This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

SUGGESTIONS - Prompt to change password

arw Junior Member
1P can prompt user review of passwords periodically

New feature ideas: I would like 1P to help me with:



[list=1]



[*]Over time (years), my 1P database becomes full of websites/passwords that I've used once or don't need any more. It'd be great if once in a while (day, week, month, quarter, etc.) 1P would present those entries which are coming up on their "anniversary" for user review - keep/delete. I don't want too many at once so it doesn't get overwhelming.

[*]Good practice suggests that I should change/generate new passwords periodically. Again, perhaps 1P can generate one for me for those whose anniversaries are coming up and prompt me to say "do you want me to change password from x to y"?

[*]ID theft recovery support: If, for some reason, I need to change all the passwords, perhaps there's a way that 1P can make it easy for me by stepping me through all the entries. This is needed if laptops get stolen, master password gets compromised, etc. and things were not properly secured in the first place.

[*]For that matter, 1P should prompt change of master password from time to time.

[/list]



Tony

Comments

  • jpgoldberg Agile Customer Care
    Hi Tony,



    Welcome to the forums!



    You have some great ideas for features. I'd like to discuss the fourth one first.



    [quote name='arw' timestamp='1302023382' post='24002']

    For that matter, 1P should prompt change of master password from time to time.

    [/quote]



    The reasons that people recommend periodic password changes don't apply to your 1Password master password. If you have a unique master password that isn't stored insecurely some place (like on a Post-It under your keyboard) then you should never change your 1Password master password. Indeed, like passwords for other high security systems (e.g., PGP or SSH private keys), a case can be made that changing your password potentially weakens your security. So pick a good master password and keep it for life.





    [quote]

    Over time (years), my 1P database becomes full of websites/passwords that I've used once or don't need any more. It'd be great if once in a while (day, week, month, quarter, etc.) 1P would present those entries which are coming up on their "anniversary" for user review - keep/delete. I don't want too many at once so it doesn't get overwhelming.

    [/quote]



    Every now and then, I go through a bit of tidying like this. I have a folder that I call "Defunct Accounts". At the moment 1Password does not keep track of the last time a Login was used, but you can sort things by "Modify date" to at least get some idea of when the item was last updated. I normally use 1Password in its default "Shelves" layout, but when I go for one of my tidying sessions, I switch to "Traditional" layout. You can do this with View > Layout from the 1Password menubar.



    You can sort things in any layout, but I find it easier to see things together in the Traditional layout.



    What is probably more useful is to sort your items by password strength. This way when you go through some tidying, you can start with things that have the weakest passwords. Please take a look at a blog posting we have with tips about this.



    http://blog.agile.ws/easily-find-duplicate-passwords-in-your-logins/



    [quote]

    Good practice suggests that I should change/generate new passwords periodically. Again, perhaps 1P can generate one for me for those whose anniversaries are coming up and prompt me to say "do you want me to change password from x to y"?[/quote]



    The reasons for recommending password changes are largely obviated by using strong, unique passwords for each site. That is, passwords are typically captured because of password reuse. If you never use the same password in two places, then this really reduces the chances of bad guys getting at your passwords.



    So again, take a look at that [url="http://blog.agile.ws/easily-find-duplicate-passwords-in-your-logins/"]blog post[/url]. Don't try to do it all at one sitting if you have a long history of imported passwords. And of course remember that when you change a password you need both 1Password and the website to know about the change. So take a look at http://help.agile.ws/1Password3/change_password.html for a guide on updating website passwords with 1Password.





    [quote]ID theft recovery support: If, for some reason, I need to change all the passwords, perhaps there's a way that 1P can make it easy for me by stepping me through all the entries. This is needed if laptops get stolen, master password gets compromised, etc. and things were not properly secured in the first place.[/quote]



    1Password is designed to withstand very sophisticated attacks even if your laptop gets stolen. So you only need to worry about either your master password getting compromised or "things not properly secured in the first place".



    This is why it is so important to pick a good master password. Crucially, it shouldn't be ever used for anything else. As for other less well secured things, if you do gradually go through the password updating process that will reduce the danger of those being discovered by the bad guys.



    I don't want to sound like I'm dismissing your suggestions. You recommend some great ideas about how to improve the actual management of passwords. Suggestions like this have come up before and we certainly are looking at a variety of options. It is good to know that you would value such features.



    Again, thank you for your suggestions. Please continue to share your ideas and participate in our community, Tony.



    Cheers,



    -j