Automatically change passwords on a rotating schedule

Post by mheffner » Thu Aug 13, 2009 11:47 am

A feature that would be really nice to have would be the ability to automatically change the passwords on my existing sites on a periodic basis -- say every three months. This would ensure that passwords are always kept up-to-date and that you never keep a password for a site the same for longer than some period (3-6 months).

Understandably, this would be difficult to do in a completely automated way, as websites change their layouts regularly. However, a method by which LastPass could remind you or walk you through updating your passwords regularly would be nice. Maybe only support the completely automated mode for popular websites that can be scraped regularly and the steps automated. A standard could even be created that defined how a website could put a meta-data tag identifying the form POST URI for password changes.

Re: Automatically change passwords on a rotating schedule

Post by Julian » Sat Aug 15, 2009 7:58 am

I've wondered about this one myself. The scope of doing it in a fully automated way is daunting to say the least, and very probably impossible, so in order to avoid this idea being written off as too difficult I'll offer a very modest suggestion as the first step to doing this which seems implementable and might go some way to addressing the request.

Implement a new notification that is sometimes displayed after the user logs into a site. The new notification would read something like "The time limit on this password has expired; please change it and click 'OK' when done". The display of this notification would be triggered by a setting in the LastPass record for the account that allowed the user to tick an option for the account (something like "Enable password rotation reminder") and then a numeric field that says after how many days to "expire" the password.

When the user sees this notification it would then be up to him/her to navigate to the right part of that specific site (usually somewhere under an "Account Settings" or "My Account" section) and change the password, and then, when they've done that, they click the "OK" button in the notification to tell LastPass to reset the timer for the account and to dismiss the notification bar.

The above does involve UI changes to allow the user to specify the password rotation behaviour, and the new type of notification needs to be quite persistent (it needs to stay around while the user navigates to the right page(s) to change their password), but it must be 100 times easier than trying to understand particular sites and do the change automatically.

- Julian
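The per-account reminder Julian sketches above can be written down as a small policy check. The following is an added example, not LastPass code and not anything posted in this thread: it models the "Enable password rotation reminder" flag and the "expire after N days" field on a vault record, decides on site login whether the reminder should be shown, and resets the timer when the user clicks OK. The record fields, function names and sample vault are assumptions made for the example; the one behaviour beyond the post is that a last-changed timestamp lying in the future (clock skew or a tampered record) is treated as due rather than silently trusted.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical vault record; field names are assumptions for this example.
@dataclass(frozen=True)
class VaultEntry:
    site: str
    rotation_reminder: bool   # the "Enable password rotation reminder" tick box
    rotation_days: int        # "expire" the password after this many days
    last_changed: datetime    # when the password was last set (timezone-aware UTC)


def rotation_due(entry: VaultEntry, now: datetime) -> bool:
    """True when the reminder is enabled and the password has reached its age limit."""
    if not entry.rotation_reminder:
        return False
    if entry.rotation_days <= 0:
        raise ValueError(f"{entry.site}: rotation_days must be positive")
    if entry.last_changed > now:
        # A timestamp from the future cannot be trusted (skewed clock or edited
        # record); fail towards showing the reminder rather than hiding it.
        return True
    return now - entry.last_changed >= timedelta(days=entry.rotation_days)


def days_until_due(entry: VaultEntry, now: datetime) -> Optional[int]:
    """Whole days left before the reminder fires; None if the reminder is off, 0 if overdue."""
    if not entry.rotation_reminder:
        return None
    remaining = (entry.last_changed + timedelta(days=entry.rotation_days)) - now
    return max(0, remaining.days)


def login_notification(vault: List[VaultEntry], site: str, now: datetime) -> Optional[str]:
    """Text of the bar to show after logging into `site`, or None if nothing is due."""
    for entry in vault:
        if entry.site == site and rotation_due(entry, now):
            return ("The time limit on this password has expired; "
                    "please change it and click 'OK' when done")
    return None


def acknowledge_rotation(entry: VaultEntry, now: datetime) -> VaultEntry:
    """The user clicked OK: reset the timer by recording the change time."""
    return replace(entry, last_changed=now)


def entries_due(vault: List[VaultEntry], now: datetime) -> List[str]:
    """Sites whose reminder would fire right now (e.g. for a vault-wide report)."""
    return [e.site for e in vault if rotation_due(e, now)]


# Constructed sample vault and clock, built inline so the example runs offline.
SAMPLE_NOW = datetime(2009, 8, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_VAULT = [
    VaultEntry("bank.example", True, 90, SAMPLE_NOW - timedelta(days=120)),    # overdue
    VaultEntry("mail.example", True, 90, SAMPLE_NOW - timedelta(days=10)),     # 80 days left
    VaultEntry("forum.example", False, 90, SAMPLE_NOW - timedelta(days=400)),  # reminder off
    VaultEntry("shop.example", True, 30, SAMPLE_NOW - timedelta(days=30)),     # due today
    VaultEntry("odd.example", True, 30, SAMPLE_NOW + timedelta(days=2)),       # future timestamp
]

if __name__ == "__main__":
    print("due now:", entries_due(SAMPLE_VAULT, SAMPLE_NOW))
    print("bank login bar:", login_notification(SAMPLE_VAULT, "bank.example", SAMPLE_NOW))
    bank = acknowledge_rotation(SAMPLE_VAULT[0], SAMPLE_NOW)
    print("bank after OK, days left:", days_until_due(bank, SAMPLE_NOW))
```

The check runs against the vault's own timestamp, not the site's, so it only knows when the user told LastPass the password changed; that is exactly the limitation Julian accepts by having the OK click reset the timer.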

Re: Automatically change passwords on a rotating schedule

Post by mheffner » Mon Aug 17, 2009 2:42 pm

I agree, I think you describe an achievable milestone towards assisted password rotation.

Re: Automatically change passwords on a rotating schedule

Post by h0pc » Tue Aug 18, 2009 1:02 am

I'm too lazy and/or busy to do any research on the topic, but does password rotation provide any real benefit if your original password is super-strong? If anyone has done the research of the benefits of password rotation, a brief synopsis would be appreciated.

Re: Automatically change passwords on a rotating schedule

Post by viper92225 » Fri Aug 28, 2009 4:00 am

A good strong password is wonderful protection, but it does not cover all threats. The main reason for rotating a password is to deny access to anyone who has gained knowledge of your previous password. Depending on your habits and the web site in question I can think of quite a few ways that someone could gain your password:

* Key logger
* Looking over your shoulder, or a video camera that can see your keyboard (moot point if using OTP to get into LastPass and LastPass to get into the site)
* Giving a friend your password to access your account for a legitimate reason (if you use the same password for a long time you may forget you ever let anyone access the account)
* Website admin stealing password DB
* Website security compromised and DB stolen.

These are obviously just a few possibilities (with a range of different likelihoods); however, if you rotate your passwords (and why not, if LastPass will remember them for you) then your account cannot be compromised for one of the above reasons for any longer than the length of time you use the same password.
