Feature Request: semi-automatic password rotation

The recent incident with LinkedIn has shown how valuable 1Password can be: i) it ensures that it is possible to have a distinct password for each web site I use, ii) check for password re-use. Others were not so lucky - they have one password for everything (because remembering 300 passwords is impossible) and don't even know where they have accounts.

But where 1Password let's me down and where I think a significant improvement can be made, is if 1Password were to help me manage password expiration and rotation.

To date, 1Password already knows when a password was last changed. But I didn't find a feature whereby it would complain if the password became too old.

First Feature Request: I would like to have a little notification when 1Password determines that a password has not been changed based on a user defined time period.

1Password is today able to make HTTP requests to fetch a badge/label picture for a credential. This is helpful, but I would like to see 1Password use it's HTTP library for something more sophisticated.

Second Feature Request: I would like 1Password to be able to change a password on my behalf. Meaning, either using a manual prompt (i.e. a button) or automatically based on a schedule (see First Feature Request above), go and change a password on a given site automatically.

If you like, this would elevate 1Password to a type of desktop Password Vault technology, somewhat like a miniature CyberArk, and keep the lead innovation lead.

Most users will likely not be typing in their credentials in websites anymore and simply insert them with the help of browser plugins: with both Feature Requests above strong password rotation would become transparent to the user.

Comments

  • khad
    khad
    1Password Alumni
    Welcome to the forums, lkremkow. We were just discussing this earlier today.

    The short answer is that if you are using strong, unique passwords on each site there is no need to "rotate" or change your passwords on a regular schedule.

    Obviously you want to change your website passwords if you know (or suspect) them to be compromised, but there is no benefit to changing them on a schedule. An attacker will always get your current password (if they get any at all) no matter how many times you changed it in the past year.

    It would be like regularly tearing down your house and building a new one every few months to get ready for a tornado to hit. Only the house that exists when the tornado hits gets the damage and you still have to rebuild it. The rest of the time you spent tearing down and rebuilding the house before the tornado hit was just a waste of time and money. ;)

    As for your second request, it would be great if this were possible, but every website handles password change request differently. There is no standard so it would be nearly impossible to make the feature work with more than a handful of popular sites.

    These are good things to think about and we really appreciate your feedback! Please let me know if you have any other suggestions or questions.

    Cheers,
This discussion has been closed.