May I ask what your gripes with the cloud are, especially in situations where you encrypt the data to be stored and the cloud provider has no knowledge of the encryption keys?
Does the cloud provider have knowledge of the encryption keys? Do you generate the key in the provider's application, or is it import? Do they send the key to their servers? Can you verify all of this?
The encryption keys are supposed to be generated client side. Obviously you can’t verify this since 1password is closed source, but if your threat model involves the client misbehaving, then you should be using any proprietary password manager. Cloud vs not Cloud is irrelevant.
There is no way we would want to know your keys. There are several million 1Password accounts and 1Password a huge attack target. All keys are generated on the client side and encrypted with a PBKDF2-hardened combination of Master Password + Secret Key.
Which is a fine mentality for personal passwords -- at least I get where the distrust comes from.
But for an enterprise team (or just a team), you need to be able to share passwords with various team members.
Without a system, you're left with each of those people having to use their own (often insecure) personal methodology. Without a password manager, people resort to very simple passwords, or reusing passwords across multiple systems, or writing passwords down on PostIt notes next to their monitors.
Without the convenience of a cloud-based system, you don't have an easy way to back up your passwords -- what happens if someone gets hit by a bus? And you can't easily have someone run compliance to verify when the last time was you updated your password, or how complex your passwords are -- at least not without showing them the raw passwords in all systems.
I get paranoia... but any team that runs a password manager service consistently for all users will be much more secure than any team that doesn't.
I don’t anticipate on-prem being available for individuals; there is simply too much infrastructure required. But for businesses this may be possible in the future. Please reach out to our business team at `business@1password.com` if you are interested. - Ben, AgileBits
There is a wide spectrum between password-on-PostIt and cloud-based third-party service.
A password-manager accessing a version-controlled master file on the LAN, for example. Which can not only be firewalled nice and tight but is also resilient to xloud-provider going out of business or changing their ToS.
1Password has a whitepaper and explanation of their system end-to-end where they state very unequivocally that they don't have the key and only store/sync your encrypted blob. They could be lying about that, but they are an established business with literally everything to lose if they are caught making such a bone-headed mistake.
Can you really trust the company? What about each and every one of the employees that touch the code? Can you trust their Government not to have asked them for a backdoor?
I don't think I can trust a password manager that isn't open source. Cloud or not.
Can you trust the manufacturer of your personal devices?
Sooner or later you're trusting somebody, unless you literally smelted your own machine starting from ore and a bucket of sand, and then wrote every line of code for it, including the compiler, yourself.
Maybe you should inventory all the entities you're trusting already.
Local vaults is completely client side encrypted, so you didn't have to trust dropbox or iCloud if you used that to sync.
The only major vuln are the updates, and that would have to be a backdoor delivered to everyone, otherwise the mismatched hashes would be noticeable. The surface area is smaller with the client side encrypted version.
Why does it need me to create an account? What's the technical reason? My ye olde 1Password (pre-cloud) doesn't need an account, and stores its database in iCloud or on Dropbox using the accounts I already have there.
I've been interested in migrating to bitwarden for a while, but I've been hesitant because I don't know how much I can trust it. Mostly, I was looking for an independent security audit. I took another look today and found a GitHub issue on the subject [1] and they're working with researchers on HackerOne [2].
Under tools(the hammer & Wrench icon), select "Bitwarden App Extension", and it will show up in the share sheet for safari/etc. I assume similar happens on Android, but I dunno.
This seemed like a nice software to manage my passwords so I decided to give it a try and install it on my Synology NAS.
However, two things put me off about it.
1) I wanted to install it via Docker App that comes pre-installed on my NAS so that I can use its GUI to make necessary hosting configurations. I searched for the keyword 'bitwarden' on DockerHub and found multiple images created by Bitwarden's company with different names such as "bitwarden/web, bitwarden/api, bitwarden/setup, bitwarden/server, bitwarden/admin" [1] and all have the same description which basically tells you to go to their website for more information about self-hosting it.
And unfortunately they don't have any information regarding which one of those images is the one that needs to be installed for self-hosting. All it says on the documentation is how to install it via terminal and pulling the image from GitHub.
