May we have a setting to create a reminder for changing our password

StormXI
edited March 2018 in Lounge

Hi team !

It's probably a feature request.

I would like to know: is there any option for setting up a reminder to change my password after x days (based on a setting)?

A use case here:

  • I'm using a web site
  • I set up this Login to remind me to change my password after 3 months.
  • When I use the Chrome extension, for example, I would like a "Password Expired" message to notify me to change my password if the last update of my password was more than 3 months ago.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:May we have a setting to remind us to change our password (base on last password update) ?

Comments

  • Lars, Junior Member

    Team Member
    edited March 2018

    @StormXI - hey there! :) No, no built-in mechanism for changing passwords after X days. The main reason for that is that we actually don't recommend people change passwords for no reason other than a certain amount of time has passed, as long as:

    1. the password is already long and strong (preferably chosen randomly by 1Password's password generator)
    2. you have no reason to suspect it has been breached (so, no disclosures from the company, and none of your own "oopsies")

    We've seen people use calendar functionality to set up password-change reminders, but the functionality doesn't exist - nor (if I'm being honest) is it likely to in 1Password anytime soon.

  • @Lars - Hi !

    I can understand that we must have a long and strong password, but it's always crackable by brute force; it's just a question of time!

    I'm already using the 1Password generator and it's perfect for generating strong passwords.
    But I think it's a shame not to offer changing your password after x days as an optional setting.

    Actually I'm using another app for that, only for my sensitive logins, but it's like dual management of passwords and I don't want that.
    I think it's not a big-deal feature, but a really nice-to-have.

    Thanks for your response, in the hope that you will change your mind :)

  • brenty

    Team Member
    edited March 2018

    I can understand that we must have a long and strong password, but it's always crackable by brute force; it's just a question of time!

    @StormXI: Sure, but...not on a human timescale unless you're using a strong password that is already known (perhaps reused for another account which was compromised). Otherwise you'd have to be using a fairly weak one for it to be guessed anytime in the foreseeable future.

    I'm already using the 1Password generator and it's perfect for generating strong passwords.
    But I think it's a shame not to offer changing your password after x days as an optional setting.

    I understand that some people want this feature because they are forced into behaviour like that, but the reality is that changing a strong password which has not been compromised offers no security benefit. For example, if my password this month is nv2w4NW7j89043jDy51D, changing it to 5M40Z26hi16rd05rKZK0 next month results in me using an equally long, random, unique password; changing it is only making more work for me.

    Actually I'm using another app for that, only for my sensitive logins, but it's like dual management of passwords and I don't want that. I think it's not a big-deal feature, but a really nice-to-have. Thanks for your response, in the hope that you will change your mind :)

    It's something we'll continue to evaluate, but making security more inconvenient (by encouraging password changes where none are warranted) is a good way to get people to be complacent when it really matters. So right now our focus is on things like Watchtower, so that people can spend time changing passwords where it's actually needed.
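
The "not on a human timescale" claim above can be checked with arithmetic. The following is an added example, not code from the thread or from 1Password: it estimates entropy and average brute-force time for the two generator outputs brenty quotes and for a weak human-chosen string, and computes how much of the keyspace an attacker covers before a 90-day rotation would kick in. The guess rates are illustrative assumptions, and the model assumes the password is uniformly random, which holds for a generator's output but not for a string like "password123" (a wordlist finds that one in the first few guesses regardless of the numbers below).

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Attacker models and their guess rates (guesses per second). These figures are
# assumptions chosen for illustration, not measurements from the thread.
GUESS_RATES = {
    "online, rate-limited login form": 1e2,
    "offline, slow hash (bcrypt), single GPU": 1e5,
    "offline, fast unsalted hash, GPU cluster": 1e12,
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, inferred from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def keyspace(password: str) -> int:
    """Number of candidate strings of this length over this alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy in bits, assuming each character was drawn uniformly at random
    (true for a generator's output; false for human-chosen strings)."""
    return len(password) * math.log2(charset_size(password))


def expected_years_to_crack(password: str, guesses_per_second: float) -> float:
    """Average-case brute-force time: half the keyspace at the given rate."""
    return keyspace(password) / 2 / guesses_per_second / SECONDS_PER_YEAR


def fraction_searched(password: str, guesses_per_second: float, days: float) -> float:
    """Share of the keyspace covered before a rotation after `days`, i.e. the
    probability that a random password is guessed before the scheduled change."""
    return min(1.0, guesses_per_second * days * 86400 / keyspace(password))


if __name__ == "__main__":
    # The two generator outputs quoted in the thread, plus a weak human-chosen one.
    for pw in ("nv2w4NW7j89043jDy51D", "5M40Z26hi16rd05rKZK0", "password123"):
        print(f"{pw}: {entropy_bits(pw):.1f} bits")
        for model, rate in GUESS_RATES.items():
            print(f"  {model:42s} {expected_years_to_crack(pw, rate):.3g} years; "
                  f"a 90-day rotation pre-empts {fraction_searched(pw, rate, 90):.2e} of the keyspace")
```

For the 20-character alphanumeric passwords the result is on the order of 10^16 years even at a trillion guesses per second, and a 90-day rotation pre-empts roughly 10^-17 of the keyspace, which is why rotating an uncompromised generated password changes nothing the attacker cares about. The same code puts the 11-character weak string at well under a day for an offline attack, and the rotation fraction saturates at 1.0: the attacker finishes the whole keyspace long before the rotation date.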

  • Lars, Junior Member

    Team Member

    @StormXI - The original reason experts, including NIST, recommended frequent password changes developed in an age when both the average computer and the average password were much less complex and powerful. Back in the day when people were using "I love my dog" or "password123" regularly for their passwords and computers were much less powerful than they are today, it was estimated that it took the average computer about 90 days to crack the average password...because the passwords used were in general even weaker than the computer systems of the day.

    Today, we have strong, random password generators like the one available to you within 1Password, and things are much different. Most passwords are not brute-forced, they are stolen, meaning the time required to "crack" your password hasn't just gone down as computing power has increased, like from 90 days to 30 days or something, they've gone from an estimated 90 days to effectively zero (however long it takes to paste in the stolen password). If you changed your password two weeks ago and it's stolen from the site in question today, hackers aren't going to be polite and wait until your next password change.

    That's why last June, NIST issued Special Publication 800-63-3: Digital Authentication Guidelines, which rescinded their previous publication from decades ago that advocated frequent password changes. That brings them in line with what noted security experts like Bruce Schneier have been saying for years.

    The security landscape is always shifting, but encouraging or facilitating password changes on an arbitrary schedule is a relic of the past that I doubt we'll be revisiting.

  • @brenty and @Lars Thanks for this information and feedback. I guess I have an old-school mind :(
    Well, I will consider not changing my passwords when I don't need to. :)

  • Lars, Junior Member

    Team Member

    @StormXI - Cheers. Sorry if I sounded strident, but our usual default is to take very seriously the wishes of our users. The only real exception to that is if we feel a particular direction is inadvisable from a security standpoint; then we try not to give false hope that we might consider the idea, and we try to explain why. In this case, it used to be recommended practice to change passwords regularly; now, not so much. I'm not so much disagreeing with you as I am trying to explain why we don't pursue this option, for both you and anyone else who happens across this thread. Thanks! :)

  • Well, there are Businesses which have the requirement that passwords be changed every 90 days. So it's a valid feature requirement. We are just bound by Businesses and their security requirements to change them no matter how strong the password is.

  • I have experienced what @sangadi mentions, but in my case those companies also spammed me (sending multiple email reminders in advance) that I should update my password (in x days).

  • brenty

    Team Member

    Good points. Certainly there are companies that require that, just like some allow only short numeric passwords (A.K.A. PIN codes). We need to consider that anything we do in 1Password essentially amounts to an endorsement in users' minds.

  • @brenty thanks for the comment. For a business use case it's very essential. I do hope that 1Password implements this as an Option for users needing it.

  • Ben, AWS Team

    Team Member

    Thanks for the feedback @sangadi. :)

    Ben

  • I'd have to disagree on the experts' opinion. In many systems nowadays changing your password triggers mechanisms like logging you out of any device that is connected to the account. So let's say someone has logged into your account without you getting notified; when you change your password you would log them out, and since it's a different password they would have no access.

    My actual use case is systems that disable your account. The most popular Bulgarian mailbox is abv.bg and they will disable your account and delete all of your information if you haven't logged into your account for 6 months. Would love to use reminders to prevent that.
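
Two deadline-driven use cases appear in this thread: an employer policy that forces a password change every 90 days (sangadi's post) and a provider that deletes an account after six months without a login (the abv.bg case above). The following is an added example, not code from the thread or from 1Password, showing what such a reminder check looks like when written outside the password manager, over a constructed sample vault. Item fields, policy parameters and dates are all assumptions for illustration; a real version would read them from an export of the vault.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Item:
    title: str
    last_password_change: date
    last_login: date
    rotation_days: Optional[int] = None    # imposed by a site or employer; None = no rotation required
    inactivity_days: Optional[int] = None  # provider disables the account after this many idle days; None = never


def due_dates(item: Item) -> List[Tuple[str, date]]:
    """Every deadline this item carries, paired with the reason a reminder would give."""
    out = []
    if item.rotation_days is not None:
        out.append(("rotate password (policy)",
                    item.last_password_change + timedelta(days=item.rotation_days)))
    if item.inactivity_days is not None:
        out.append(("log in to keep the account alive",
                    item.last_login + timedelta(days=item.inactivity_days)))
    return out


def reminders(items: List[Item], today: date, lead_days: int = 14) -> List[Tuple[str, str, int]]:
    """(title, reason, days_left) for every deadline within lead_days or already missed,
    most urgent first. A negative days_left means the deadline has passed."""
    hits = []
    for item in items:
        for reason, due in due_dates(item):
            days_left = (due - today).days
            if days_left <= lead_days:
                hits.append((item.title, reason, days_left))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample vault for the example; not real accounts or dates.
SAMPLE_ITEMS = [
    Item("Corporate VPN", last_password_change=date(2017, 12, 20),
         last_login=date(2018, 3, 14), rotation_days=90),
    Item("abv.bg mailbox", last_password_change=date(2016, 5, 1),
         last_login=date(2017, 9, 1), inactivity_days=180),
    Item("Personal bank", last_password_change=date(2016, 1, 10),
         last_login=date(2018, 3, 1)),  # strong generated password, no policy: never nags
]


if __name__ == "__main__":
    for title, reason, days_left in reminders(SAMPLE_ITEMS, today=date(2018, 3, 15)):
        state = f"overdue by {-days_left} days" if days_left < 0 else f"due in {days_left} days"
        print(f"{title}: {reason} ({state})")
```

Run against the sample data on 2018-03-15, the check reports the abv.bg mailbox as 15 days past its inactivity deadline and the corporate VPN password as due in 5 days, and stays silent about the bank login, which has no externally imposed deadline. Keeping the policy on the item, rather than applying one global interval, is what lets the same check serve the compliance case without nagging about passwords that have no reason to change.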

  • Ben, AWS Team

    Team Member

    It seems there are plenty of reminder / to-do apps, including the free one built into macOS and iOS ("Reminders"), that could handle this sort of situation. There is a concern with any software project of the app becoming "bloated" and ending up being a "jack of all trades, master of none." We would like to avoid that sort of situation with 1Password. That isn't to say we're dismissing this idea, but it definitely requires more thought, and isn't something we'll be tackling in the immediate future.

    Ben
