1password for PC, want option to unlock with pin code [Not supported]

Athkrnl
edited October 2017 in 1Password 4 for Windows

A couple of versions back I had the option to use a PIN code to unlock the app on my local PC (it was called change local master password back then), but now that option is gone, and I really miss it.
It is really stupid to enter the entire master password every time on my desktop, which no one really has access to except me. I don't want to change my master password to all numeric, nor do I think I am able to.

We are able to use a PIN code on mobile devices, so why can't we use a PIN on desktops/laptops? Will the devs add this feature back?


1Password Version: 6.7.457
Extension Version: Not Provided
OS Version: Windows 10 Pro
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    > A couple of versions back I had the option to use a PIN code to unlock the app on my local PC (it was called change local master password back then), but now that option is gone, and I really miss it.

    @Athkrnl: The Master Password change option was not there for you to use a weak password, which a PIN is, to protect your data; rather, it existed because it was not initially possible for the app to be notified of Master Password updates from the server. Since that is possible now, we've removed it to reduce confusion, since the vast majority of users are using 1Password to have, well...one password to protect their data, so they don't have to keep track of others. After all, there's an app for that!

    > It is really stupid to enter the entire master password every time on my desktop, which no one really has access to except me. I don't want to change my master password to all numeric, nor do I think I am able to.

    I agree that it wouldn't be a good idea to use an all-numeric Master Password. But that's essentially what a PIN is, only much shorter. It's just as much (if not more) work to enter a password composed entirely of digits as it is one including letters and symbols of the same length, so you're not saving yourself work by doing that. And using a short password of any kind will be incredibly easy for a computer to guess.

    > We are able to use a PIN code on mobile devices, so why can't we use a PIN on desktops/laptops? Will the devs add this feature back?

    PIN codes are useful on mobile devices because they don't have keyboards. And honestly this usability concession is largely unnecessary these days with fingerprint readers, which are much more secure.

    We don't have plans to add a PIN option to 1Password because these are not a secure option, and frankly it circumvents the requirement to use at least a 10 character Master Password with a 1Password.com account.

    We also don't have plans to make it possible to change the Master Password just for one instance of the app, as that's a great way for people to forget the actual Master Password they need to use to get into their account in all other instances.

    We do, however, recommend using the various security options in the app's Settings to customize things so it does not lock as frequently when you're actively using your computer. You'll still have to enter your Master Password to unlock occasionally, but this is not only better for your security, it also helps you remember it. If you forget it, we just can't help you unfortunately.

    We'd also like to support Windows Hello in the future, which could allow you to use alternative unlock methods after unlocking with your Master Password once in the session.

    I hope this offers some insight. Be sure to let us know if you have any other questions!

  • Thanks for your detailed explanation, brenty.
    Still, I have confidence in my personal PC's security and I miss that feature.
    How about adding it to advanced settings with some warning text next to it?

    Unfortunately I don't have supported hardware on my desktop for a future Windows Hello patch. Actually, I believe most laptops don't support Windows Hello except newer ones, so most users still have to type in the master keyword each time.

    Or we could have an option to set this PC as my home PC, so 1Password is unlocked whenever my PC is unlocked from the lock screen. It's a desktop, so it's not going anywhere. We also skip the password entry step, so keyloggers can't actually log anything.

    Or gestures/patterns/different unlock options maybe; one that makes unlocking less painful/boring yet reasonably complicated will do.

    Because most of the time we don't need it unlocked the whole day, we just want to be able to find a particular password in 2 secs when we try to log in. And it isn't very helpful if each time we need 5 secs to type in the master password; if we are working, it kinda breaks the rhythm, if you can imagine that. Not a big deal, but still a bit frustrating.

    I love using 1Password, it's a great app. I have been using it since 1Password 4, which I could unlock with a PIN (I know it's considered insecure now). And I'll continue to support 1Password.

  • bundtkate

    Team Member
    edited August 2017

    On behalf of brenty, you're most welcome, @Athkrnl. I'm glad he was able to explain our reasoning behind this change. As he mentioned, I don't see us offering the option to change the local password again. It's easy for us to throw something out there with a warning and assume everyone will read it, but the reality is that these admonishments are often overlooked and getting locked out of your account isn't something we can help you recover from. This may never happen to you personally, but I've seen it happen to any number of customers who were confused about what that button did, even though it was hidden in advanced settings at the time.

    That said, I totally understand where you're coming from. Whenever I unlock 1Password, there's a pretty good chance I'm going to mistype my Master Password at least once and, if I'm being honest, usually more than once. At this point, I've gotten used to it and only grump a little, but I have found that tailoring my auto-lock settings, as brenty mentioned, is a great help. I can get through my entire work day (and any gaming sessions that follow it) with only unlocking once, which really minimizes my fat-finger frustrations. Hopefully some changes there will help you not lose your rhythm, too. :chuffed:

    > Unfortunately I don't have supported hardware on my desktop for a future Windows Hello patch

    I don't have any supported hardware either, but there have been some desktop peripherals released that would get me there, like keyboards that include a fingerprint scanner. There aren't many of them yet and, as picky as I am about my keyboard, I imagine it'll be some time before I'll find one that I like. All the same, this does provide some hope for those of us with machines that didn't ship with supported hardware to access Windows Hello down the line without completely breaking the bank, so I wouldn't write it off just yet. :wink:

    I'm glad to hear you've been such a long-term fan of 1Password. It really does mean a lot to us that folks stick with 1Password so long. It shows we're at least doing something right, even when we take away your change Master Password button. :wink: Thanks for the love and I hope some of the tricks we've shared help to ease the pain of losing the button and serve to keep your rhythm going. :+1:

  • Signed up for an account just to say that this omission is pretty sad. A PIN would provide convenient access on an already-trusted computer. I'm not worried about my computer being stolen; it's only my online credentials I worry about. Requiring the master password upon rebooting makes sense to me, but is almost essential for recurring entry, like if I close my laptop to take it from meeting to meeting, or throw it in my backpack, or something.

    You're going to say, "But that's why it needs to be safe!" No. If I'm going to get robbed, said person isn't going to know how to crack my Windows password and then my 1password pass phrase. It's cyber criminals that this concerns, not daily people on the streets. If my computer gets stolen, I can have 1password reset before they even get into my computer.

    All always requiring the password does is inconvenience. LastPass offers 30-day trusted devices, and Enpass offers PIN support. I think PIN is the happy medium between always trusted, secure, and annoyingly secure.

  • MikeT Agile Samurai

    Team Member
    edited October 2017

    Hi @carlylemiii,

    Thanks for writing in.

    > A PIN would provide convenient access on an already-trusted computer.

    Convenient for hackers as well, they don't need to figure out your master password, they just need to figure out your PIN once they remotely infect your system while you're using the computer. A four digit PIN can be cracked within a few hours, 6 digits can be within a day or less.

    Our major concern is malware infecting your systems and stealing your encryption keys. This can actually be easier than someone robbing you of the laptop since they can attack all computers they can infect, not just one.

    To enable a secondary authentication like PIN or biometrics security like fingerprint, your local decryption key has to be stored somewhere for it to use when you authenticate. In other words, the entire security of 1Password would be exposed to any type of compromise of your much weaker authentication system. There are solutions like hardware TPM chips, SGX, 2FA + Yubi keys where it can store keys securely on the device that cannot be used elsewhere but not everyone has these.

    On the other hand, once your system is fully compromised, the game is over anyway, they could just install a keylogger to grab your master password.

    We take security very seriously, we aren't going to add something just so that it is easier to use. We need to be confident that every feature we add, we're not allowing for easier ways into 1Password.

  • coolcow
    edited March 4

    > Convenient for hackers as well, they don't need to figure out your master password, they just need to figure out your PIN once they remotely infect your system while you're using the computer.

    Once a hacker has infected your system you have already lost the game... Refusing to give the user the possibility to log in locally via a PIN because of that argument is really weird. The hacker can keylog my long and complicated master password, so what's the difference here?!

    I left LastPass for 1Password for no special reason. I just wanted to test out something else. And it turned out that I am pretty happy with 1Password, but I think I will go back to LastPass after the end of my 1 year subscription. Why? Because my master password is damn secure, long and complicated (as it should be) and it is a real PITA to have to type it again each time I accidentally close my last Chrome window!

    Let a blinking big red confirm dialog appear with a caps lock warning like "THIS OPTION IS NOT SECURE AND NOT RECOMMENDED ! ACTIVATE IT AT YOUR OWN RISK !!!111eleven". But pleeeease let us choose whether or not we want to use this feature. I really would prefer to stick with 1Password... :'(

    EDIT: sorry, I just saw the "1Password for Windows" category... I was talking about the Chrome plugin. But the argument is basically the same and also true for the Windows app.

  • brenty

    Team Member

    > Once a hacker has infected your system you have already lost the game... Refusing to give the user the possibility to log in locally via a PIN because of that argument is really weird. The hacker can keylog my long and complicated master password, so what's the difference here?!

    The difference is that a PIN can be easily guessed without you needing to give away your secrets to an attacker yourself.

    > Because my master password is damn secure, long and complicated (as it should be) and it is a real PITA to have to type it again each time I accidentally close my last Chrome window!

    Your Master Password doesn't need to be a dissertation on world peace; it just needs to be strong enough to prevent someone from brute forcing it within a useful time frame. It's been demonstrated that a random Wordlist password of three characters takes more than six months to brute force even with a cash prize and hints. A four-word Wordlist password will be exponentially stronger and is nearly as easy to type. Definitely check it out:

    https://1password.com/password-generator/

    And the 1Password apps support Windows Hello, Touch ID, Face ID, and Nexus Imprint, so while you do need to know and enter your Master Password sometimes, you don't have to all the time.

    > Let a blinking big red confirm dialog appear with a caps lock warning like "THIS OPTION IS NOT SECURE AND NOT RECOMMENDED ! ACTIVATE IT AT YOUR OWN RISK !!!111eleven". But pleeeease let us choose whether or not we want to use this feature. I really would prefer to stick with 1Password... :'(

    It's absurd for us to include a feature and then warn people not to use it. Talk about mixed messages! We have no plans to add that.

    > EDIT: sorry, I just saw the "1Password for Windows" category... I was talking about the Chrome plugin. But the argument is basically the same and also true for the Windows app.

    No problem. As this discussion is really old and has run its course anyway, I'll close it. Anyway, if you're using the 1Password desktop app, you should try its companion extension:

    https://support.1password.com/1password-extension/

    Cheers! :)
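
An added example, not part of the thread and not 1Password's code, that works through the arithmetic behind MikeT's point about PINs guarding a locally stored key and brenty's point about word-list passwords. It assumes the secret is chosen at random, that each guess costs one PBKDF2-HMAC-SHA256 derivation, and uses an assumed iteration count and an assumed word-list size.

```python
import hashlib
import math
import os
import time

# Assumed figures for illustration; none come from the thread or from 1Password.
PBKDF2_ITERATIONS = 100_000   # assumed KDF work per guess
WORDLIST_SIZE = 18_000        # assumed size of a passphrase word list

# (label, symbols to choose from, number of symbols), each chosen at random
CANDIDATES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("10 random printable ASCII chars", 95, 10),
    ("3 random words", WORDLIST_SIZE, 3),
    ("4 random words", WORDLIST_SIZE, 4),
]

def keyspace(symbols, length):
    """Number of equally likely secrets of this shape."""
    return symbols ** length

def measure_guess_seconds(iterations=PBKDF2_ITERATIONS, samples=3):
    """Best-of-N wall time for one PBKDF2-HMAC-SHA256 derivation on this CPU."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"constructed-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def exhaust_seconds(space, guess_seconds, workers=1):
    """Worst-case time to try every secret; the average case is half of this."""
    return space * guess_seconds / workers

def compare(guess_seconds, workers=1):
    """Return (label, entropy_bits, worst_case_seconds), weakest first."""
    rows = []
    for label, symbols, length in CANDIDATES:
        space = keyspace(symbols, length)
        rows.append((label, math.log2(space),
                     exhaust_seconds(space, guess_seconds, workers)))
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    cost = measure_guess_seconds()
    print(f"one guess costs {cost * 1000:.1f} ms on this machine")
    for label, bits, seconds in compare(cost):
        print(f"{label:34s} {bits:6.1f} bits  {seconds / 86400:.3g} days")
```

Key stretching multiplies every row by the same per-guess cost, so it cannot close the gap between a PIN's keyspace and that of a multi-word password.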

This discussion has been closed.