2) The other thing, which is more important than the first one, is having to give them an email address and get a unique installation id and key [2] for self-hosting it. I understand that they probably see it as an easy way for upgrading your license for premium features [3] if you choose to do so later on but it kind of kills the idea of self-hosting it on my own server and wanting to have nothing to do with the company other than using their open-source software for me.
They may be right for saying 'It's really free, not a fake "free trial free"' on their website but what they're not directly telling you is that it actually is a freemium [4] software if wish to self-host it under these circumstances.
Instead of dropbox, I'd recommend using something decentralized like Syncthing. I have a similar setup and recently changed to using Syncthing to keep my password database synced on all my devices.
I do find $36/yearly for a single licence quite alot for this kind of tool.
This is the kind of product that's so feature rich already, I would not need real new features built in. And storing a few passwords takes no diskspace either.
I'm using the non-cloud version, that sync with Dropbox, but suspect 1password of deliberately having it syncing poorly to push us to the cloud version.
I'm on the opposite end of the spectrum. I find $36/yearly a bargain for the value their product provides. 1Password is one of those tools I couldn't imagine my life without. And $36 is a small price to pay to have my online identity a little safer and more manageable.
For me the product is quite feature finished as it is (even before their cloud option came), and in general I dislike subscriptions.
I don't mind paying for software upgrades, and new versions. But all these companies counting on sleepwalking subscription models, oh hey, call me oldschool.
Bitwarden's pricings seem much more reasonable, going to check it out.
I also find $36 yearly to be a highly reasonable bargain for any company which has the reputation and credibility, but for an unknown company, I don't know if I'd pay <free> for them to keep my passwords. Arguably, a credible reputation is as valuable as the security product itself, which most people can't evaluate.
Last month i gave up my dinosaur status (using a ciphered pen and paper notebook for managing my passwords) and started using Lastpass.
To be honest, i still feel a bit wary about keeping my password in the cloud, but LastPass has been so amazingly convenient, it's well worth the risk. To be extra certain incase of an undisclosed breach, I 2FA everything that has a 2FA option. I know i'm very late to the ballpark, but i'd rather corporate organizations add Password Managers to their policies instead of forcing everyone to change ever so often and worsening the situation.
As long as PCI, or ISO 27001, continue to require password rotation policies, it will be hard to implement for some companies, depending on the infrastructure and who has access to what. Hopefully we will see more things following the NIST guidelines, since it's a pretty ineffective way of ensuring security.
Hacker news, never change. Company gives away product for free to opensource teams... and almost all of the comments are complaints. :)
I get it. For some this will never be an acceptable solution. As a happy subscriber of the family plan, I can only say that this has appreciably improved the security of my family online. I'm happy to pay the subscription fee because I think that's the most sustainable business model for a software company.
In any case: "Hey 1Password, thanks for giving away free licenses to opensource projects."
59 comments
[ 3.5 ms ] story [ 127 ms ] threadSimilarly, you wouldn't store your Twitter, Facebook, NPM, Hex, etc. accounts in AWS Secret Manager. You'd use 1Password for that use case.
1Password is a password manager for humans :)
Presumably free.
> Memberships can be renewed each year if your project still meets the requirements.
Details are here: https://1password.com/security/ Whitepaper (PDF): https://1password.com/teams/white-paper/
But for an enterprise team (or just a team), you need to be able to share passwords with various team members.
Without a system, you're left with each of those people having to use their own (often insecure) personal methodology. Without a password manager, people resort to very simple passwords, or reusing passwords across multiple systems, or writing passwords down on PostIt notes next to their monitors.
Without the convenience of a cloud-based system, you don't have an easy way to back up your passwords -- what happens if someone gets hit by a bus? And you can't easily have someone run compliance to verify when the last time was you updated your password, or how complex your passwords are -- at least not without showing them the raw passwords in all systems.
I get paranoia... but any team that runs a password manager service consistently for all users will be much more secure than any team that doesn't.
* Most Private And Secure Password Managers - Secured.fyi - Alpha || https://secured.fyi/password.html
* Best Password Manager 2018 - Lastpass vs. Dashlane vs. 1Password || https://www.tomsguide.com/us/best-password-managers,review-3...
There is a wide spectrum between password-on-PostIt and cloud-based third-party service.
