Hacker News: zedstar's comments

That font!


I guess that the person who complained that it is hard to read was treated as an issue and told they are slowing the execution.


That enormous sticky header!


Not comic sans at least.


Teamlabs - Borderless, I also did the same : )


yep that was it!


So all we need to do is change our password every day or so? As long as it is faster than the bureaucracy?


Changing your password frequently could be construed as obstruction of justice (US) or perverting the course of justice (UK).

Also, if there is an automated system for sending new passwords to your local clandestine operations agency then you're simply speeding up the process of them hoovering your data.


Some kind of automated solution to handle this would be nice. Think 1password with automated password changes daily.

How hard can it be? It can already log in by itself, now it just needs to know the page where you can change your password.


> How hard can it be? It can already log in by itself, now it just needs to know the page where you can change your password.

The main issue is: scraping is hard and breaks at the drop of a hat. Sure you could script hourly password changes if you wanted to, but as soon as the host service modifies their forms a little, the whole system breaks and you could possibly be locked out of your account.


Then the Feds will just get the info straight from 1password - or whichever password manager implements such a plan.

Really, the only solution to this kind of thing is offshore corps.


No, the only solution is offline data.

The only reason any of this is an issue is because we have our data and communication in the internet. That's what makes mass surveillance possible.

If you keep your data off the internet, then you're only at risk of individual surveillance. But even that's difficult; Stuxnet demonstrated that even air-gapped computers are at risk, because we move data around on USB sticks and the like.

So, speech and paper, or human memory, are the only really secure media.

As for all the apps we carry around in our pockets ... do you really need instant online access to your bank balance over the internet on the bus? We used to carry around checkbooks and make entries in the register. If you really need to know your balance 24/7, carry a register booklet, or a moleskin. Then you don't have to wonder if Mint et al. are giving up your passwords.

Opt out.


So really what we need is some kind of API design that allows for password changes that all websites should adopt. Of course that's never going to happen...

Still, if 1password made scraping work for the biggest sites out there (Google, Microsoft, etc.) then that in itself would already be worthwhile.


1Password doesn't store your passwords, it generates them on the fly. You would need to hand over your encrypted password storage and your passphrase. Both of which 1Password has no control over.


That's not entirely correct.

1Password is a local, encrypted store of known passwords. Nothing is generated, except for the original passphrases themselves, which are completely random (not from a seed).


Yeah, I was a little too quick in writing that. What I meant to write was that 1. passwords are stored locally and 2. you have the option to generate passwords with predefined complexity parameters. It would be possible to use this password generating feature to update your passwords automatically at a set interval.


I mean, couldn't they just request direct access to the database without going through the pain of cracking your password? They can probably run the SQL query on their own and get whatever they need.


I think the point here is that feds don't want to have to ask access to companies, or even get noticed.

Operating directly on the database means either:

* requesting a dump that gets quickly deprecated

* having direct access to the database, which can be traced

Using the common interface, you can use it without raising any flags, except if companies specifically implement a warning feature for known NSA/feds/whatever IPs.

The best of that is that many people use the same password for several websites. So, having one, you may access data on another website without the company knowing it.

As it becomes more and more clear big companies are fighting agencies here, deciphering passwords and using them abroad makes perfect sense.


> don't want to have to ask access to companies

I mean, isn't the article about the gov't asking the companies for user passwords? How is asking for direct db access any different than this?


Say they ask Amazon for your password, if you reuse the same password elsewhere like 99% of people, then they can access all your other accounts without any permission to ask. In this scheme, only one 'traitor' company compromises all others. People should really use unique passwords.

