Apple To Deploy 1Password To All 123,000 Employees; In Talks To Acquire Password Manager's Parent-Firm AgileBits: Report (bgr.com)
Jonathan S. Geller, reporting for BGR: Apple acquires an average of 15 to 20 companies a year, according to CEO Tim Cook. Of that number, we only hear about a couple, as most of these acquisitions or acqui-hires are not consumer-facing, nor disclosed. However, we have exclusively learned that Apple is planning an interesting partnership and a potential acquisition of AgileBits, maker of the popular password manager 1Password.
According to our source, after many months of planning, Apple plans to deploy 1Password internally to all 123,000 employees. This includes not just employees in Cupertino, but extends all the way to retail, too. Furthermore, the company is said to have carved out a deal that includes family plans, giving up to 5 family members of each employee a free license for 1Password. With more and more emphasis on security in general, and especially at Apple, there are a number of reasons this deal makes sense. We're told that 100 Apple employees will start using 1Password through this initiative starting this week, with the full 123,000+ users expected to be activated within the next one to two months. Update: In a statement, 1Password said rumors of its acquisition were "completely false."
Thank goodness (Score:1)
Re: (Score:2)
I do use 1Password and I'm not terribly happy with this. 1P integrates well with OS X (and iOS and Windows). AgileBits is a small, so far reasonably well-behaved firm (not terribly happy with the attempt at subscription pricing but I think that ship sailed a while back).
I don't use iCloud. I use Dropbox.
I don't use Pages. I use Word.
I don't want Apple to swallow up everything, thankyouverymuch.
Re: (Score:2, Interesting)
I don't use 1Password but might if Apple bought it. As far as I have to trust third parties with my data I trust Apple, but 'Agile Bits'...? They may be extremely competent and morally beyond reproach but I have no way of knowing that.
Re: (Score:2)
This. Since there is no vetting or third party certification, all their password data could be sitting on a public S3 bucket, with the password used for authentication and all zeroes used for AES "encryption". At least LastPass documents what they do, and their security is proven.
What would be ideal is that each endpoint generates and stores their own private key, and is "introduced" to each other via another device. That way, the cloud provider doesn't even have password hashes that can be brute forced.
Re:Thank goodness (Score:5, Informative)
1Password is actually fine as far as 3rd party concerns go. You can use their internal cloud to store your password archive, or one of many other cloud services, or even keep the archive in local storage and NOT in the cloud. The password archive is a file. You can put it anywhere you put any other file. The trust for this location is entirely up to you. If you trust Apple, put the archive into iCloud and you're solid.
I've been using the program for several years. I'm quite happy to see Apple using it. They could choose from any password tool on the market. I'm sure they extensively vetted the alternatives before picking 1Password. If it's secure enough for Apple, I feel safe trusting it as well.
Re: (Score:1)
I don't use iCloud. I use Dropbox.
You trust the company that has Condoleezza Rice [dropbox.com] on its board over the company that has pushed back against the FBI on privacy so much that their conflict has its own wikipedia page [wikipedia.org]? Really?
Re: (Score:2)
Nope. Don't trust nobody. Dropbox, Apple, Google. Anything remotely interesting is encrypted before it hits Dropbox.
If Condoleezza really wants my scheduling matrices, draft reports and the other impedimenta of my life, they're welcome to it.
I just want the same files on all my machines. Without hassles.
Re: Thank goodness (Score:2)
I think you are making the old 'nothing to hide' pro surveillance argument. A very dangerous position to take.
Re: (Score:1)
Re: (Score:2)
I do not use 1Password but only One Password "BluePotato#8" so it will not affect me or the "security" of my Data.
That statement above is of course false.
The real problem is how bad Passwords are in general.
We need to trust the people who are asking for the password to the system to have it stored in a way that it isn't accessible by a data breach, often securely hashed with salt and pepper, but that is with vendors who care about security. Often there are startups with programmers who are just out of 2 year s
Massive leak of Apple user accounts incoming. (Score:1)
Probably not what it sounds like (Score:3)
Password management is something Apple computers already do and sync. Letting a third party like Apple be the conduit for your password syncs isn't particularly unnerving. It's no more unnerving than letting 1Password do it.
Unless of course, Apple is your employer and insists you use an iPhone or a Mac computer. In that case you want a different third party.
So it makes sense for Apple employees not to be forced to eat their company dogfood in this case. But it probably doesn't mean Apple is going away.
Re: (Score:2)
Actually, one of 1P's strengths is cross platform. Although I don't think it has Linux support it works with iOS, Android and Windows as well.
Re: (Score:2)
1. apple doesn't store your passwords on their servers
2. apple has very flexible password generation
3. it works system wide not just as an application with limited privileges.
4. you are not relying on a third party to keep its OS incompatibilities patched as things break.
I have no idea what continuous monitoring of accounts means.
Re: Probably not what it sounds like (Score:2)
It means that 1Password tells you which accounts are compromised.
It also tells you password age.
Apple doesn't manage passwords in chrome or Firefox either.
Re: Probably not what it sounds like (Score:2)
You make an excellent point. This doesn't mean Apple is abandoning their password system, they just recognized that employees should be given a method that is free of potential company backdoors.
Re: (Score:2)
This seems laughable (Score:1)
Apple already has a password manager built into their products, what new functionality will 1password provide them? Is this just a patent play?
