Thoughts on 1Password auto-lock

I have some sensitive work stuff on my computer, and I’d like to secure that as well as practicable, but I HATE that I have to keep reauthenticating with 1Password whenever I unlock my computer.
I’ve already logged on, and I never leave my computer unlocked. In fact, I lock it when someone starts talking to me at the office - it’s automatic. And that’s the problem - I lock it so often that every time I need 1Password I find that I need to unlock it again!!

So how does it help me that 1Password locks itself? Seriously - is there some additional effect I’m unaware of, or should I just disable auto-lock?

1 Like

this is the main reason why I bought the Apple keyboard with touch ID, saved so much time. Especially if you have a really long and strong main password for 1P.

4 Likes

In the desktop app, go to Preferences > Security - set it to Require Master Password Every: 2 Weeks

That’s as long as you can set it, evidently. It seems as if this controls the behavior of the browser extension as well.

It also seems, to me, that this changed recently. I rarely had to re-enter the master password for a long time, but not too long ago it started happening more frequently. I think.

4 Likes

It can also be unlocked with an Apple watch for those of us who don’t like Apple keyboards.

3 Likes

OK, so no one thinks this actually increases security?

What if this is grayed out? I cannot figure out why this is the case. Any input on this?

It does, it just does so in a counterproductive way if your machine is secured and additional friction makes you averse to using your password manager. I also have good screen locking discipline, so I don’t authenticate often on devices only I control. On the other hand, I have 1Password on an account I occasionally share with other people, and I have it set to require a fingerprint either most or all of the time. Adjusting this per device helps make sure the security-convenience tradeoff is closer to optimal, everywhere.

It depends on a few things, but it potentially increases security: When 1Password is unlocked there is a greater chance that other software that you’re running could access your stored secrets. Given that viewing any non-trival web page is literally downloading software from an external source and running it in your browser (which is often configured to be able to access 1Password), locking 1Password frequently isn’t the worst security idea out there.

Likewise, any app that has been granted accessibility control could also be used to access your (unlocked) 1Password data if it becomes subverted.

These things aren’t especially likely, but given the information that’s stored in 1Password, the payoff for a successful attack could be high and the effort required is relatively low.

I’m in favour of locking frequently and using biometric identifiers (TouchID or FaceID) to unlock on demand. I may be a touch over cautious, but that caution comes from seeing increasing frequency, sophistication, and automation in information system attacks.

1 Like

I have this set to 10 minutes. I can’t imagine any of my billion passwords being compromised by a rogue malicious actor or my wife. Lol

2 Likes

wow - no idea…Google has let me down too