
Rotating passwords is only important if the site has been compromised (or you've been compromised, such as being phished). For the former, 1Password already has the Watchtower functionality where it tells you if a site is known to have been compromised since your password was generated, and for the latter, well, if you're being phished then you'll probably figure it out pretty quickly when the attacker steals your account.

In any case, if you really want to rotate passwords, 1Password has a "Security Audit" section with sections for "3+ years old", "1-3 years old", and "6-12 months old" passwords (and duplicate passwords, and weak passwords, and watchtower alerts), so you can rotate if you want to.




Rotating credentials is also important as an additional layer of security to prevent misuse.

Sadly, currently this all is highly theoretical. The first thing we should focus on is getting 2FA (TOTP/HOTP or U2F) authenticated login on every service that doesn’t use OIDC. Even this very site, HN, has no such functionality (@dang, @pg: Why?)

This is a much more important first step, and once that’s fixed, we can look at improving credential rotation, and providing global SSO with browser credentials.
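The comment above asks for TOTP/HOTP login on every service. As an added illustration (not part of the thread, and not any particular project's code), here is the verification side a service would implement, written against RFC 4226 (HOTP) and RFC 6238 (TOTP) with only the Python standard library. The base32 secret, the drift window of one step either side, and the replay check via the last accepted counter are design choices of this example, not something the comment specifies.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) verifier, standard library only.

Added example: shows what a service needs to accept authenticator-app codes
safely: constant-time comparison, a small clock-drift window, and rejection
of a code (counter) that has already been used.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown to the user as a QR code / text.

    Authenticator apps tolerate lowercase, spaces and missing '=' padding,
    so normalise those before decoding.
    """
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, algo: str = "sha1",
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Return the counter that matched, or None.

    - `window` steps either side of now are accepted to absorb clock drift.
    - `last_counter` is the highest counter this user has already redeemed;
      anything at or below it is refused so a captured code cannot be replayed.
      The caller persists the returned counter as the new `last_counter`.
    - Every candidate is compared with hmac.compare_digest and the loop is not
      short-circuited, so timing does not reveal which candidate matched.
    """
    if at_time is None:
        at_time = int(time.time())
    now_counter = at_time // step
    matched: Optional[int] = None
    for delta in range(-window, window + 1):
        candidate_counter = now_counter + delta
        candidate = hotp(secret, candidate_counter, digits, algo)
        if hmac.compare_digest(candidate, submitted) and candidate_counter > last_counter:
            matched = candidate_counter
    return matched


if __name__ == "__main__":
    # Constructed demo secret (the well-known base32 sample "JBSWY3DPEHPK3PXP").
    demo_secret = decode_base32_secret("jbsw y3dp ehpk 3pxp")
    code = totp(demo_secret)
    print("current code:", code)
    first = verify_totp(demo_secret, code)
    print("first use accepted at counter:", first)
    # Second use of the same code within the same step must be refused.
    print("replay accepted?:", verify_totp(demo_secret, code, last_counter=first))
```

The test vectors in RFC 4226 (appendix D) and RFC 6238 (appendix B) use the ASCII secret `12345678901234567890` (padded to 32/64 bytes for SHA-256/SHA-512), which is what a deployment should check its own implementation against before enrolling users.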


I'd wager HN doesn't have 2FA because there's not much damage you could do if you compromised someone's HN account. At best you can pretend to be someone else for a bit, but in most cases that's harmless. There's only a handful of accounts I can think of where it would be problematic if someone started impersonating them.


I work in online gambling and 2FA is a feature everyone says they want but doesn't use because it's annoying. Just query the number of users actually using 2FA on your site if you've set it up. Now compare it to the number of people who said that they can't take your site seriously until you have it.

I'm not saying 2FA is bad, but these people, like the person above, live in a hilarious bubble if they think a website like HN is missing out by not having it.

It comes off as concern-masturbation, if I may be so vulgar.

By the way, the best thing we did for security across our gambling network is to generate passwords for users. Nobody uses 2FA, and the people that use it aren't the ones that need help. But everyone reuses passwords.


Kinda agree about it being annoying.

I think MFA is important and have it enabled for every service that offers it, but we have MFA set up for our CLI access to AWS and I used to let out a volume of curses frequently when my token expired.

I eventually ended up adding a bash alias “damn”[0] that pipes my current MFA token into the AWS CLI so whenever it expires I can just type “damn” and be logged back in.

I like the magic link approach Slack and Medium use - although I have frequently cursed the inconvenience of having to log into gmail.

[0] why damn? Fuck was taken: https://github.com/nvbn/thefuck


As someone who uses a Yubikey for physical 2FA, I happily use it for things like my email and GitHub, but then I just click "trust the device for X days" because, yeah, it can be a pain every time.

I'm moving to KeePassXC currently, and if you use a Yubikey challenge, you (by default) have to press it any time you save or update a record, which is a big pain. I think you can change it, but I worry it might crash (I'm running unstable for the browser extension) or I might forget to save.


Personally, I use Yubikey or TOTP (with Red Hat's FreeOTP) for everything.

But that can only work if most services you’re using are using SSO, and you rarely need to reauth. I need to reauth every time I log in, every time I want to authorize a new service, or modify server, DNS or storage settings.

This only works well because I'm self-hosting 90% of the services I use, and they use Keycloak as identity provider, and then don't have to handle identity themselves.

This is why I’d prefer to see more identity federation – ideally the tokens the services see are short-lived, but the user doesn’t have to re-login every time either.


> Now compare it to the number of people who said that they can't take your site seriously until you have it.

I imagine some people use it as a signal - if you support 2FA, you are at least considering security well, even if they don't actually make use of it.



