Enabling / Supporting Rotation of Passwords

It seems like there have been many different requests for some help in managing rotating passwords and it seems like a topic that the team has been loath to address.

Even with strong passwords, there are certain compliance requirements that make password rotation mandatory (e.g. PCI). As much as we would like to not do so, not rotating passwords is not an option. Would be great to have some help from 1Password on this.

On the wishlist would be:
1) A way to flag passwords for rotation and to determine frequency, then remind users as the threshold approaches.
_I know that someone had previously recommended using Smart Folders for this (back in 2015, I think), but that's not an option in 1PW for Teams..._
2) Admin reporting for password rotation and compliance (e.g. John has not updated his AWS password for 242 days, should have been changed after 180 days)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
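A sketch of the two wishlist items above, as an added example and not 1Password code: a per-item rotation interval with a reminder window, an admin report line in the form "John has not updated the AWS password for 242 days", and a keyed fingerprint ledger so that a real password change is distinguished from any other edit to the item. The audit key, the vault snapshot and the ledger dates are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

AUDIT_KEY = b"constructed-audit-key"  # assumption: secret held only by the audit job

def fingerprint(password: str) -> str:  # keyed digest: the ledger stores no passwords or unkeyed hashes
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

def audit(items, ledger, today, warn_days=14):
    """items: (owner, title, password, rotate_after_days or None when not flagged).
    ledger: (owner, title) -> (fingerprint, date of last confirmed rotation), updated in place.
    A changed fingerprint confirms a rotation; an unchanged one means an edit left the password alone."""
    findings = []
    for owner, title, password, limit in items:
        if limit is None:
            continue
        key, fp = (owner, title), fingerprint(password)
        last_fp, last_date = ledger.get(key, (None, today))
        if fp != last_fp:  # new or changed password: the clock restarts today
            ledger[key] = (fp, today)
            findings.append((owner, title, "rotated", 0, limit))
            continue
        age = (today - last_date).days
        status = "overdue" if age > limit else "due-soon" if age > limit - warn_days else "ok"
        findings.append((owner, title, status, age, limit))
    return findings

def describe(finding):
    owner, title, status, age, limit = finding
    if status == "overdue":
        return f"{owner} has not updated the {title} password for {age} days, should have been changed after {limit} days"
    return f"{owner}/{title}: {status} ({age} of {limit} days)"

def sample_report(today=date(2018, 12, 1)):
    """Constructed vault snapshot and ledger (not real data); returns the audit findings."""
    items = [
        ("John", "AWS", "hunter2-but-longer", 180),
        ("Jane", "VPN", "correct-horse-battery", 180),
        ("Bob", "Wiki", "staple-gun-42", 90),        # notes edited, password untouched
        ("Alice", "GitHub", "brand-new-secret", 90),  # password changed since last audit
        ("Alice", "Lunch menu", "whatever", None),    # not flagged for rotation
    ]
    ledger = {
        ("John", "AWS"): (fingerprint("hunter2-but-longer"), today - timedelta(days=242)),
        ("Jane", "VPN"): (fingerprint("correct-horse-battery"), today - timedelta(days=170)),
        ("Bob", "Wiki"): (fingerprint("staple-gun-42"), today - timedelta(days=30)),
        ("Alice", "GitHub"): (fingerprint("old-secret"), today - timedelta(days=100)),
    }
    return audit(items, ledger, today)
```

On a first run the ledger is empty, so every flagged item is reported as "rotated" and the baseline is recorded; real findings start with the second run.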

Comments

  • brentybrenty

    Team Member

    @mz_admin: Thanks for reaching out! Indeed, with even NIST recommending against changing passwords based on moon cycles anymore (government bodies are not known for being nimble), I agree with you that this is a bit silly. But you're right that there may be things that 1Password can help with here. Smart Folders do not exist in 1Password.com because they're a macOS feature, so while we definitely want something like "saved searches" which can be used across all platforms, we'll have to build that ourselves from scratch. It's helpful to know that's something you'd like as well. Regarding reporting, we've been slowly building our auditing features over time, so perhaps in the future we can find a way to allow admins to audit password changes. The tough thing is that someone could just make a minor edit to a login in 1Password, and there's no way you or we would know if they actually updated it. But it's an interesting idea, and good to know that might be something you'd be interested in. Unfortunately the biggest impediment to all of this (other than the obviously ill-conceived make-work idea of changing passwords that are not compromised) is that you'll ultimately still be relying on the user to follow through with recommendations/requirements. I'm not sure there's a solution to that part of it. Maybe RFID-controlled shock collars? Thank you for bringing this up! :)

  • Chiming in here to say that this is definitely a feature that would be helpful. LastPass is already doing this, it seems to be a differentiating factor in discussions with folks looking to adopt password managers.

  • brentybrenty

    Team Member
    edited December 2018

    Certainly some people ask for this feature. But we tend to shy away from "security theater", and changing a password when it is not weak, reused, or compromised is just that. Generating a new long, strong, unique password offers no benefit over the one it's replacing -- as well as being a waste of time for all involved. Certainly it's something we can consider, and there can be features worth copying; but I don't think we want to copy everything our competitors do, and this is just one example.

  • Support your users and their goals. People have policies to comply with, plain and simple.

    I understand that 1Password can't know for a fact that the password changed, but that's not 1Password's job. Its job is to empower me and my organization to manage our passwords. If employees aren't complying with our internal policies and gaming the system, that's a whole other issue for us to deal with.

  • BenBen AWS Team

    Team Member

    That's a reasonable point @s2Tg4kGRQ92oUjmPioY. Thanks for your feedback here. I think it is worth asking administration to review any such policies compared with current industry recommendations. I understand these things tend to happen slowly, and proprietary systems that have such requirements built-in may change even slower. So I do understand the demand for this sort of thing. I think the bigger difficulty than that, for us, is just a matter of prioritizing limited development resources. We have not seen a great volume of requests for such a feature, and it would be non-trivial to build and test. That certainly isn't to say that we wouldn't consider doing it anyway, but we do have a number of other irons in the fire that would need to be sorted first.

    Thanks again for chiming in here; perhaps this is something we can consider for the future.

    Ben

  • I think it is worth asking administration to review any such policies compared with current industry recommendations

    Current industry recommendations for all companies with a security posture are to rotate their keys. You go on to point out just how hard that can be, especially when legal stakeholders are involved.

    We have not seen a great volume of requests for such a feature...

    I'm surprised to learn that your company has no interest in being an industry leader.


    This kind of response to what is becoming a more frequent requirement of serious security teams is deeply disappointing. I hope your team chooses to reconsider. For now we will have to go with another solution.

  • BenBen AWS Team

    Team Member

    Current industry recommendations for all companies with a security posture are to rotate their keys.

    Not according to the National Institute of Standards and Technology (NIST):

    NIST’s new password rules – what you need to know – Naked Security

    (3rd party article from Sophos)

    Specifically:

    The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

    Ben