A password-manager accessing a version-controlled master file on the LAN, for example. Which can not only be firewalled nice and tight but is also resilient to xloud-provider going out of business or changing their ToS.
I don't think I can trust a password manager that isn't open source. Cloud or not.
Can you trust the manufacturer of your personal devices?
Sooner or later you're trusting somebody, unless you literally smelted your own machine starting from ore and a bucket of sand, and then wrote every line of code for it, including the compiler, yourself.
Maybe you should inventory all the entities you're trusting already.
The only major vuln are the updates, and that would have to be a backdoor delivered to everyone, otherwise the mismatched hashes would be noticeable. The surface area is smaller with the client side encrypted version.
It was really difficult in the beginning to earn the trust but 1Password is now over 13 years old and there are over 15 million users.
We started 1Password Teams project in 2015 and since then we had several external audits: https://support.1password.com/security-assessments/
We are currently in the process of completing the SOC 2 compliance audit.
We also have the highest paid bug bounty program in BugCrowd: https://bugcrowd.com/agilebits
https://bitwarden.com/
[1] https://github.com/bitwarden/core/issues/27
[2] https://hackerone.com/bitwarden
https://blog.bitwarden.com/bitwarden-the-oreo-autofill-frame...
1) I wanted to install it via Docker App that comes pre-installed on my NAS so that I can use its GUI to make necessary hosting configurations. I searched for the keyword 'bitwarden' on DockerHub and found multiple images created by Bitwarden's company with different names such as "bitwarden/web, bitwarden/api, bitwarden/setup, bitwarden/server, bitwarden/admin" [1] and all have the same description which basically tells you to go to their website for more information about self-hosting it. And unfortunately they don't have any information regarding which one of those images is the one that needs to be installed for self-hosting. All it says on the documentation is how to install it via terminal and pulling the image from GitHub.
2) The other thing, which is more important than the first one, is having to give them an email address and get a unique installation id and key [2] for self-hosting it. I understand that they probably see it as an easy way for upgrading your license for premium features [3] if you choose to do so later on but it kind of kills the idea of self-hosting it on my own server and wanting to have nothing to do with the company other than using their open-source software for me. They may be right for saying 'It's really free, not a fake "free trial free"' on their website but what they're not directly telling you is that it actually is a freemium [4] software if wish to self-host it under these circumstances.
[1] https://hub.docker.com/r/bitwarden/ [2] https://bitwarden.com/host/ [3] https://help.bitwarden.com/article/licensing-on-premise/ [4] https://en.wikipedia.org/wiki/Freemium
https://github.com/jcs/bitwarden-ruby https://github.com/VictorNine/bitwarden-go
but to run the bitwarden-blessed one see: https://help.bitwarden.com/article/install-on-premise/
https://keepassxc.org/
https://itunes.apple.com/us/app/minikeepass/id451661808
This is the kind of product that's so feature rich already, I would not need real new features built in. And storing a few passwords takes no diskspace either.
I'm using the non-cloud version, that sync with Dropbox, but suspect 1password of deliberately having it syncing poorly to push us to the cloud version.
I don't mind paying for software upgrades, and new versions. But all these companies counting on sleepwalking subscription models, oh hey, call me oldschool.
Bitwarden's pricings seem much more reasonable, going to check it out.
However, I have to disagree about the "feature finished". We had a lot of customer feedback over the years and 1Password Teams is based on it.
So, um....
I can literally walk around SF for 5 minutes and find a dime on the ground and then pay for 1Password.
How in the world is that too expensive?
To be honest, i still feel a bit wary about keeping my password in the cloud, but LastPass has been so amazingly convenient, it's well worth the risk. To be extra certain incase of an undisclosed breach, I 2FA everything that has a 2FA option. I know i'm very late to the ballpark, but i'd rather corporate organizations add Password Managers to their policies instead of forcing everyone to change ever so often and worsening the situation.
I get it. For some this will never be an acceptable solution. As a happy subscriber of the family plan, I can only say that this has appreciably improved the security of my family online. I'm happy to pay the subscription fee because I think that's the most sustainable business model for a software company.
In any case: "Hey 1Password, thanks for giving away free licenses to opensource projects."
Thank you, AgileBits - much appreciated!