Feature Request: 4-Digit Unlock Code on Mac

smar

<div class="IPBDescription">(was Use Low security level on Mac)</div>Hi Everyone



I'm just trying out 1Password, coming from a combination of LastPass and Keepass, and so far find 1Password's tighter integration is superb. The way I used to work was that I would keep my less important passwords in LastPass, such as forum registrations etc, and use Keepass for my important stuff, such as bank details, credit cards etc.



For LastPass I used a simple short password, and for KeePass a complex phrase.



1Password seems to offer best of both, but one thing I haven't managed to get working fully on the OSX side is how to use the Low Security level (which I have set for my forum registrations). I don't see any option to add an Access code on the MacBook Pro. Each time I want to fill in say a forum registration, I have to put in my very long Master Key, which can be a bit tedious. I realise I can increase the lock timeout on 1Password but this will increase risk of unauthorised access as I frequently work in an open plan office.



From my iPhone however, the simple level security and high level security work great.



Is it even possible to do this on Snow Leopard? If not, can I suggest this as something that would be very useful to have.



Thanks in advance.

khad

Welcome to the forums, smar!



The 4-digit unlock code is only used in 1Password on the iPhone due to the nature of its smaller, virtual keyboard. Many users like yourself find entering a complicated master password in that manner to be troublesome. With a full-size keyboard and better security options on the Mac, we have foregone this. I don't believe we have plans to add this in the future, but we never say "never." <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



In the mean time, might I suggest some possible tips to handle automatic locking on your Mac in such a way that you may say, "Khad, you are a genius! Thank you for suggesting this. I don't even need an unlock code on my Mac any more." (I can hope, right?) <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/laugh.gif' class='bbc_emoticon' alt=':lol:' />



If "Disable automatic unlock for 1Password" is checked (Preferences > Security) you will always be prompted to enter your master password when opening 1Password. This includes quitting the app and relaunching it.



Likewise, if "Disable automatic unlock for all applications" is checked you will always be prompted to enter your master password when using one of the browser extensions after a fresh launch of your browser(s).



So any easy way to keep prying eyes at bay is to leave both of the above settings enabled and quit 1Password and your browsers when you are done using them. Your data will be locked.



Otherwise, you are relying on the auto-lock settings to secure your data which will either lock your data after X minutes of inactivity, when your Mac begins to sleep, or when the screen saver is activated whichever of the selected options comes first.



[i]The auto-lock timeout is measured by computer activity and not 1Password activity. In order for 1Password to automatically lock after X minutes, there must be no mouse or keyboard activity for the entire duration.[/i]



To speed up the auto-lock process you might consider the following.



1. Set an Active Screen Corner for you screen saver and activate the screen saver when stepping away from your Mac (System Preferences > Exposé and Spaces > Exposé > Active Screen Corners).



2. Close the lid of your Mac laptop to put your Mac to sleep.



3. Activate the login window when stepping away from your Mac (System Preferences > Accounts > Login Options > "Show fast user switching menu as…")



The above three options will also secure your entire OS X login if you have enabled "Require password … after sleep or screen saver begins" (System Preferences > Security > General). You are using a good, unique password for your OS X login, aren't you? <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



I hope that helps, if only a bit. We will continue to evaluate the possibility of an unlock code in 1Password for Mac.



Thanks for the feedback!

smar

Thanks for the fast reply Khad! Whilst I won't (yet) go as far as to say "Khad,you're a genius", I will say what superb customer service! I see you're location is LA, and I'm in London, so that means that it is some unearthly hour where you are - don't you guys sleep? <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />



I understand what you're saying, and can see how to keep prying eyes away in a public environment. However, I still think that the multi-level security you have built in into your encryption model is not being effectively utilised on the desktop. I understand that with a keyboard, it is certainly easier to type, but by definition, we should have LONG master keys to increase security. Thus typing this long key in each time is a pain, especially sites that don't really require that level of security - e.g. responding to a forum! I don't know about most users, but certainly from my side, most of my time is spent on such sites. The number of times I need my really secure stuff (e.g. banking details) is far far less than the number of times I need the not so secure passwords.



As you already have the basics in place in your encryption model (i.e. the database is not encrypted against the master key directly etc), I would have hoped that it wouldn't be much more work to add support for multi-level security into the desktop environment. If nothing else, having this as an option for users will then let the user choose how he or she wants to work.



Anyway, I appreciate this sort of thing may be low down on priority list, but if you do manage to incorporate it, I think it would certainly enhance the product, and make it more consistent with the iOS version - I spent some time before checking the iPhone app trying to figure out what the Low Security meant, and how to enter the Access Code on the Mac... And I'm supposed to be quite computer savvy <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />



Thanks again.



smar.

khad

Smar,



Thanks for writing back. I may not yet be a genius, but I am glad that you appreciate our level of support and response time. It was indeed a late night for me yesterday. (Technically, I guess that was this morning.) <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/laugh.gif' class='bbc_emoticon' alt=':lol:' />



Help me understand your desire for multi-level security on the desktop a bit better. In my own use, I can't see the practical use for it, but this suggestion has come up once or twice before.



