This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Suggestion: Change master password should enforce a non-blank new password

As the title says, the change master password should enforce a non-blank new password (or at least warn about it). This happened to me by mistake when I pressed the Enter key without entering a new password. The second time around, I had a hard time figuring out why my (now old) master password does not work anymore.

Comments

  • khad
    Social Choreographer
    Hi Harry Warrior,



    Welcome to the forums! :-)



    I have not had total confirmation, but I do believe this is a feature that some users demand/require. I can't begin to explain it on their behalf (perhaps someone else will pipe up), but it is certainly not a wise master password choice from a security standpoint.



    If you are not using Dropbox and your data file is only stored on one machine with FileVault enabled, I suppose it could be a secure solution. It certainly would be convenient, but having a strong master password with "Never prompt for master password" enabled would be a better idea in my mind.



    That method is even more convenient since one would not need to even press RETURN at a password prompt. At the same time it is more secure as the data file has a password, but the password is stored encrypted in the OS X keychain.



    I will discuss this with the developers.



    Thanks!
  • Sorry you misread my suggestion. I am not asking for the ability to set a blank master password. I was saying the "Change master password" screen does not prevent me from setting an empty master password by accident. I meant it should enforce a non-blank password (or at least pop up a warning).



    I had a panic moment for a couple of minutes before I realized what had happened.



  • I can explain the exact sequence.



    I navigated my way to the "Change master passwd" screen, entered my current password and switched windows to another app. I got back and accidentally pressed the Enter key without actually filling in a new password. Some message popped up, but I accidentally took it to mean one of those "password can't be empty" messages. Obviously, all later attempts to repeat the sequence failed with an incorrect-current-password message (because I kept entering my original non-blank password). Once I realized what had happened, it was easy to recover.



  • khad
    Social Choreographer
    edited September 2010
    Sorry if I was not clear myself, but I definitely understood you the first time. :-)



    I was just playing devil's advocate with regard to why the "feature" may exist and looking at it from both sides. I have passed this along to the developers on your behalf as I — like you — do not think it is actually by design. We already prevent this in the iOS apps, so I can't imagine intentionally allowing this in 1Password for Mac.



    Thanks for bringing it to our attention!