
I completely agree. It used to be a very simple piece of software (I’ve used it since the beginning) and they’ve progressively tried to add more UX changes which only confuse and add reliability issues.

Simple tasks like resetting a password or adding an entry in 1Pass can often be frustrating now.



I was a booster until they added a terrible feature to bypass master password on smartphone app with pin.

Previously, with every restart of the phone, you needed to enter master. After, only when the pin is misentered once. They added this ‘new feature’ right when I was installing everything on a new personal laptop. As I recall it, I was entering the master password on my phone, over and over. One of the characters had a shift, which was a pain in the . On iPhone. So I made it lower case. Then, I updated my phone, got the 1password update, and didn’t enter the master for over a month.

Finally, I misentered the pin, and got kicked to the master. Well, you can guess what happened. I was locked out.

You know, a password works because you remember it. My situation revealed the design flaw of bypassing that. If you don’t enter the master for a long time, you lose the habit and increase the risk of losing it.

For me this is the classic example of the corrosive drive to renew a perfectly good product, which ruins the product for some users. But as a designer, I think it’s a fail, but you can’t tell them that.


This is why I like the Authy client on mobile. It periodically asks you for your encryption password just to make sure you can still remember it. Such a thoughtful idea.


I guess if you only ever use the mobile app, but still there's a desktop app and the browser extension to practice your memory.

The pin thing is a big time saver because typing on mobile still sucks, and I'd have to re-type the master every time I switch between an app and 1Pass. I certainly wouldn't qualify it as a bad feature.


I'm not saying the pin is a 'bad' feature (in fact, I'm using BitWarden now. It uses the same UI pattern [1]). The 'feature enhancement' I'm miffed about is when the master is only ever required when you fail at the pin screen, whereas previously you needed the master after every restart of iPhone.

It's a complex system. I had a use-pattern that naturally emerged from the UI (which required the master after reboot), and my habit of turning off my phone every night. So this "feature enhancement" seemed innocuous, but had, I would argue, the unintended consequence that I lost my memory of the master because of a new feature.

I believe this is exactly the sort of thing a smart company, making a security product, should think about before they decide to add a "feature enhancement".

I mistook the great design of the original 1Password product as an indication of a "smart company" who made great decisions, and great products through testing and design.

Now I feel differently. Now I just see another one-hit wonder, who makes improvements by the whiz-bang theory. New! New! New and improved!

The unpopular decision to drop the standalone version (local vault) is just more evidence to me that AgileBits isn't special. I put them on a pedestal with devotion and evangelism, but they're no different, and maybe worse.

And if you like this rant, you might also like my rant on TransitApp. hahah!

[1]: Before with 1Password I would have to enter the master once every 1-2 weeks. Now with Bitwarden using the same 1-fail pin to master UI, I think I've not defaulted into master for, I dunno, 6-8 months? But I've learned my lesson. I wrote the master on a piece of paper and tucked it away in a book somewhere on my bookshelf. What could go wrong?