For example, if typing in your master password is tedious but you also want to lock everything down when you are away from your computer, I would suggest unchecking all the "Unlocking" settings and perhaps only checking the "Lock when sleeping" setting to ensure that auto-lock only kicks in when you want it to (rather than when it may annoy you).



[img]http://files.droplr.com/files/5916362/H18p.Screen%20shot%202011-04-09%20at%2016%3A19%3A10.png[/img]



This way, you will only need to enter your password once after starting up your Mac (or waking it from sleep) and will not be prompted to enter it again until you restart or wake that machine from sleep. That takes care of the tedium of constantly entering your master password, but what about security? If you are on a laptop, simply close the lid. Or, if you have applications running or downloads mid-transfer that you don't want to sleep, consider (3) above: activate the login window. This effectively puts your login to "sleep" (and locks 1Password), but processes will still run.



We will certainly take your request for multiple security levels on the desktop under advisement, but I do hope you can find a workflow that suits your needs in the meantime. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



I am sorry if there was any confusion regarding High and Low Security levels on the Mac. Is there anything in particular that you think we could do to [url="http://help.agile.ws/1Password3/security_levels.html"]make our documentation clearer[/url]?



Thanks again for your feedback! We really do appreciate it.

Niccum

It would be very convenient to allow low security (4-digit) or even no security access on the mac like we can do on the iphone.



There are several scenarios that this would help me out with... There are several sites that I would like to automatically fill the username and password (without entering the master password) with that would pose no security risk to me. It would be nice to select by login item one of three options: 1.) High Security - Require master PWD, 2.) Low Security - require 4-Digit code, and 3.) No security - no code required.



If the default were always set to High security and the user makes a conscious choice to turn off the mater password for specific sites, I don't think there would be any security risk.



When my children use 1 Password, I have to come and enter the master password for them each time they want to access some of their sites. And then once I do, they have access until it times out, etc. If I had options 2 or 3 above on the mac, then I could give them the 4-digit code to be able to access those that don't need the same level of security.



Regards,

Eric

[Deleted User]

Hello Eric,



I merged your topic with the appropriate thread.



Thank you for letting us know that you would like to see iPhone type Low/High security functionality on 1Password for Mac.



I experience your dilemma often, and I understand how your feature request would be helpful. As for the future possibility of adding this feature to the Mac, I believe Khad states it best in his initial post in this thread:



[quote]The 4-digit unlock code is only used in 1Password on the iPhone due to the nature of its smaller, virtual keyboard. Many users like yourself find entering a complicated master password in that manner to be troublesome. With a full-size keyboard and better security options on the Mac, we have foregone this. I don't believe we have plans to add this in the future, but we never say "never." <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />[/quote]



Furthermore, due to the larger keyboard, 1P's iPad app does not have the Low/High security option either. Although it would be very convenient to you, me and others, there is always a trade off between security and convenience. With the iPhone, the Low security option made sense. Otherwise, the app may be almost unbearable to use. However, with the ability to access larger keyboards, entering your Master Password when using the iPad and desktop versions is not as detrimental to the user experience.



Thank you again for adding your vote for more iPhone-like usability. As Khad stated, we never say "never"!



Cheers!



Brandt



P.S. One solution worth thinking about would be to to purchase a Family License. By doing this, up to 5 different users in your home could have their own version of 1P. You could have a separate copy for your children (which you would control...of course. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/wink.gif' class='bbc_emoticon' alt=';)' />, and you could enter logins for those specific sites you want them to have access to.



I am not trying to finagle a sale here. Honestly. I use the same method in my home, and it works for my family. If you are interested in pursuing this further, please send us an e-mail at the following address: [email="support@agilebits.com"]support@agilebits.com[/email]. I'm sure we can work something out with you. I hope you have a nice weekend.

thightower

[quote name='bswins' timestamp='1310247901' post='31619']

P.S. One solution worth thinking about would be to to purchase a Family License. By doing this, up to 5 different users in your home could have their own version of 1P. You could have a separate copy for your children (which you would control...of course. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/wink.gif' class='bbc_emoticon' alt=';)' />, and you could enter logins for those specific sites you want them to have access to.

[/quote]



Works wonders here also, my kids have there own master PW, just smaller but they have no super secret details, just access to some game sites etc and there usage is controlled by Mac parental controls.

Niccum

Thanks Brandt for your quick customer support. I do already have a Family License as I thought when I originally purchased that I needed it to run the same version on multiple machines. I will think this setup through, but my initial thoughts are that this would be quite duplicative for my setup. Many of the sites [b]we all use[/b], if I set up separate versions for each family member, it seems that it would be a pain to maintain setting up the same login and passwords on each separate version for each child. If all of the websites were just their personal accounts, then that setup would be ideal. Unfortunately, that is not the case for me and my family.



For example, allowing access to my main Netflix account so that they can add instant watch movies to the que. Seems like I would have to copy that login info into multiple versions for each family member and then maintain it if I periodically change the Netflix password.



