on iOS is going to force users to re-enter their master password every two weeks regardless of any other setting?

If that is the case, that would be (to keep it family friendly and put mildly) sub-optimal. Folks have raised significant points as to why that's just not a good idea here and in the https://1password.community/discussion/127160/never-option-removed-from-require-master-password. It would be a bizarre decision that is neither 'balanced' nor rooted in any scientific evidence of efficacy to achieve the stated 'users can't remember their passwords' goal. Moreover, and this is what is most troubling, it's making everyone more vulnerable and less secure.

To keep this solutions orientated though, I'll echo support for an 'enter MP once and it applies to all systems' type of scheme. Entering the password on a computer, even as unnecessary as it is there too if you've got biometrics, is far more preferable than trying to type complex passwords on a phone.

Hope they seriously reconsider this entire movement. Not sure even casual users are going to be okay with this. They do seem like they listen to folks every now and then, so maybe they'll see the pushback and adjust course.
[Note: to the support folks monitoring these threads; no anger directed at you all. You've got tough jobs, so thanks for hearing folks out and passing along feedback to the developers.]
DenalB
Super Contributor
4 years ago
Hi @tprattfl !

The 2 week requirement is a deal breaker for my wife and she wants to go back to the other password keeper. She wants a password keeper to "just work" and not bug her for the master password.
Same here! For me, it is okay to type in the master password. But my wife is using 1Password maybe only once a month. That means that she always has to enter the master password. Every time she has to enter it, I have to help her out because she is not remembering it. That's a pain for her and me... 😕
Former Member
4 years ago
I want to add my voice to this discussion. We are new to 1Password coming from a competitor. The 2 week requirement is a deal breaker for my wife and she wants to go back to the other password keeper. She wants a password keeper to "just work" and not bug her for the master password. Please let us know if this is going to change so we can decide whether to stay or go. Thanks.
Jack_P_1P
1Password Team
4 years ago
Hi @acarling:

Thanks for your additional thoughts on that!

Jack
Former Member
4 years ago
Jack_P_1P

Thanks for your response, I just had a small additional thought about the ”2 weeks on any device” structure.

If you did that it would make sense to slightly tweak the timing based on type of device, to make cross-platform users most likely to have to enter their password on device with easier text input.

Suggestion:
Expire login on mac/pc/web after 14 days of no password entry on any platform.
Expire login on mobile/ipad after 17 days of no password entry on any platform.

(+3 days is intended to account for a full weekend of no computer use)
Jack_P_1P
1Password Team
4 years ago
Hi Backspaze:

Thanks for following up! To clarify, even with TPM support enabled for 1Password 8 for Windows (creating a similar situation to "never"), after 2 weeks, you'll still be prompted to enter your account password. The same situation would apply if you hadn't restarted your device, or quit 1Password for 2 weeks if TPM support wasn't in use.

I think the ideal here would be 2 weeks after you entered your account password on any device, not just the device you're currently using. I'm not in a position to make promises here, but it is definitely something we're aware of.

I'll share your thoughts about "after device restart" being a selectable option for 1Password 8 for iOS as well.

Jack
Backspaze
Dedicated Contributor
4 years ago
DenalB thanks for bringing that up, as I wasn't aware of that thread. The discussion in that thread seems to have died out since the middle of March, but I noticed that @keinanesq had already mentioned some of the points I brought up in this thread as well, with the main inconsistent thin in all of this being the removal of the "never" option on iOS while at the same time adding the option on Windows. This inconsistency hasn't been addressed by AgileBits as far as I'm aware. Maybe @ag_kevin Jack_P_1P 1P_Ben or someone else from AgileBits could elaborate on this?

I might add that I don't need or want the "never" option, hence why I didn't even notice the removal of that option on iOS. I'm only interested in bringing back the option "after reboot" in 1Password 8 on iOS, as that was my preferred setting, but I understand the other use cases for those that want the "never" option as well. As long as it's implemented as an option tucked away in the settings, with (multiple) warnings when choosing the option, I don't see the problem. Hiding the setting somewhere deep down in a menu and having the warnings when enabling it should be enough to scare of the users who'll probably be most likely to forget their password. And if you do forget it you have to rely on the emergency kit and/or other family organizer/administrator for help with gaining access again.

Forum Discussion

1Password 8: account password required every 2 weeks?

89 Replies

Featured discussions

October at 1Password: Defining new standards, empowering communities, and securing the future

Recent discussions

Exported CSV missing notes is this an export setting or a bug?

App main window not showing in GNOME

Native Password AutoFill Extension macOS

Editing tags on multiple items

Odd one.. passcode not matching preview?