59 comments

[ 3.5 ms ] story [ 127 ms ] thread
Looks like a good alternative to AWS Secret manager https://aws.amazon.com/secrets-manager/
AWS Secret Manager is for application code to retrieve secrets for different services (e.g. API Keys, DBs, etc). You can't use 1Password for that.

Similarly, you wouldn't store your Twitter, Facebook, NPM, Hex, etc. accounts in AWS Secret Manager. You'd use 1Password for that use case.

Free 1 year membership membership only? Am i reading that correctly
"Memberships can be renewed each year if your project still meets the requirements. Email us at ______ 30 days prior to renewal."

Presumably free.

No

> Memberships can be renewed each year if your project still meets the requirements.

Can't trust passwords being stored in the cloud.
May I ask what your gripes with the cloud are, especially in situations where you encrypt the data to be stored and the cloud provider has no knowledge of the encryption keys?
Does the cloud provider have knowledge of the encryption keys? Do you generate the key in the provider's application, or is it import? Do they send the key to their servers? Can you verify all of this?
The encryption keys are supposed to be generated client side. Obviously you can’t verify this since 1password is closed source, but if your threat model involves the client misbehaving, then you should be using any proprietary password manager. Cloud vs not Cloud is irrelevant.
Which is a fine mentality for personal passwords -- at least I get where the distrust comes from.

But for an enterprise team (or just a team), you need to be able to share passwords with various team members.

Without a system, you're left with each of those people having to use their own (often insecure) personal methodology. Without a password manager, people resort to very simple passwords, or reusing passwords across multiple systems, or writing passwords down on PostIt notes next to their monitors.

Without the convenience of a cloud-based system, you don't have an easy way to back up your passwords -- what happens if someone gets hit by a bus? And you can't easily have someone run compliance to verify when the last time was you updated your password, or how complex your passwords are -- at least not without showing them the raw passwords in all systems.

I get paranoia... but any team that runs a password manager service consistently for all users will be much more secure than any team that doesn't.

* Most Private And Secure Password Managers - Secured.fyi - Alpha || https://secured.fyi/password.html

* Best Password Manager 2018 - Lastpass vs. Dashlane vs. 1Password || https://www.tomsguide.com/us/best-password-managers,review-3...

It's pretty much the old on-prem vs off-prem argument, and for some people & organizations, on-prem is non-negotiable.
I don’t anticipate on-prem being available for individuals; there is simply too much infrastructure required. But for businesses this may be possible in the future. Please reach out to our business team at `business@1password.com` if you are interested. - Ben, AgileBits
> Without the convenience of a cloud-based system

There is a wide spectrum between password-on-PostIt and cloud-based third-party service.

A password-manager accessing a version-controlled master file on the LAN, for example. Which can not only be firewalled nice and tight but is also resilient to xloud-provider going out of business or changing their ToS.

1Password has a whitepaper and explanation of their system end-to-end where they state very unequivocally that they don't have the key and only store/sync your encrypted blob. They could be lying about that, but they are an established business with literally everything to lose if they are caught making such a bone-headed mistake.
Can you really trust the company? What about each and every one of the employees that touch the code? Can you trust their Government not to have asked them for a backdoor?

I don't think I can trust a password manager that isn't open source. Cloud or not.

Can you trust your hosting company?

Can you trust the manufacturer of your personal devices?

Sooner or later you're trusting somebody, unless you literally smelted your own machine starting from ore and a bucket of sand, and then wrote every line of code for it, including the compiler, yourself.

Maybe you should inventory all the entities you're trusting already.

Local vaults is completely client side encrypted, so you didn't have to trust dropbox or iCloud if you used that to sync.

The only major vuln are the updates, and that would have to be a backdoor delivered to everyone, otherwise the mismatched hashes would be noticeable. The surface area is smaller with the client side encrypted version.

Do you trust your client? Oh, you compiled it yourself. Do you trust your compiler? And so on and so forth.
Data is encrypted client side with 1Password.com as well. -Ben, AgileBits
This is a good question.

It was really difficult in the beginning to earn the trust but 1Password is now over 13 years old and there are over 15 million users.

We started 1Password Teams project in 2015 and since then we had several external audits: https://support.1password.com/security-assessments/

We are currently in the process of completing the SOC 2 compliance audit.

We also have the highest paid bug bounty program in BugCrowd: https://bugcrowd.com/agilebits

Trust is earned. Many of us (myself included) feel that 1Password has earned that trust. Don’t let us down :-)
considering using and supporting the open source bitwarden project instead.

https://bitwarden.com/

Why does it need me to create an account? What's the technical reason? My ye olde 1Password (pre-cloud) doesn't need an account, and stores its database in iCloud or on Dropbox using the accounts I already have there.
It's a web service. You can host it yourself.
(comment deleted)
(comment deleted)
I've been interested in migrating to bitwarden for a while, but I've been hesitant because I don't know how much I can trust it. Mostly, I was looking for an independent security audit. I took another look today and found a GitHub issue on the subject [1] and they're working with researchers on HackerOne [2].