Even if I copied the entire 1 Password database to propagate to the kids versions, I would then have to delete all of the sensitive (banking, etc.) entries on each version. And then every time I add a site that multiple members may like to access, I would have to propagate it to each version.



In addition, not every family sets up individual users for each family member on their Macs. Many times, my family browse on my mac login.



Frankly, I don't really understand why this is seems to be [b]less secure[/b] by adding this functionality. In my mind, keeping the master password (mine is quite long) locked most of the day and only invoking when truly sensitive access is desired seems [b]more secure[/b] to me. I'd bet that over 50% of the passwords saved by users would not require master password access. If I were to have the ability to have no password and 4-digit security for that 50% not requiring high security, then I would have no need to follow the suggestions below that would leave the master unlocked for long periods of time. I think it is more secure for 1 Password to lock when screensaver is invoked and after short periods of inactivity rather than extending the lockout time and disabling the screensaver lock. The very nature of recommending these options, infers that people are bothered by having to enter the master password (even with a large keyboard).



I hope this makes sense, I'm not trying to complain as I think this is a phenomenal product and you all provide excellent support. I just think this would be a nice enhancement to add flexibility for others in my same situation.



Regards,

Eric

[Deleted User]

Hi Eric,



Thanks for the further thoughts on this, you do make some excellent points and I think there's really two issues here.



[quote name='Niccum' timestamp='1310251332' post='31623']

For example, allowing access to my main Netflix account so that they can add instant watch movies to the que. Seems like I would have to copy that login info into multiple versions for each family member and then maintain it if I periodically change the Netflix password.



Even if I copied the entire 1 Password database to propagate to the kids versions, I would then have to delete all of the sensitive (banking, etc.) entries on each version. And then every time I add a site that multiple members may like to access, I would have to propagate it to each version.[/quote]



This is where 1Password isn't as strong as it maybe could be, it wasn't really designed to be a multi-user application, the idea was that everyone who used 1Password would have their own data file with their own logins. I guess the nature of how we login to sites has changed over the years, I share accounts with many people including my family, and for now I do have to do a manual export of the data and have them import it and then securely delete the actual export.



We're looking into ways we can handle this with a future version of 1Password, the idea of sharing items has been something we've had a lot of requests for but the implementation of it is a lot harder than it may sound, there's security to consider as well as how the sharing takes place. That doesn't mean we're giving up, it's just that we have to be honest and say that we don't have a timeframe for when this will be.



[quote]In addition, not every family sets up individual users for each family member on their Macs. Many times, my family browse on my mac login.[/quote]



Personally, even back in my Windows days, I always setup a different user for everyone and trained them to logout of their accounts when done. For me, it means they have their own settings, backgrounds, Dock configuration etc and can't mess with my own carefully refined setup.



[quote]Frankly, I don't really understand why this is seems to be [b]less secure[/b] by adding this functionality. In my mind, keeping the master password (mine is quite long) locked most of the day and only invoking when truly sensitive access is desired seems [b]more secure[/b] to me. I'd bet that over 50% of the passwords saved by users would not require master password access.[/quote]



I think the best way to think of the master password unlock is that you're not unlocking a certain item, you're unlocking 1Password itself which is then 'allowed' to decrypt your data for a given item and fill this as you request it.



Another thing to consider is that going for a two-level unlock process would add complexity to 1Password and would mean that we'd have to completely change the way the unlocking is handled to accommodate this. For some users this would work well, but there's a huge advantage to keeping things simple and staying with the current single master password unlock on the Mac.



We believe that every password is important because, in general, every account you have will store some form of personal information about you and that means there's a potential risk of identity theft is someone got just one of those passwords.



[quote]I hope this makes sense, I'm not trying to complain as I think this is a phenomenal product and you all provide excellent support. I just think this would be a nice enhancement to add flexibility for others in my same situation.[/quote]



Feedback is vitally important to us, Eric, and the time and effort you've taken to compose your thoughts clearly shows that you want the same outcome as we do, to make 1Password even better than it is right now.



So, while sharing support is certainly on our radar for the future, a two-level security option isn't something we're planning on bringing to the desktop versions of 1Password.



Hope that helps,

[Deleted User]

[quote name='Niccum' timestamp='1310251332' post='31623']

Thanks Brandt for your quick customer support. I do already have a Family License as I thought when I originally purchased that I needed it to run the same version on multiple machines.

[/quote]



Eric,



You are very welcome! It was my pleasure.



I'm glad that you already have a family license, so you have the option to set up different accounts if you decide to go that route.



I see that Stu has replied to your very well written response, and I do not any pearls of wisdom to add to his comments.



I would like to thank you again for discussing the issue. Your opinions mean a lot to us, and it is very important to know how customers wish to use the application.



Feature requests do not always make it into future versions, but requesting the functionality is the first step toward potential inclusion.



I enjoyed reading your views, and I hope you will continue to post in the Forums. I'm confident that your inputs will be valuable to us all.



Cheers!



Brandt