Automatic password changing

macdds48

Are there any plans for automatic changing of passwords like a couple of other password apps do?


1Password Version: 6.8.7
Extension Version: Not Provided
OS Version: 10.13.4
Sync Type: iCloud
Referrer: forum-search:Are there any plans for automatic changing of passwords like a couple of other password apps do?

Comments

  • Lars Junior Member

    Team Member

    @Macdds48 - plans? Nothing currently in the works, if that's what you mean. It's certainly a feature with a lot of "wow factor," but let me give you a bit of a peek into our thinking and why we haven't pursued it as of yet.

    First of all, for any feature request or improvement, we try to look at it from a number of angles: how many users want this? How many would it affect? How much developer time would it require? What are the CS (customer support) ramifications (if any)? Are there likely to be other drawbacks of doing this? Are there any security implications? Do WE think it's a good idea? You get the idea. It's not an exact science, and those are just examples - there's no hard-and-fast checklist or formula for these things.

    There's no doubt at all that being able to open your password manager, click "change password" on your Google or Facebook login item, and have the password manager change the data not only within itself but at the site as well is very cool. But here's the thing about it: if you're aware of this feature, then you'll probably also have noticed that where this feature is offered, only the top most-popular/well-traveled sites are supported (more on why that's the case in a minute). You can auto-change your Facebook or Google password, for example. But how often do you change your Google password, realistically? If you're like most of us, not very often. In fact, changing a password for a saved login is something we actually recommend against if your password for a site is a) unique, b) strong, and c) you have no reason to suspect it's been part of a breach of exposed/stolen credentials. If you're following good password management practices already, then you meet these criteria, which means the only time you'd need to change a password is if it was inadvertently disclosed by you to someone OR the site in question was the victim of a breach.

    And if you're a member of a regional credit union or have an account at http://picturesofmycutecat.com/ (or some other less-popular sites) that you need to change the password for, these sites typically aren't supported by the "auto-password-change" feature. Why not? Because, for every site that IS able to be changed with a single click, an individual recipe has to be created. No two sites are alike in what they require for you to change a password (and even though there are similarities, the URLs are obviously different from site to site). So for every supported site, some developer somewhere had to create a script or template - and test it to make sure it works - for changing the password at that specific site.

    What that means is that the feature will always either be limited in scope to maybe the few hundred largest websites, or it will require an ever-increasing number of such "recipes" to be able to expand the feature to include all sites. As you might imagine, that would get to be quite a large number of sites, quickly. Password managers already have to sometimes write specific formulas just to allow you to properly sign into some sites that use unusual or restrictive login forms; having to maintain not just that but also a working "change password" template for each and every site effectively doubles the amount of work required.

    Worse, whenever a site changes (sometimes even just a little) their URL structure or how their Change Password workflow functions, that old "auto-change-password" recipe may no longer work, potentially leaving you with a password you think is changed...but isn't, because the mechanism failed due to changes at the website that the developer hasn't learned of or maybe just hasn't had the time to update yet. In a worst-case scenario, users might become locked out of their own accounts at various sites because the "recipe" changed the password in the manager, but not actually at the site. You get the idea.

    So, long story short, we did indeed look into developing such a feature, but ultimately decided (at the time) not to pursue it, when we realized that:

    1. Although this is indeed a "gee-whiz" feature, unless any developer offering it wants to commit to making it available for every site, it will always be limited to a handful of the most-popular sites.
    2. Most users shouldn't need to change their passwords often at larger and more-popular sites because most of those very same larger, better-traveled websites such as Google or Facebook also have the in-house ability to provide you with some of the best security (meaning less likelihood of hacks and thus the need to change passwords).
    3. The mechanism 1Password already provides to change passwords is tried, true, doesn't require unusual amounts of time or effort from users and gives them full insight into the process (instead of a "magic" button), and
    4. The amount of work required to set up and maintain such a feature -- even limiting it to just a handful of best-traveled sites -- can be much better spent elsewhere, bringing our users genuinely useful new features like incorporating the ability to instantly check your passwords to see if they've been part of a breach or otherwise stolen, or 1Password gift cards (so you can more easily get recalcitrant relatives or people without credit cards on board with good password management), or increasing the speed and power of 1Password.com’s backend, or being the first password manager, ready from day one, to incorporate the iPhone X’s Face ID, or...you get the idea.

    We love our developers, but as awesome as they are, they can't work 24/7. So, because of limited developer-hours, we're quite aware that everything we say "yes" to having them do means there will be other things we have to say "no" to doing. So we choose carefully the projects to pursue based on what will provide the most security and value in terms of functionality, for our users. :)

  • Lars Junior Member

    Team Member
    edited March 2018

    Oh, and one last thing (and it's the biggest thing of all): I mentioned early on in my post that one of the things we ask ourselves when considering new features is "are there any security implications." Turns out, with this feature, there are!

    Think about it: if you need a password changed at a site, what's the one thing you must enter into the site's Change Password page in order to proceed? Your current password. When you change a site's password using 1Password, you have to copy and paste your current password from 1Password into that Change Password page at the site, but at no time do you reveal or share your unencrypted password for the site with us (AgileBits). It remains encrypted in your 1Password vault until you copy/paste it into the website itself.

    But using a one-touch "change password" button inside an app? Well, someone has to inform the site in question that you want to change passwords, and to do it they have to provide your current password. So, if you're not entering your current password into their Change Password page, who is? The app's servers: every site you use this feature to change the password for, you're forced to send the app developer's servers your plaintext password for that site, AND the new password you want to change to.

    I'm sure I don't need to explain why that's insecure, but it brings me to perhaps the most important principle of all (and yes, I promise, the last one 😉). One of the things we've always taken pains to do with our privacy model - from the very early days on through Agile Keychain and OPVault right up to today's 1password.com servers - is make sure that you, the 1Password user, don't have to just trust that we're not misusing your data. We make it so your data is as secure as it can be from everyone, including us. We never have your encryption keys nor the secrets with which to derive them (your Master Password and Secret Key), and we don't know what the contents of your data are. We don't know your passwords. Asking for your plaintext password for every site you want to change passwords on just violates the spirit of that trust we have with our customers: that we don't know your secrets.

  • roustem AgileBits Founder

    Team Member

    @macdds48, "other passwords apps" send your plaintext unencrypted password to their servers to perform password change. This is something that we will never do.

  • It makes perfect sense, Roustem and Lars. I appreciate your enlightenment and position. Just another one of those shiny objects.

  • brenty

    Team Member

    To be clear, we'd love to be able to do something like this in the future, but only if we can do so while maintaining our customers' (and our own as 1Password users!) security (by not knowing passwords) and privacy (by not knowing where people have accounts). Perhaps in the future we can find a way to do just that. Thanks for bringing this up! :)

  • @brenty @roustem @Lars - I just wanted to say "thank you".

    I saw this feature from Wirecutter's Best Password Manager List for LastPass and I thought "I wonder if 1Password does this?".

    Sure enough, I stumbled upon this thread. It reassures me knowing that you guys/gals have the best interest of users in mind and maintain your virtues as a security company. I can only imagine that the auto change password feature was a request by a product manager at LastPass and the engineers likely protested but the PM won because it would be a good feature to sell to consumers.

    After reading the very good arguments by @Lars and others, I get that doing this type of feature half-baked (as LastPass has done) is not really worth it.

  • brenty

    Team Member

    @senoroink: Wow. Thank you for taking the time to reach out, and for the kind words! All things being equal, it is a really cool feature, and one we'd really like ourselves. As tech people, we're fascinated with this stuff. But since all things are not equal, and there's a very real need for security and privacy not just in 1Password but in general in this day and age (I think probably all of us have been affected by data breaches of some kind...), we're extra cautious about what we know about our customers. Part of this is, admittedly, selfish: as users, we don't like companies knowing our browsing habits either; and also cowardly: we don't ever want to be in a position where we're apologizing to our customers for misusing or misplacing information about them. So I think we can all be happy about that. But I think if we can find a technological solution that doesn't involve those kinds of compromises, we could all be happy with that too. :)

  • Nicolinix
    edited October 2018

    Would love to see an automatic password changer too.

  • Ben AWS Team

    Team Member

    Thanks @Nicolinix. :)

    Ben

  • I'm a little confused on the security angle here - how is loading the password change webpage of a website and entering the old and new passwords into a form different than loading the regular login page of the website and then entering your current login info (username and password) with the 1Password browser extension? Seems to me all that is needed is to load data into forms and hit a "submit" button in both cases, though I can see how each webpage's forms may be different and thus require a prohibitive amount of developer time to support many websites. I just don't see how it can't be done securely.

  • brenty

    Team Member
    edited October 2018

    @fauldsand: I'm not sure what you're asking. The discussion above is specifically about why 1Password does not automatically change passwords, and that we're not going to introduce a feature like that unless we can do so in such a way that it does not infringe on 1Password users' (including ourselves) privacy and security, and also it needs to meet a certain standard as far as reliability. Having a list of a few dozen websites where a feature is available means everyone is out of luck with the other billions of websites out there.

    More to the point regarding your comments about "how it can't be done securely": in order for other apps to do this, the developer is acting as a middle man so that they can interact with the website on the user's behalf to change the password, since there is no standard way to do this. Websites change, so having logic for this built into the app would be problematic. If the app version you have knows how to change a password on Amazon's website today, but they change that process tomorrow, and you tried to do your password change using the app next week, at best your attempt would fail, and at worst you could get locked out of your account. Handling that "in the cloud" would be a good solution to that problem, but then the server would know 1) your existing password, 2) the new password, and 3) the website you're going to. That's why this isn't something we offer currently, along with the fact that a feature that only works at a fraction of a percent of the sites people interact with on a daily basis is arguably not much of a feature. I hope that helps clarify.

    ref: apple-2397

  • @brenty
    Ah I understand now. Thanks for clarifying! My point was that it would be possible (not saying it would be good design) to implement the logic inside the app and thus avoid sending your passwords to the server. But I see how that could lead to the feature breaking easily due to websites changing, and it also doesn’t solve the problem that each website will be different and might need different logic to navigate the page and fill the form.

    I searched around last night after reading this forum and found LastPass’s explanation of this feature (https://helpdesk.lastpass.com/generating-a-password/). Obviously I don’t know exactly how it works, but the article claims the feature has “security as its top priority” and “changes happen locally on your machine”. There’s a small list of supported websites, it looks like around 30. I couldn’t find any more details.

    I also agree with your point that this feature doesn’t give users a lot of bang for your buck - we need to input passwords every day, but change passwords rarely. I started looking to see if 1Password had this feature after finding some of my account breaches on haveibeenpwned.com and seeing some weak passwords noted in Watchtower. But changing them in that case is a 1-time thing and I’d much rather have an easy and seamless password-entering experience since that’s what I’m using 1Password for 99% of the time.

    Appreciate your team’s focus on privacy and security! Keep up the good work.

  • brenty

    Team Member

    > Ah I understand now. Thanks for clarifying! My point was that it would be possible (not saying it would be good design) to implement the logic inside the app and thus avoid sending your passwords to the server. But I see how that could lead to the feature breaking easily due to websites changing, and it also doesn’t solve the problem that each website will be different and might need different logic to navigate the page and fill the form.

    @fauldsand: Totally. We try to avoid site-specific hacks for login filling too, since it means that we need to push out an update and a user has to install it in order to get the fix, but sometimes it is necessary. For login filling, that can be a confusing inconvenience. But for a password change, us getting it wrong, or getting it right and the user not being up to date, could be pretty disastrous — like for a bank account or something. So we really need to be careful.

    > I searched around last night after reading this forum and found LastPass’s explanation of this feature (https://helpdesk.lastpass.com/generating-a-password/). Obviously I don’t know exactly how it works, but the article claims the feature has “security as its top priority” and “changes happen locally on your machine”. There’s a small list of supported websites, it looks like around 30. I couldn’t find any more details.

    Yeah, it's a hard problem. I have no doubt that they're using the best security they can. We would and could too. The problem is that that means being in a position where a bug could result in user data being exposed, logged, or just a rogue employee could access it. So our policy is to simply never have user data in the first place. Even when we host people's 1Password.com accounts on our server, we're only receiving data which was encrypted locally on their devices before being sent to us, and the "keys" to decrypt it are never sent to us. That's the only way we can be sure that an attacker can't steal people's passwords, or URLs to the sites they frequent.

    > I also agree with your point that this feature doesn’t give users a lot of bang for your buck - we need to input passwords every day, but change passwords rarely. I started looking to see if 1Password had this feature after finding some of my account breaches on haveibeenpwned.com and seeing some weak passwords noted in Watchtower. But changing them in that case is a 1-time thing and I’d much rather have an easy and seamless password-entering experience since that’s what I’m using 1Password for 99% of the time.

    Definitely, but we'd still really like to make password changes seamless if we can in the future too. Thanks for sharing your desire for this. I think it's important that we prioritize login filling, but if we can do both well in the future everybody wins. :)

    > Appreciate your team’s focus on privacy and security! Keep up the good work.

    Likewise, thanks for your support, and the kind words! It isn't every day that people say nice things about us after we say "no" to a feature request. But I guess it's not a hard "no". More of a "someday maybe", if we can do it right. Cheers! :chuffed:

  • frankoc

    First off, I love the feedback from the 1Password team, the in-depth thoughts around the idea, and the "Security is Job 1" mentality of the program. I've been using 1Password for the last 5 years; great to hear you really take this as seriously and thoroughly as you do!

    One possible idea how you could do it securely (with the 1Password desktop version in mind):
    Just like the 1Password iOS app has the built-in 1Browser, could you visit the website in question by running a browser session within 1Password, whereby it could securely log into the site (using the website, username, and password provided by the user for that Login entry) and visit the site within your own browser session. It's like what 1Password does today by opening the site, pasting the credentials, and logging in...just the browser session is hidden from the user.

    Once you get that far, however, then I can see it getting really tricky to determine "Where to next?" to actually go and change the password.

    Perhaps this could be user-led at this point, where the session is visible to the user in a tabbed window within 1Password; the user has to go into the site's settings and find the "Change Password" section, but once there 1Password can take back over and enter in the existing and new passwords (x2 for the new one in most instances).

    Granted, this isn't 100% automated, but gets the user there a bit faster and all of the vault decrypting and credential passing is done on the user's local machine.

    Just a thought, feel free to critique; I enjoy the thought experiments. :)

  • brenty

    Team Member

    @frankoc: Thanks for the kind words and encouragement! Indeed, the hard part for password changes is often the where/how (not just for 1Password, but for users!) as all websites are set up differently. It sounds like what you're talking about might be called "recipes" baked into the 1Password apps so it can know how to do this for specific websites locally. The challenge is that means any time a website changes and breaks this process for 1Password, we'll need to fix it and ship an update for it to work again, and of course the user will only benefit once they've installed the update. And that's just for one website. So it doesn't scale well, that approach. It would be slightly more efficient if all of this stuff was done "in the cloud" (as far as "distribution", though we'd still need to do the work to support individual sites...), so that no update to the apps is required; but of course that's where you run into privacy concerns. I'm really hoping some standardization takes off for password changes, as that would solve a lot of these problems -- both for individuals just wanting to change their passwords themselves, and for software being able to help automate it. Cheers! :)
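The standardization the post above hopes for exists in one form: the `/.well-known/change-password` well-known URL (a W3C community-group specification), under which a site redirects to its own change-password page, so a password manager can find that page locally, with no per-site recipe and no middle-man server that would have to see the old and new passwords. The script below is an added example written for this thread, not code from 1Password or from any forum participant. It runs a small constructed demo site on localhost to stand in for a real origin; the redirect target `/account/security/password` and the catch-all second site are constructed for the demo. The "resource that should not exist" path is the sanity check the specification suggests for servers that answer 200 to every URL; the discovery function returns `None` rather than trusting such a server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

# Well-known path a site uses to point at its own change-password page.
WELL_KNOWN = "/.well-known/change-password"
# Sanity-check path from the spec: a well-behaved server must NOT answer 200 here.
NOT_EXIST = "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"
REDIRECTS = (301, 302, 303, 307, 308)


def _fetch_status(origin, path):
    """GET one path on the origin without following redirects; return (status, Location)."""
    u = urlparse(origin)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def discover_change_password_url(origin):
    """Resolve the site's change-password page purely client-side.

    Only the site itself is contacted: no credentials leave the client, and no
    third-party service learns which site the user has an account at.
    Returns the page URL, or None when the site does not support the well-known URL.
    """
    status, location = _fetch_status(origin, WELL_KNOWN)
    if status in REDIRECTS and location:
        target = urljoin(origin + WELL_KNOWN, location)
    elif status == 200:
        target = origin + WELL_KNOWN
    else:
        return None
    # Reject servers that return 200 for everything: their "support" is an illusion.
    check_status, _ = _fetch_status(origin, NOT_EXIST)
    if check_status == 200:
        return None
    return target


class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a site that implements the well-known URL."""

    def do_GET(self):
        if self.path == WELL_KNOWN:
            self.send_response(302)
            self.send_header("Location", "/account/security/password")  # constructed target
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class CatchAllSite(DemoSite):
    """Constructed stand-in for a misconfigured site that answers 200 to any path."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()


def start_site(handler):
    """Start a handler on an ephemeral localhost port; return (server, origin)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def stop_site(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    server, origin = start_site(DemoSite)
    print("well-behaved site ->", discover_change_password_url(origin))
    stop_site(server)
    server, origin = start_site(CatchAllSite)
    print("catch-all site   ->", discover_change_password_url(origin))
    stop_site(server)
```

Against a real HTTPS origin the same function works unchanged; the two constructed handlers only exist so the example runs offline. The interesting part for this thread is what the function never does: it never sends the current or new password anywhere, and it never tells a third party which site is being visited.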
