Feature Request: Automate password changes [under consideration]

Shadow
Community Member
edited December 2014 in Mac

I love the new feature Dashlane just released. Any chance AgileBits will be releasing a similar feature?


Comments

  • Mc128k
    Community Member
    edited September 2014

    Hi all
    I am a regular user of 1Password and I love each feature. The app saved every possible login info I ever created, tags and folders are very useful, and icons enhance the user experience a lot.

    Then I discovered the Watchtower. It tells me that dozens of site logins must be changed. And changing passwords on all these sites just requires a lot of work for a little change (or moreover, future issues because devices have to learn new passwords and so on...).
    It would be a perfect companion to the Watchtower to have a tool that automatically changes passwords for most common sites.

    How to make it work? I find it relatively simple:

    • Create a database of supported web domains
      • Each domain has a custom password change procedure or API, saved by version using some kind of signature (see if the page changes, if buttons are the same...)
      • 1Password changes the password automatically using some webpage scripting technique
      • Then it checks for incoming mail (eventually) using the default mail app

    This way even users with minimal scripting knowledge could send their site's procedure (API maybe) to AgileBits, and have it approved for the sites database.

    And this would be awesome. 1Password would be the first to implement this feature.

    What do you think about it?

  • Hi @Mc128k‌,

    It's a fantastic idea, and we've certainly had thoughts about it, but it is a very complex thing to pull off. Change password forms are not executed as consistently as login, address, and credit card forms. There'd have to be custom code for nearly every site, and that is unfortunately not very scalable. In other words, there's a reason this hasn't been done by anyone yet.

    That said, technology is fast-paced and things are always changing. Things could change in this regard and make it easier to implement. We never say never to awesome ideas.

  • bcbrock
    Community Member

    I just saw this feature as well, and am hoping similar functionality could be implemented for 1Password.

    https://www.dashlane.com/password-changer-beta

  • asbjornu
    Community Member

    It would be awesome if 1Password could offer a service (not necessarily for free) that changed the password for given services (Google, Facebook, Yahoo, etc.) automatically. This would save enormous amounts of time and would make it much easier to act on the "Security Audits" that 1Password currently performs, like "Weak Passwords", "Watchtower" and "3+ years old".

    Dashlane has an automatic password changer, so it's obvious that this is possible to implement. The question is just when 1Password will offer something similar?

  • Stephen_C
    Community Member
    edited December 2014

    If something like that meant AgileBits would be required to have—and perhaps to hold—details of some of the passwords in my vault I'd much prefer it not to happen. :) Maybe there's some smarter way to deal with the issue which would not involve that.

    Stephen

  • FolsomRider
    Community Member

    @Stephen_C‌ — what details would 1Password have to hold in your vault to enable an automatic password change such as what Dashlane has just announced? Frankly 1Password already has some pretty private information in the vaults — passwords, credit card data, meta data about items, etc. I'm not sure what you can be thinking of.

  • FolsomRider
    Community Member

    This would be extremely useful.

  • Stephen_C
    Community Member

    _Frankly 1Password already has some pretty private information in the vaults — passwords, credit card data, meta data about items, etc. I'm not sure what you can be thinking of._

    That's the whole point: the data is held in the vault on my machines in my control. Nothing is held by AgileBits. I would not like to use any password manager where the software developer holds any of the information I hold within his product. In order for AgileBits "automatically" to change my Google password (which is what the original poster talks about), for example, surely it would have to know:

    1. that I have a Google password;
    2. what that Google password is;
    3. where to store the new Google password in my vault once the old one is changed "automatically".

    Perhaps I have misunderstood what the original poster means by "automatically".

    Stephen

  • MrC
    Volunteer Moderator
    edited December 2014

    I suspect that Dashlane will create per-site rules housed on their servers to help guide the auto-change process. This is going to require a fair amount of person-power to maintain these per-site rules, and sites change their logins fairly often.

    I also suspect that only the top sites will be implemented initially, and others will come over time (similar to AgileBits' rich icons). I very much doubt users will be able to change all of their logins if they have many lesser-known login items. However, just handling the common sites could be a big help for many cases.

    I do wonder about the security aspect.

    Edit: as I suspected - there are only 71 sites supported, despite Dashlane claiming "automatically changes your passwords on all your favorite websites". Apparently they get to redefine all and what constitutes your favorites.

  • Megan
    1Password Alumni

    Hi everyone,

    Thanks so much for letting us know that you're interested in a feature like this! We've heard this request a few times since that article was published, and we're certainly looking into it. :)

  • Plato
    Community Member

    Depending on how it works, I might be 100% opposed to it. It's fairly easy to change passwords with 1P. The fact that I control when it happens is paramount to me. If I were to die unexpectedly, my wife could conceivably go through absolute hell tracking down our money. To cover all bases, my S.O.P. is to update passwords periodically and, upon updating, print out everything and put the printout in our safety deposit box. I don't want to have to run to the safety deposit box every day because of automatic PW changes.

  • Stephen_C
    Community Member

    @pomme4moi‌ @Plato‌ I have merged your new thread into an existing one on the same subject.

    Stephen

  • kga1978
    Community Member

    With both LastPass and Dashlane having this feature, we definitely need it in 1Password, hands down ;-).

    In fact, this has been by far one of my most wanted features for a while.

  • wlmorin55
    Community Member

    I recently ran across a company that claims to offer automatic password changes. They have a few big name web sites that have signed on to include Apple, Amazon and Dropbox. They also claim to be able to handle two-step authentication as well. This would be a nice feature add to 1Password if possible.

  • ToBeFrank
    Community Member

    _If I were to die unexpectedly, my wife could conceivably go through absolute hell tracking down our money. To cover all bases, my S.O.P. is to update passwords periodically and, upon updating, print out everything and put the printout in our safety deposit box. I don't want to have to run to the safety deposit box every day because of automatic PW changes._

    Or you could store the 1Password master password in your safety deposit box.

  • Plato
    Community Member
    edited December 2014

    @ToBeFrank‌

    I did both. Our Safety Deposit Box contains both the Master Password AND the printout that I mentioned previously. Part of my concern is my wife's difficulty with computers. She flat out doesn't want to learn new things (like CMD-backslash). She wants computers to continue to work the same way forever. I actually mimicked the OS-9 activity window (or whatever in heck it was called) for her login and it's still there!

    Another benefit to doing it this way is in case we're both gone and our sons need to access our finances from their own computers.

  • [Deleted User]
    Community Member

    I am opposed to this feature. I do not want passwords stored on any computer outside of my control. Once password information is stored on a third party server, the government and possibly other third parties can get access to the information. They can get access to enough information as it is. I am not being paranoid, I have used cloud services for other items like calendars, contacts (minimum information), notes, to-dos, bookmarks. Therefore, if this should become a feature, it should be made optional, like the sync options (iCloud, Dropbox, etc). My two cents.

  • Plato
    Community Member

    Again, I'm opposed to the very existence of this "feature" as it will reduce my security.

  • asbjornu
    Community Member
    edited December 2014

    @Plato‌, why does it have to reduce your security? It depends on how it's implemented of course, but firstly I would never think AgileBits would implement something that would compromise the security of your passwords or the vault they are stored in. Secondly, the existence of this feature does not mean it's something you have to use. I presume the feature would be 100% optional and something you would have to turn on. Thirdly, why do you assume the feature needs to work without your consent or control?

    The most important bit about the feature is making it much easier to change passwords; the operation itself can still be initiated by you. Imagine a "Change this password" button, that when clicked, goes out to the given site, changes the password and stores it in your vault. All without leaving any more data anywhere (or perhaps even less) than you would doing the exact same thing in a web browser. The functionality can be done all within the 1Password app. There is nothing that has to be stored on a server anywhere.

    To expand on this, there are a lot of features you could imagine built on top of this, like a 100% automated "background job" of changing passwords for every site every month, but again, the existence of these features does not compromise the security of your vault.

    @Steve_H‌, there is nothing about this feature that requires anything to be stored anywhere else than today. The password change can be done by the 1Password app, it does not have to be done by a server.

  • Stephen_C
    Community Member

    Please see this thread.

    Stephen

  • Plato
    Community Member

    @asbjornu‌

    _...firstly I would never think AgileBits would implement something that would compromise the security of your passwords or the vault they are stored in._
    Is that absolute total fact or merely your thinking?

    _Secondly, the existence of this feature does not mean it's something you have to use. I presume the feature would be 100% optional and something you would have to turn on._
    Are you sure?

    _Thirdly, why do you assume the feature needs to work without your consent or control?_
    automatic |ˌôtəˈmatik|
    adjective
    1 (of a device or process) working by itself with little or no direct human control: an automatic kettle that switches itself off when it boils | calibration is fully automatic.

  • dpkonofa
    Community Member

    @Plato‌

    1. Considering that their entire business depends on keeping your passwords secure, I'm pretty sure @asbjornu‌ is safe in saying that AgileBits wouldn't implement something if it compromised security.

    2. There's no way to be sure since the feature doesn't exist but, based on previous feature releases where they're optional, I think it's safe to say it'll be optional.

    3. You can give consent to something in advance and still have it be automatic. One does not preclude the existence or the operation of another. You can have full control over how something functions and consent to its function and still have it work automatically.

    I feel like you're being intentionally obtuse here...

  • Megan
    1Password Alumni

    Hey everyone,

    Thanks so much for sharing your thoughts here - it's great to see discussion about the implications and potentials of the automatic password change features recently announced. Some important points have been brought up.

    As always, we can't comment on planned or unreleased features, but we are listening to all of your feedback!

    ref: OPX-703

  • [Deleted User]
    Community Member

    @asbjornu. You have a slightly different opinion than does MrC. He states that "per-site rules housed on their servers" possibly. If that would be the case, then for automatic changing of passwords to take place then the password software would have to communicate with the server. (I am not a programmer etc. Just an old computer buff). To me, it is no different than the rich icons. URLs need to run up against some database to match the URL to a favicon. Unless the entire database is installed on the local machine for matching and updated behind us. I imagine and hope that is how the WatchTower service works. Similar to Apple and the Google Safe Browsing. You cannot turn that off very easily. It is on by default. BTW, great discussion, keep it coming. We can always learn something new. :-)

  • Ramz
    Community Member

    I love 1Password. And I really respect the developers behind it. The blog is great and shows they really care about security and know their stuff. But with Dashlane and LastPass now featuring the ability to change passwords on sites for you, I'm very much conflicted. I asked for this feature in 1Password many months ago. It is a killer feature and really makes things even safer and easier. Dashlane's implementation is quite impressive. So I don't really want to switch, but it is a killer feature that's really making me consider it. Will 1Password offer something similar soon?

  • Stephen_C
    Community Member

    @Ramz‌ please see the discussion in this thread.

    Stephen

  • asbjornu
    Community Member

    @Steve_H‌, even with the "per-site rules housed on their servers", those rules don't need to contain any sensitive information. They don't have to be any more than simple scripts. JavaScript files, or something similar; I'm thinking that PhantomJS could be used as a "headless browser" to perform the login, navigate to "change password" and make the password change, all locally from your 1Password application.

    It makes sense to have these scripts maintained external to 1Password itself, so they can be pushed out to 1Password applications without having to perform a full 1Password update. Just like antivirus, WatchTower or Safe Browsing definitions.
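
The design discussed in this thread (a per-site rule published by a server, checked against the page's structure before use, and applied locally so vault data never leaves the machine), as an added sketch that is not part of any post and is not 1Password, Dashlane or LastPass code. Every name here (`RULE`, `formShape`, `planChange`, `commitChange`, the `example.test` domain, the field names) is an assumption, and the page snapshot stands in for what a local browser component would read from the DOM.

```javascript
// Constructed per-site rule as a server could publish it: page structure only, no account data.
const RULE = {
  domain: "example.test", // placeholder domain (assumption)
  version: 3,
  formShape: "/account/password|new_pw2:password,new_pw:password,old_pw:password",
  fields: { current: "old_pw", next: "new_pw", confirm: "new_pw2" },
};

// Canonical description of a form: action path plus sorted name:type pairs.
function formShape(form) {
  const inputs = form.inputs.map((i) => `${i.name}:${i.type}`).sort();
  return `${form.action}|${inputs.join(",")}`;
}

// Decide locally what to submit; refuse when the page no longer matches the rule.
function planChange(rule, page, vaultItem, newPassword) {
  if (page.origin !== `https://${rule.domain}`) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (formShape(page.form) !== rule.formShape) {
    return { ok: false, reason: `form changed since rule v${rule.version}` };
  }
  return {
    ok: true,
    submit: {
      [rule.fields.current]: vaultItem.password,
      [rule.fields.next]: newPassword,
      [rule.fields.confirm]: newPassword,
    },
  };
}

// Update the vault only after the site confirmed the change; keep the old value.
function commitChange(vaultItem, newPassword, siteConfirmed) {
  if (!siteConfirmed) return vaultItem;
  const previous = [...(vaultItem.previousPasswords || []), vaultItem.password];
  return { ...vaultItem, password: newPassword, previousPasswords: previous };
}

// Constructed sample input: a page snapshot and a local vault item.
const PAGE = {
  origin: "https://example.test",
  form: {
    action: "/account/password",
    inputs: ["old_pw", "new_pw", "new_pw2"].map((name) => ({ name, type: "password" })),
  },
};
const ITEM = { title: "Example", password: "old-constructed-pw" };
```

The rule carries only field names and a structural fingerprint, so the credentials appear solely in the locally built `submit` object, and a redesigned form makes the runner stop instead of typing a password into an unknown field.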

  • [Deleted User]
    Community Member

    Well, it sounds like it should be possible. A little (lot) over my head. I just would want AgileBits to have it turned off by default. Unlike the case for iCloud sync with the MAS app. iCloud sync is checked (turned on) by default and you have to uncheck the box. I have gone back to the Web Store version because of that. It is a little bit like Apple automatically logging you into iMessage and FaceTime on your desktop or laptop once Apple has your Apple ID information from signing into the MAS to get your purchases of Pages or Numbers. IMHO, ALL cloud and external services (i.e. Location Services, time services) should be disabled by default and the user should have to turn on (activate) what they want. A single menu could be provided with descriptions of each service and what it does, and then let the user choose. I realize that I am probably in the minority, but my background has shown me that the average user has no idea just how much information is and can be collected.

  • Megan
    1Password Alumni
    This discussion was created from comments split from: I'm leaning towards a new password app....
This discussion has been closed.