Require password reprompt for certain sites

Hi there,

As someone who has used Lastpass in the past, a feature I really appreciated was that you could "require password reprompt" for certain sites before the password could be accessed. So even if your vault was unlocked, for your most sensitive passwords (think financial accounts), you could require that your master password be provided again before it could be copied or form-filled.

It's not clear to me if this was cryptographically enforced, but even if not, it is certainly a nice-to-have last ditch protection against the "nosy person who comes across my computer while my vault is unlocked" case.

Does this feature exist? Is this something you have considered?

Thanks!

Mike


1Password Version: 6.x
Extension Version: Not Provided
OS Version: OSX
Sync Type: 1password.com

Comments

  • brentybrenty

    Team Member

    @lookingforentropy: Ah, interesting. In the past, it's been suggested that we add the ability to set a separate password for individual items...but of course that's the reason why 1Password exists in the first place: to have fewer to remember!

    But what you're suggesting is a bit different: a sort of "always require Master Password" to access certain items. It's come up before, but I think you did a good job of summarizing it. It is unlikely that such a restriction could be cryptographically enforced since your vault is already unlocked and accessible otherwise, and frankly someone malicious may be quite happy to have the rest of your data. And honestly even though this wouldn't make you remember multiple passwords, it would put an additional operational security burden on you, since you'd need to manage which items you wanted to enable this for.

    That said, it's certainly something we can consider for a future version, but you may find that simply changing your security preferences in the app gives you a similar effect — and provides greater security for all of your data without making you micromanage things. Let me know what you think! :)

  • @brenty Thanks for the quick response. Another possibility is to make it so that not all vaults are necessarily unlocked together with your master password. In this case, one's most secure credentials could be stored in a vault that normally never needs to be unlocked. Presumably in this case, one could cryptographically secure the "more important" vault, especially if you used a different master password (I am sympathetic to the idea that you should only need a single password, but not to the extent that it degrades the security of the product).

    I'm sure this wouldn't be a trivial task, but something to consider. Thank you!

  • Greetings @lookingforentropy,

    As you're a Mac user I've moved your request from saving and filling. If this feature was ever to exist it would have to be deep inside the application so this is to make sure the right people see this. The saving and filling is typically viewed by those that work on improving compatibility with the interaction between 1Password and the actual HTML in the web page while this is more about security and I'm guessing one you want not just in place for filling but for viewing in 1Password and so on.

    Will it ever happen? I don't know but we do track interest and factor it into what we work on. I won't lie, I don't really understand how having a second layer is more secure compared to ensuring 1Password is locked when you're away from the machine but if I'm going to say that I should also point out that I admit I may not be the target audience of such a feature and whether I feel it would be great or not is not part of the decision process. If it truly adds security for the majority of our users though then it has to be considered :smile:

This discussion has been closed.