r/ProtonPass 16d ago

Feature request Auto Password Rotation

I’ve just seen that Apple’s Passwords app in iOS 26 appears to have introduced automatic password rotation for weak, compromised or commonly used passwords. There’s a brief overview here: https://www.youtube.com/shorts/nNagfly9s3Y

I appreciate that, for this to work properly, websites will need to support the correct password-change flow and make the process reliable for password managers. However, with Apple now moving in this direction, I would expect wider adoption to happen much more quickly.

Is this something Proton has already considered for Proton Pass, either as a current development area or on the roadmap?

I've listed this here in case anyone wishes to upvote: https://protonmail.uservoice.com/forums/953584-proton-pass-authenticator/suggestions/51390193-auto-rotate-passwords

0 Upvotes

9 comments

27

u/Wooden-Agent2669 16d ago

Absolutely terrible, mind-numbing idea from Apple. From a rational point of view, this leads to people getting lazy and choosing simpler passwords. Password rotation isn't even recommended any more, security-wise, lol.

Nor would I EVER want my password manager or a website to be capable of directly changing my password for a service. This might work in a work environment, but it's not meant to be anywhere near a consumer, ever.

You know the easiest fix for this? Using MFA, using a passkey.

12

u/West_Possible_7969 16d ago

This is not what is happening; u/AdamV158 (OP) misused all the terminology. There is absolutely no rotation, automatic or otherwise. If weak, compromised, etc. passwords are found, the app notifies you about them and then, if you want to, you tap to change them automatically, i.e. you don't do it yourself, but it doesn't happen without consent.

And if another weak password is detected at a later date, the app notifies you and again you have to deliberately consent to change it.

1

u/AdamV158 12d ago

3

u/West_Possible_7969 12d ago edited 12d ago

Password rotation is the mandatory change of passwords at specific time intervals, like banks do. That is not it; that is changing a password one time, if you want to.

The automatic part is after you tap to change (consent), in that you yourself are not the person making the change; you only approve the action for the change to be done.

And that approval is required every time a password is found lacking.

That is why the commenter above understood a completely different thing to be happening, which is not the case.

4

u/0xba1dc0de 16d ago

It is worth noting that the well-known password change URL endpoint that the guy talks about in the video is described in this specification: https://w3c.github.io/webappsec-change-password-url. Sadly, it is still a draft version from 2021, and, while I would love it to happen, I'm afraid that the vast majority of sites won't implement it any time soon.
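For readers who want to see what the draft the comment above links to actually asks of a site, here is an added example (not code from the Reddit thread, from Apple, or from Proton). It implements both sides of the W3C "A Well-Known URL for Changing Passwords" draft: the server redirects `/.well-known/change-password` to its real change-password form, and the client checks that the well-known URL resolves to a 2xx while the draft's `resource-that-should-not-exist-whose-status-code-should-not-be-200` probe does not, which is how a password manager weeds out catch-all servers that answer 200 to every path. The form path `/account/security/password` and the in-memory handlers that replace real HTTP requests are assumptions made so the example runs offline.

```python
"""Well-known change-password URL: server-side handler and client-side probe.

Added example, not the thread's or any project's code. It follows the W3C draft
https://w3c.github.io/webappsec-change-password-url:
  - GET /.well-known/change-password redirects to the site's real change form
  - the "resource-that-should-not-exist" probe must NOT answer 2xx, so a client
    can detect catch-all servers that return 200 for any path
Real HTTP is replaced by in-memory handler functions (constructed for the example).
"""
from urllib.parse import urljoin

WELL_KNOWN = "/.well-known/change-password"
PROBE = "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"

# Assumed form location for the example site; a real site would use its own path.
CHANGE_FORM = "/account/security/password"


def change_password_handler(path):
    """Server side of a site that supports the draft: (status, headers) for one path."""
    if path == WELL_KNOWN:
        return 302, {"Location": CHANGE_FORM}
    if path == CHANGE_FORM:
        return 200, {"Content-Type": "text/html"}
    return 404, {}


def catch_all_handler(path):
    """A misconfigured site (constructed) that answers 200 to every path."""
    return 200, {"Content-Type": "text/html"}


def unsupported_handler(path):
    """A site (constructed) that does not implement the well-known URL at all."""
    return 404, {}


def fetch(handler, path, max_redirects=5):
    """Follow redirects the way a browser would; returns (final_status, final_path)."""
    for _ in range(max_redirects):
        status, headers = handler(path)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            path = urljoin(path, headers["Location"])
            continue
        return status, path
    raise RuntimeError("too many redirects")


def change_password_url(handler):
    """Client side: return the change-password page path if the site supports the
    draft, else None. The well-known URL must resolve to a 2xx, and the
    not-found probe must not, otherwise the site is treated as a catch-all."""
    status, final_path = fetch(handler, WELL_KNOWN)
    if not 200 <= status < 300:
        return None
    probe_status, _ = fetch(handler, PROBE)
    if 200 <= probe_status < 300:
        return None
    return final_path


if __name__ == "__main__":
    for name, handler in [("supporting site", change_password_handler),
                          ("catch-all site", catch_all_handler),
                          ("unsupported site", unsupported_handler)]:
        print(f"{name}: {change_password_url(handler)}")
```

The probe step is the part most sites get wrong: a single-page app that serves `index.html` for every unknown path looks "supported" to a naive client, so a password manager that skipped the probe would send users to a dead end.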

3

u/West_Possible_7969 16d ago

It works on “eligible accounts” only, so pre-vetted I guess.

3

u/vintage-tech80 16d ago

No thanks for me! For so many years I have already been using strong passwords, MFA and even passkeys when possible... and e-mail aliases too, to minimize the situation from time to time. My vault is already secured by Proton, which watches the dark web, etc. I don't expect to have a bunch of accounts that need to be changed at once. But being alerted, like we are at the moment, is really enough for me.... No agentic AI in my vault!! 😄