Require password reprompt like LastPass

tltltetd
Community Member

Hi! I've used LastPass for the past decade but am trying out 1Password to see if I could make the switch (since LastPass for Mac has become unbelievably buggy and their developers don't seem to care).

My biggest sticking point is perfectly laid out in a forum post here.

I'd reply to the forum discussion, but it's been closed. Besides what your staff has written in the post, do you offer any options for this second level of security? Although the staff member who wrote the response apparently had a difficult time understanding the use case, I live it every day, and it's not some pie-in-the-sky nice-to-have.

I work on an iMac at home with no roommates. I have no desire to type a master password in every time I want to be able to log into my usual websites; I like being able to wake up my computer and GO. I'm not worried about a burglar coming in and being able to, say, log into my Instagram account to post nefarious pictures. I also use a MacBook Air when I travel, an iPhone, and an iPad, all of which I use my password manager on with differing levels of security. I love being able to access the password manager on my iPhone with Face ID and iPad with Touch ID. It's all very convenient.

However, I keep extremely sensitive information like bank logins, email passwords, and social security numbers and credit card numbers for myself and friends in my password manager, and I don't want it so that just anybody who happened across a device where my password manager was open could click a few buttons and see all this extremely high-security information. Likewise, I wouldn't want said burglar to be able to open my bank account in a few clicks and start making transfers. I want my password manager to require a second level of scrutiny for these things. They're only about 10% of what's in my password manager, but they require a much higher level of security than the other 90%.

LastPass allows you to "require password reprompt" as shown here. That means that no matter how lax (i.e., for my iMac at home) or strict (i.e., for my iPhone) I want my security settings to be, I can always count on my master password being required whenever I try to access these high-security items.

Since you haven't implemented such a feature since the above-mentioned discussion in 2016, you're probably never going to, and I'm sure you wouldn't just for a couple wary LastPass exes. But I am wondering if you have an alternative notion or use case workflow of how 1Password could be creatively used to approximate that dual-security functionality that LastPass provides. As much as I've grown to despise LastPass, I can't feasibly make the switch to 1Password when it seemingly only offers a single level of security for all of my sites and information, as though my washed-up-musician-fan-club logins and lifetime-savings account logins don't deserve differing levels of security. :)

Any ideas are appreciated!


1Password Version: 7.3.1
Extension Version: 7.3.1
OS Version: macOS 10.14.5
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @tltltetd: As I said previously, it's something we can consider. But a large part of the consideration is that we want to avoid "security theater" where 1Password is leading the user to believe there is some protection in place which does not exist. When you enter your Master Password, in order for that to allow you to access any of your data in the app, a secret equivalent to the Master Password needs to be kept in memory in order to be able to decrypt the data. At that point, prompting you again for your Master Password in any context (whether accessing a specific item or something else) would be dishonest, because 1Password doesn't need it: it already has the means to decrypt the data because you gave it that. Having separate passwords for different things would avoid that...but cause the problem of the user needing to remember and type multiple passwords, which is only the reason 1Password exists, to get away from that; but that also encourages people to use weaker passwords (since they now must remember and type more than one). One long, strong, unique password will be harder to guess than two of shorter length, because each additional random character/word increases the number of possibilities exponentially.

    But the other issue with a feature/use case like that is that the premise is that something can protect you from lax operational security. It ignores a key, fundamental layer of security, which is protecting access to the device itself. For example, if someone has access to your computer, because you left it unlocked, while it's good if your password manager is locked (though it sounds like you often leave it unlocked, but we'll ignore that for the sake of argument), as that protects the data at rest, you're effectively leaving the side door open, where the attacker could simply install malware to allow them to capture information later, when you unlock your password manager for them (or just make a copy of the encrypted data and let you give them the password to it later). That's not something any software can protect you from. The gate may be locked, but you're missing something else:

    At the end of the day, having a "single level of security" isn't a bad thing when it's good security; and any theoretical security benefit to having multiple levels is, in practice, negated by human behaviour -- as you've alluded to here yourself. So what we're focusing on for 1Password's security is:

    • When it appears to be secure (locking), it is.
    • The user has control over locking behaviour.
    • The user gets to choose the key to unlock their data (Master Password) and keep it to themself.

    I'm not going to be able to offer you quite what you're looking for here, and at the end of the day it's up to you as far as whether or not you take important precautions to protect your device in addition to your data, but there is a lot you can do with security settings in 1Password to customize how often you need to enter your Master Password. Use a good one, and that benefits all your data, not just a select few items you manually choose to protect: everything. Put another way, 1Password itself is the "higher level of security" you're looking for, not some specific feature. Our intention is not to have 1Password be lax with most of your data and afford solid security only to a small subset; it's to protect all of it.

  • tltltetd
    Community Member

    Understood. Thanks anyway. :(

  • AGAlumB
    1Password Alumni

    @tltltetd: Likewise, thanks for taking the time to share your perspective. While it's very intentional that 1Password works this way, because there are significant downsides to the specific approach you suggested, which we need to avoid, it may be that we can find other things that might help you in the future. Often it's best to start with a more general goal and look for the right way to get there, rather than just implementing a feature. That can lead to even better solutions which help even more people. Thank you for your feedback on this! We'll keep it in mind as we continue to develop 1Password. :)

  • tltltetd
    Community Member

    I appreciate that. As a fellow developer, I've found myself on occasion explaining to a user why they shouldn't want what they want, only to have them beg me for it anyway.

    I've come to realize that different people use products for different reasons with different goals and values. I'm looking for a password manager that (a) makes my life easier and (b) improves my security, in that order. I'm not looking for a password manager that necessarily perfects my security, which I realize is your goal with 1Password, and I respect that.

    But like the fancy-restaurant customer who asks for salt (since the dish doesn't taste good to him) only to be berated by the chef for being a horrible person from an obviously lowly upbringing who wouldn't recognize great cooking if his lower-caste life depended on it and no he's not going to give me salt…

    I still would like salt.

    If that makes any sense. :)

  • AGAlumB
    1Password Alumni

    @tltltetd: I feel like we have been watching the same 90s British sitcom... :crazy: I really, really hope I haven't made you feel that way. If I have, I can't tell you how sorry I am. It's only funny on TV. :blush:

    I guess what it comes down to, which I may have been communicating poorly, is that we need to make 1Password the best we can for a wide range and largest number who use it. Security is a process, so "perfect" does not exist; but, knowing that, it's still something we need to strive for because people expect 1Password to help them do the secure thing. If we implement the feature as requested, we end up with the opposite: the user unlocks 1Password, but thinks they're safe to wander away from the computer with it wide open, because their bank account is hidden under another password request. But in this proposed scenario/use case, there are fairly easy ways around that. So it's not just adding convenience, it's sacrificing security for it, but presenting it as, arguably, just as secure. We just can't get behind that.

    But I understand completely if you're more interested in using a password manager for convenience than security, even if it's a close call. Without convenience, it's a much tougher sell to get you to use it at all! So that's sort of the icing on the carrot cake (anyway, I suspect most people would not eat carrot cake without icing...) Or maybe whipped cream on yogurt is a better metaphor: yogurt is healthy, which can make it seem less appealing than, say, ice cream; but maybe adding whipped cream makes it more like a "dessert": ultimately you want the benefits of something healthy, but it's much more enjoyable with something to "sweeten" the deal. (Sorry, these are the best food metaphors I can come up with! :sweat: )

    The problem is that, in the back of the users' minds, whether they're actively thinking about it or not, there's the trust/assumption that 1Password will help them actually be more secure without just tricking them into thinking they are. It's an extreme example, but one could just slap a fancy looking "lock" image on top of a database app, ask the user for a password, but use no actual security and store the data in plaintext. Fortunately there's enough focus on security in the media these days that something like that wouldn't last long without being found out, but even if it gets taken down, I'd still worry about those who used it right off the bat, entered sensitive information thinking it would be secure, and perhaps continue using it, not having heard the revelation.

    We don't always get it exactly right, but our goal is for the security state (for lack of a better term) of the user's data to be as clear as possible. That's why we go to so much trouble to openly document 1Password's security...but most users are not going to read all of that. So UI is the best tool we have overall to present security to the user, and we don't want to muddy that by having 1Password ask for a password that it doesn't need. On the surface, a lot of these may sound like academic security concerns. But ultimately the only way 1Password offers any security or convenience is if people can trust it and take it at face value. The last thing we want to do is put the user in the position of feeling like their data is locked down when it is not.

  • tltltetd
    Community Member

    Alright, here's a fairer metaphor. Many steak restaurants refuse to cook a steak blue (extra-rare), even if the customer begs for it and explicitly accepts the risk, because the reputational risk to the restaurant exceeds its desire to satisfy a single customer. Better? :)

    While I do understand your arguments, perhaps better than you might think, I still take issue (going back to the alternative concept of providing the option of using a second password, which would achieve a similar increase in convenience) with the notion that all information deserves the same level of security or that users can't be trusted to craft and maintain two secure passwords, one for general use and one for high-security uses. If you can't trust a user to have a second good password, you shouldn't be trusting them to have a first good password. Saying that extending to the option of a second, high-security password (or differing passwords for different vaults) is tantamount to reopening the flood gates of passwords that a password manager is meant to eliminate in the first place is, to me, an irrational slippery-slope argument. I'd never suggest adding a third or fourth. Just one additional layer of security for extra-sensitive items. Is that really too much to ask?? Yes, I realize you're 1Password, not 2Passwords, but couldn't you be…I dunno…1Password²?? (Besides, 1²=1, so we're both happy…)

    I mean, at least make it seared rare so I get some of the yum...
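
The two designs argued over in this thread, as a toy model added here (not 1Password's or LastPass's code, and not part of the original discussion): design A is the reprompt AGAlumB describes, where the key already held in memory decrypts every item, and design B is the separate second password tltltetd proposes. The class names, sample items and the PBKDF2/HMAC construction (a stand-in for a real KDF and AEAD) are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Toy model only: PBKDF2 plus an HMAC-SHA256 stream/MAC stands in for a real KDF and AEAD.
ITERATIONS = 10_000  # kept low so the example runs quickly

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class RepromptVault:
    """Design A: one key for everything; the reprompt is a check in the UI path."""
    def __init__(self, master: str, items: dict, sensitive: set):
        self.salt = os.urandom(16)
        key = derive_key(master, self.salt)
        self.verifier = seal(key, b"vault-ok")
        self.blobs = {n: seal(key, v.encode()) for n, v in items.items()}
        self.sensitive = set(sensitive)
        self.session_key = None  # held in memory while the vault is unlocked

    def unlock(self, password: str) -> None:
        key = derive_key(password, self.salt)
        unseal(key, self.verifier)  # raises ValueError on a wrong password
        self.session_key = key

    def get(self, name: str, reprompt: str = None) -> str:
        if name in self.sensitive:
            if reprompt is None:
                raise PermissionError("master password reprompt required")
            unseal(derive_key(reprompt, self.salt), self.verifier)
        return unseal(self.session_key, self.blobs[name]).decode()

class TwoPasswordVault(RepromptVault):
    """Design B: sensitive items are sealed under a key from a second password."""
    def __init__(self, master: str, second: str, items: dict, sensitive: set):
        super().__init__(master, items, sensitive)
        self.salt2 = os.urandom(16)
        key2 = derive_key(second, self.salt2)
        for n in self.sensitive:  # replace the master-key copy of each sensitive item
            self.blobs[n] = seal(key2, items[n].encode())

    def get(self, name: str, second: str = None) -> str:
        if name in self.sensitive:
            if second is None:
                raise PermissionError("second password required")
            key2 = derive_key(second, self.salt2)  # derived per use, never stored
            return unseal(key2, self.blobs[name]).decode()
        return unseal(self.session_key, self.blobs[name]).decode()

def _raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo() -> dict:
    items = {"fan-club": "hunter2", "bank": "s3cret-bank-login"}  # constructed sample data
    a = RepromptVault("master pw", items, {"bank"})
    b = TwoPasswordVault("master pw", "second pw", items, {"bank"})
    a.unlock("master pw")
    b.unlock("master pw")
    return {
        "a_ui_blocks": _raises(PermissionError, a.get, "bank"),
        # Anything holding design A's unlocked state can skip get() and use the key directly.
        "a_direct": unseal(a.session_key, a.blobs["bank"]).decode(),
        "b_direct_fails": _raises(ValueError, unseal, b.session_key, b.blobs["bank"]),
        "b_with_second": b.get("bank", "second pw"),
    }
```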

  • Alright, here's a fairer metaphor. Many steak restaurants refuse to cook a steak blue (extra-rare), even if the customer begs for it and explicitly accepts the risk, because the reputational risk to the restaurant exceeds its desire to satisfy a single customer. Better? :)

    I think that is fair. :)

    I still would like salt.

    I understand your position but I don't see us heading in that direction. We don't offer salt here, and unless the landscape shifts significantly I don't see us offering salt in the future. I'd rather be up front about that so if it is an absolute requirement for you you're able to start looking for other solutions that do offer it.

    Ben

  • tltltetd
    Community Member

    Understood. Thanks anyway.

  • You're very welcome. I hope you're able to find a solution that you're comfortable with and confident in, even if that ends up not being 1Password.

    Ben

  • ianmcn
    Community Member

    Just found this thread looking for exactly the same feature, because I too am trying to make the switch from LP to 1password. I prefer nearly everything, but the lack of this feature is definitely causing me pause. It's interesting and helpful to read the 1password perspective, but I'm still not convinced it's an acceptable approach (for me). The password reprompt feature is a tool that can lessen the impact of someone gaining access to your vault. Of course that's a scenario any serious user will do everything to prevent, but it's good to have the option to add further protection to the credentials that REALLY matter (admin credentials, bank related, cryptocurrency etc...). 1password option seems to be: vault always unlocked (so only protected by device level authentication) or vault always locked (complex master password required for every use), I'm not sure I'm convinced that this binary choice presents the optimum security vs convenience mix, which ultimately is what I'm looking for in a password manager.

  • AGAlumB
    1Password Alumni

    It's something we'll continue to evaluate, but again, in order to get to that point, the Master Password was already needed to unlock 1Password. And if someone else has access to the machine after you've done that, us putting up an additional Master Password prompt isn't going to stop them if they really want to get your data. Some of it will already be in memory, as will a Master Password equivalent. So it is quite "binary" in the sense of locked versus unlocked, and I think it's important we don't give the user a false impression otherwise.

  • ianmcn
    Community Member

    I take your point, but you seem to be thinking in the realm of the sophisticated and persistent hacker, not the chancer. Having someone gain access to my workstation who has the technical know-how, time and skill to extract password data from memory or direct from the 1password database is an exceedingly unlikely possibility. Having someone sit at my workstation and explore/extract data from my unlocked 1password application is significantly more likely. It's in that scenario where a reprompt option offers genuinely useful extra protection.

    It's like how I secure my bike. Day to day it's kept secure in a garage, but at times I lock it up outside a supermarket for a short time. The lock could quite easily and quickly be cut by a determined thief with the right tools, and I certainly wouldn't use this security method all the time, but it allows me the convenience of cycling to the supermarket and it's significantly more secure than having it left outside and completely unlocked. It feels like 1password offers me the secure garage or unsecured leaning against a rail - but denies me the lock. And to be clear - my workstations are secure, exclusive to me and locked if I'm not there, I totally agree that workstation security is a large factor in keeping passwords and other sensitive data secure, but some data is so sensitive that it really needs that extra degree of security, without denying me the convenience of instant access to the less sensitive information I store in my password manager.

  • AGAlumB
    1Password Alumni
    edited August 2019

    Having someone sit at my workstation and explore/extract data from my unlocked 1password application is significantly more likely.

    @ianmcn: I agree completely. But you're overlooking the fact that they can just record your keystrokes with direct access to the machine, if you've given them access to it.

    The bike is a good analogy, except that prompting for the Master Password when it isn't needed is more like leaving your bike unlocked, but with some paper drawing of a lock on it.

    I totally get that you're probably not someone we need to worry about with this, if you're actually securing your stuff in other ways when you leave your machine unattended. But most people, when presented with a feature that requests their password in more cases, will assume that it offers security properties it does not, and will behave accordingly. We can talk all day about how it might be okay for some people, understanding the limitations, etc., but the reality is that most people aren't going to give it that much thought; they'll simply think their data is more secure than it is as a result. With millions of users, even a small percentage misapprehending the security implications of such a feature is bad news; and we'd really be encouraging them to do so with a feature like this.

  • Tonetony
    Community Member

    I actually agree with the argument that requiring your password an additional time to access certain items is reasonable, for the reasons others have given above.

    This wasn't an important enough feature to me that I'd have raised it, but feel like chiming in.

    For instance - if someone like ME knew or saw that someone used 1Password, or LastPass, or Dashlane, or any common password manager, and left their system unattended and unlocked, and their password manager unlocked, I could (if I were so inclined) easily look stuff up in their password manager in 2 seconds. But could I install malware? Nope. I don't have that level of skill. If I hit the roadblock of a password prompt? I'd be instantly defeated by the simple password prompt. That the data is actually unlocked already in memory - that's a problem if you are subject to a sophisticated attack, but is irrelevant to the casual snoop who wouldn't have the skills to retrieve it.

    So it's protection against untalented but opportunistic snoops.

    Reminds me of a couple of decades ago when I used to let people sit at my browser to check their email. I discovered that the first 2 things some people, friends, would do is check my bookmarks and the second thing they'd do is check my browser history. After observing that, I gave visitors access only to a guest account using a guest Wi-Fi network with local networking restrictions.

    For what it's worth, Dashlane has the same concept of optionally requiring the master password again to view or use a number of categories. It may very well suffer from the limitations you describe, applying a much thinner veneer of "security," but it definitely blocks the opportunistic layperson.

    The lack of this feature in 1Password is not a deal breaker for me, and it's not something I'd have brought up. But I have sympathy for those who would like the feature. The argument seems to be: it's not worth it to provide the extra veneer of password protection that would block an unsophisticated attack, since it would not deter more sophisticated attacks.

    Aren't most attacks unsophisticated? Few people are going full Ocean's Eleven.

    I've never had a serious compromise, but have seen plenty of intentional or accidental intrusions.

    BTW LastPass isn't the only pw manager having problems. Dashlane barely works at all with Safari 12. That's why I converted to 1Password.

  • Thanks for taking the time to share your thoughts on this subject, @Tonetony. We'll continue to evaluate how we can best help our customers avoid opportunistic attacks.

    Ben

  • tltltetd
    Community Member

    I've unfortunately just had to set 1Password to almost never auto-lock. It's highly insecure, as now both hypothetical high-tech hackers and real-life low-tech passersby have complete access to my most sensitive information. It's far more insecure than I had with LastPass. But it's clear they're married to their pie-in-the-sky abstract philosophies and not budging on this issue, so it is what it is.

    Of course, if they really wanted to protect users from themselves, they'd force all users to always have to enter their passwords after five minutes of idle time without any option to relax that requirement. All it takes is for you to walk away from your computer for five minutes and have a ninja jump into your workspace and steal all your passwords. Sure, I'm not that worried about ninjas, but I'm not that worried about sophisticated hacking attempts either…who am I to decide my own level of security vs. convenience? The worse you're willing to make the user experience, the more ability you have to protect users from themselves, right?

    Yes, LastPass does have the benefit of giving users control over their own destinies and then warning them when they select a setting that significantly reduces their security, but then ultimately allowing the user to make that choice instead of dictating it to them.

    Still, I think I'm going to stick with 1Password given how buggy LastPass has become and how completely unresponsive their boneheaded developers are. One thing you can say about 1Password's developers: They may be nannies who don't trust us users to control our own destinies, but at least they provide a product that works and is carefully thought out. ;)

    I just hope they can fix the import process from LastPass soon (the slashes vs. backslashes between the two systems cause nested LastPass folders to come in as compound-name 1Password tags instead of nested tags) so I can start using 1Password. (I already reported it, so I know they're working on it.)

  • :+1: :)

    Ben

  • ianmcn
    Community Member

    But you're overlooking the fact that they can just record your keystrokes with direct access to the machine, if you've given them access to it.

    Not really, again that's an example of a more sophisticated attack that would take some planning and require some knowledge and tools. I'm talking about an opportunist with no special knowledge - an unlocked 1password vault is open for the taking, credit cards, cryptocurrency keys, server admin credentials, anything that's stored there. A LastPass vault gives you the tools to limit access to the most sensitive data under these kinds of circumstances.

    The bike is a good analogy, except that prompting for the Master Password when it isn't needed is more like leaving your bike unlocked, but with some paper drawing of a lock on it.

    No, it's not. It's exactly as I said - not at all secured against a determined thief with the correct tools, but almost totally secure against an opportunist without any tools. A paper drawing of a lock isn't security against anyone. This is an example of a security/convenience trade-off that I'm willing to take. Also, to say that you'd be prompting for the Master Password when it isn't needed is only accurate from a very high level perspective. In reality for nearly all users or attackers if it asks for the master password before giving access to something, then the master password is needed - they have no way of knowing if the vault itself is currently unencrypted in memory, nor how to access that data.

    For instance - if someone like ME knew or saw that someone used 1Password, or LastPass, or Dashlane, or any common password manager, and left their system unattended and unlocked, and their password manager unlocked, I could (if I were so inclined) easily look stuff up in their password manager in 2 seconds. But could I install malware? Nope. I don't have that level of skill. If I hit the roadblock of a password prompt? I'd be instantly defeated by the simple password prompt. That the data is actually unlocked already in memory - that's a problem if you are subject to a sophisticated attack, but is irrelevant to the casual snoop who wouldn't have the skills to retrieve it.

    This is exactly it. Thanks for putting it so well :+1:

  • tltltetd
    Community Member

    Hey, we tried. If the chef refuses to give you the salt shaker, then bland food it is. 😆

  • AGAlumB
    1Password Alumni

    I'm not going to link to them here, for obvious reasons, but USB keylogger shims are very cheap, discreet, and do not require privilege escalation to connect to a computer.

  • ianmcn
    Community Member

    Sure. But they still require knowledge (1. that they exist, 2. how to get one, 3. How to use the logged data.) and planning, not the same as the far more likely threat of an opportunist. Also, I'm not sure why keyloggers are relevant to the conversation because a keylogger could reveal the master password which would then mean the status of your vault (locked/unlocked) is irrelevant, as is the existence of a reprompt feature. 2FA wouldn't prevent 1password vault access either if the device was already trusted. In fact the only thing that would help protect the vault from keyloggers would be an onscreen keyboard option for the vault (another Lastpass feature I don't see in 1password! :-) ).

    Honestly, I'm not trying to be awkward, 1password is a far better experience than LP in many ways, and there have been several security features I've noticed not present in LP, it's just a shame this particular one is missing - and I don't think any of the justifications for not including it ultimately make sense. Anyway - I've made my case, and got the message that this is not likely to change, so is something I would have to sacrifice if I made the switch. Will make the final decision with that in mind.

  • AGAlumB
    1Password Alumni

    Exactly. Someone with access to your machine doesn't need to worry about a "password reprompt" feature. Anyway, the threat of someone not "sophisticated" enough to use cheap, off-the-shelf tools to steal your data is why we offer a number of security settings in 1Password, so you can have it lock when not in use, even if you forget to do that yourself manually:

    All of those do exactly what they say, so it's security that users can rely on. But certainly if it's a dealbreaker for you that we don't offer additional features, even if they add no real security benefit, because you like them, that's not going to be something I can convince you of. Everyone has different preferences/priorities. Ours is making 1Password's actual security and apparent security line up, so that users can understand it. It isn't always possible to achieve that, as people have different expectations and understanding, but it's something we'll continue to strive for. :)

  • ianmcn
    Community Member

    even if they add no real security benefit

    I get that you have your own preferences and priorities, but it is a little condescending to say this after multiple users have made a clear case for the opposite (a genuine security benefit against your everyday opportunist, while giving the convenience of leaving your vault unlocked for instant access to non-sensitive credentials, because let's face it - if you have a decent master password, unlocking is a PITA (as it should be!) ).

  • ag_ana
    1Password Alumni

    We appreciate you taking the time to share your thoughts @ianmcn! It's good to discuss these things :)

  • tltltetd
    Community Member

    I'd just like to put this out there, if only to simmer indefinitely in the minds of 1Password developers. There is a third way: scaring/shaming/admonishing users into compliance without forcing them. It's clear from your well-considered and thoughtfully (if slightly stiltedly) communicated diatribes above that you 1Password developers see absolutely no merit to our wistful, ignorant pleas.

    But imagine you did. Imagine you were willing to entertain the notion that your customers had differing values and priorities from those of your immediate tech-world lives…but you still weren't comfortable indulging them because of the possibility that somewhere, sometime, some hapless user might unknowingly shoot themself in the foot and blame you for it.

    Enter the beauty of the "do this at your own risk, you idiot" approach.

    Instead of nanny-style dictating to us what's good for us, give us the ability to decide for ourselves—with full warning as to (what you think are) the potential consequences. And keep in mind that some of us poor souls use computers that (gasp!) don't have Touch ID, like iMacs. We have to type in the stupid-complicated master passwords time after time after time just to make your product go.

    I know this is a struggle to accept that what I say might be true, but at least consider the possibility that we're not as dumb or careless as you think we are, we don't all require the exact same product with the exact same "features," and—to paraphrase a million musicians—you don't know me, so don't try to own me. ;)

    And good luck getting in my apartment to install that cheap USB keylogger shim.

  • tltltetd
    Community Member

    (1Password team members be like…)

  • There is always a fine balance that needs to be maintained with software like 1Password. We're in a position where millions of customers hold us responsible for the security of the data, while also providing a level of convenience. There is a need to continuously monitor the landscape and consider how to best find that balance. We'll continue to look at the ways in which we can improve convenience without having a significantly negative impact on security. That said we generally don't make promises about upcoming changes until they're ready to be released and we don't operate on a voting system, so I couldn't comment further as to what specifics we may see in this regard in the future. We'll continue to look at how 1Password customers are using 1Password, when they choose to share that information with us (such as in posts like this) and use that information to guide us toward the best solutions. :)

    Thanks all for the input. We do truly appreciate it, and will take it under advisement as we have discussions internally.

    Ben

  • RyckyB
    Community Member

    Looks like there are plenty of people who want the same thing, which is not being offered. I wonder how many people who want this feature are reading the posts and silently walking away from 1password to find a different restaurant who is willing to stock 'salt' to satisfy customers who wish to use it rather than refusing and insisting salt is bad for them. As requested by the originator of this post, my number one priority is to make my life easier. My second priority is to improve security. So far 1password has complicated my life online. I would actually prefer the option of greater convenience for most of my everyday non-critical logins even if it meant those were less secure.

  • tltltetd
    Community Member

    Hear hear! I'd still love having the salt. :)

  • the_dear_leader
    Community Member

    Many philosophers here.
    You could just have said "No, we haven't got such a feature".
    Or, maybe: "Good idea, we'll be working at it".

This discussion has been closed.