[1] https://github.com/bitwarden/core/issues/27

[2] https://hackerone.com/bitwarden

Running a bug bounty is not the same thing as getting an independent security audit.
That's quite the understatement.
Yes, but there's discussion in the issue that I linked to about raising funds for an independent audit.
Their mobile app appears to only offer copy paste. It'd be nice if they had a custom keyboard or some cross app integration.
Under tools(the hammer & Wrench icon), select "Bitwarden App Extension", and it will show up in the share sheet for safari/etc. I assume similar happens on Android, but I dunno.
Business plan's pricing is attractive to small businesses in Latin America. Thanks for sharing the link. I will implement it in my company.
This seemed like a nice software to manage my passwords so I decided to give it a try and install it on my Synology NAS. However, two things put me off about it.

1) I wanted to install it via Docker App that comes pre-installed on my NAS so that I can use its GUI to make necessary hosting configurations. I searched for the keyword 'bitwarden' on DockerHub and found multiple images created by Bitwarden's company with different names such as "bitwarden/web, bitwarden/api, bitwarden/setup, bitwarden/server, bitwarden/admin" [1] and all have the same description which basically tells you to go to their website for more information about self-hosting it. And unfortunately they don't have any information regarding which one of those images is the one that needs to be installed for self-hosting. All it says on the documentation is how to install it via terminal and pulling the image from GitHub.

2) The other thing, which is more important than the first one, is having to give them an email address and get a unique installation id and key [2] for self-hosting it. I understand that they probably see it as an easy way for upgrading your license for premium features [3] if you choose to do so later on but it kind of kills the idea of self-hosting it on my own server and wanting to have nothing to do with the company other than using their open-source software for me. They may be right for saying 'It's really free, not a fake "free trial free"' on their website but what they're not directly telling you is that it actually is a freemium [4] software if wish to self-host it under these circumstances.

[1] https://hub.docker.com/r/bitwarden/ [2] https://bitwarden.com/host/ [3] https://help.bitwarden.com/article/licensing-on-premise/ [4] https://en.wikipedia.org/wiki/Freemium

How I roll: KeePassXC + browser plugin + MiniKeePass + Dropbox

https://keepassxc.org/

https://itunes.apple.com/us/app/minikeepass/id451661808

Glad it's working for you as a trust no one solution. But does it concern you that you're telling the world your op sec?
And for android : Keepass2Android is very good
Instead of dropbox, I'd recommend using something decentralized like Syncthing. I have a similar setup and recently changed to using Syncthing to keep my password database synced on all my devices.
Thanks! Actually never heard about Syncthing, looks really good!
I do find $36/yearly for a single licence quite alot for this kind of tool.

This is the kind of product that's so feature rich already, I would not need real new features built in. And storing a few passwords takes no diskspace either.

I'm using the non-cloud version, that sync with Dropbox, but suspect 1password of deliberately having it syncing poorly to push us to the cloud version.

I'm on the opposite end of the spectrum. I find $36/yearly a bargain for the value their product provides. 1Password is one of those tools I couldn't imagine my life without. And $36 is a small price to pay to have my online identity a little safer and more manageable.
For me the product is quite feature finished as it is (even before their cloud option came), and in general I dislike subscriptions.

I don't mind paying for software upgrades, and new versions. But all these companies counting on sleepwalking subscription models, oh hey, call me oldschool.

Bitwarden's pricings seem much more reasonable, going to check it out.

There is still an option to purchase a license.

However, I have to disagree about the "feature finished". We had a lot of customer feedback over the years and 1Password Teams is based on it.

I want to pay the $36 a year and not use their cloud.
In this case you can still purchase a license. It is less convenient but the option is there.
1Password 7 Beta supports local vaults
Do you have to use the single license edition and buy one for each OS or are you forced to use the cloud instance if you get the subscription?
Licenses are still available. It is also possible to pay the subscription and use local vaults, though this would not be recommended. - Ben, AgileBits
I also find $36 yearly to be a highly reasonable bargain for any company which has the reputation and credibility, but for an unknown company, I don't know if I'd pay <free> for them to keep my passwords. Arguably, a credible reputation is as valuable as the security product itself, which most people can't evaluate.
$36 yearly $3 monthly $.75 weekly $.10 daily

So, um....

I can literally walk around SF for 5 minutes and find a dime on the ground and then pay for 1Password.

How in the world is that too expensive?

Last month i gave up my dinosaur status (using a ciphered pen and paper notebook for managing my passwords) and started using Lastpass.

To be honest, i still feel a bit wary about keeping my password in the cloud, but LastPass has been so amazingly convenient, it's well worth the risk. To be extra certain incase of an undisclosed breach, I 2FA everything that has a 2FA option. I know i'm very late to the ballpark, but i'd rather corporate organizations add Password Managers to their policies instead of forcing everyone to change ever so often and worsening the situation.

As long as PCI, or ISO 27001, continue to require password rotation policies, it will be hard to implement for some companies, depending on the infrastructure and who has access to what. Hopefully we will see more things following the NIST guidelines, since it's a pretty ineffective way of ensuring security.
Hacker news, never change. Company gives away product for free to opensource teams... and almost all of the comments are complaints. :)

I get it. For some this will never be an acceptable solution. As a happy subscriber of the family plan, I can only say that this has appreciably improved the security of my family online. I'm happy to pay the subscription fee because I think that's the most sustainable business model for a software company.

In any case: "Hey 1Password, thanks for giving away free licenses to opensource projects."

Could not have said it better myself!

Thank you, AgileBits - much appreciated!