Why? (Score:3, Insightful)
Keepass for the win,
Re: Why? (Score:1)
How do you do it?
What if you're not at home and need your passwords, how often and how do you sync your KeePass file between devices, mobile device?
Re: (Score:2)
Re: (Score:2)
How do you do it?
What if you're not at home and need your passwords, how often and how do you sync your KeePass file between devices, mobile device?
I have several methods.
1) I have a formula I use to create a password based on a web address (I actually have several formulas - I tweak it over time)... and even if someone got hold of one password I doubt they could easily reverse engineer the formula.
I don't remember my password, I remember my formula.
2) For IMPORTANT systems such as bank/main e-mail I don't use the formula I use a long complex password that I remember. A unique one for each place. (I only memorise a handful of passwords).
3) If for
Re: (Score:3)
This is pretty close to what I did for a long time... but then I got engaged. When you have TONS of shared passwords, and she is particularly bad at remembering any of them, 1Password is the answer.
The "shared vaults" are awesome. We can both add passwords / logins / credit cards / whatever there... and it shows up on all of our collective devices.
Has revolutionized the way I do things. Yeah: I have to trust 1Password... but the alternative is just non-functioning.
Re: (Score:2)
I have way more than 400 unique passwords. I am not smart enough to memorize them all. Plus my cognitive abilities are declining now so I am becoming less able to remember even passwords I do have memorized. One good whack on the head might lock me out of much of my digital life. I would rather rely on a secure password app.
Re: Why? (Score:2)
You use Resilio Sync to copy the password file between your various devices when they're on the same network. Works like a charm.
Re: Why? (Score:2)
To answer your question, I use an Android port of KeePass that is available in the Play Store, and have all the time syncing of databases using Dropbox on my phone and PC. If I make a change on one side, it gets synced instantly to the other. The databases are encrypted at the device level, so using dropbox to sync doesn't worry me about if Dro
Re: (Score:2)
I would assume that you just wait until you get home. If you can't get the password when mobile, then just maybe you don't need to get onto that site anyway, thus saving you money and/or privacy. People do need to be more paranoid instead of defaulting to a "me want now!" attitude.
Re:Why? (Score:5, Informative)
In today's world, ANY method you use for account security will have downsides.
I have decided that this method gives me a balance between usability and security I can live with.
But you knew yours was a rhetorical question to make people look stupid, didn't you?
Or on a computer (Score:4, Informative)
Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.
Keepass for the win,
Just as relevant, why would anyone store their passwords on their computer? (Which could be compromised, malware could follow you unlocking your password vault and replay that action later.)
What we need is dedicated hardware, a password vault that we could take with us in the form factor of a small USB dongle, where the processing is done in the dongle and not on the computer. Inexpensive, with a way to make secure backups and reload our passwords to a newly purchased dongle when lost or stolen. The device needs a PIN that's entered on the device, and not on the computer.
(Or in the form of a credit card, a NFC or BLE device that you can just place near your computer. The form factor of a credit-card calculator would work - small solar panel for power, keypad for entering the PIN, and LCD display for feedback.)
Mooltipass comes close, it's got the right functionality but it's big and is an "add-on" to most software.
Re: (Score:2)
While that is certainly a reasonable option, I, for one, would lose the damn USB key in a minute. No, keeping the files on the computer is a security risk but, as we have said 10E23 times, security is a tradeoff.
I like the idea that I can have my passwords on my MacBook Pro and my iPhone and my Windows boxes. I think I have something like 700 passwords, most of which are auto generated and so I have no earthly clue as to what they are.
I am not worried that a three letter agency is going to swoop up and lo
Re: (Score:2)
I put my passwords in a file on a USB thumb drive, and I keep it at home on my desk. It is not kept on a computer, it only shows up there briefly for less than a minute.
I have an encrypted subset of less important ones at work.
Re:Or on a computer (Score:5, Funny)
Re: (Score:2)
Re:Or on a computer (Score:5, Informative)
My team's preferred password management is basically doing that right now.
We use the standard 'zx2c4' pass program (passwordstore.org). Which is a readable set of BASH wrapper scripts around GPG and Git.
Our GPG private keys are on Yubikeys. Where the crypto processing does happen on the smartcard/dongle as you suggest. There's a step there where it's in memory, but that's inevitable (even with mooltipass emulating a keyboard).
This even works over NFC on Android (Password Store and OpenKeychain).
iow, it's baked... we've been doing this for like three years now.
Re: (Score:3)
What we need is dedicated hardware,
Greybeard here. Obviously you didn't live through the days of hooking up dongles to Banyan Vines servers...
Re: (Score:3)
The point is not having secure passwords, the point is having different passwords for your services.
Your password security is only as secure as where you are using them.
With cloud stored passwords, you can have auto generated arbitrary passwords, each different for each service so in case of a leak, your other services aren't compromised.
Just make sure the password vault is encrypted client side and it should be reasonably secure for "random online stuff".
For banking or high secure requirements, then no. So
Re:Why? (Score:4, Insightful)
The point is not having secure passwords, the point is having different passwords for your services.
Agreed.
Your password security is only as secure as where you are using them.
I disagree. If I use Keepass and store my DB locally, then I'd argue that's more secure than anything stored in the cloud. At the very least, it's up to me to ensure it's secure, rather than hoping someone else is doing so for me.
With cloud stored passwords, you can have auto generated arbitrary passwords, each different for each service so in case of a leak, your other services aren't compromised.
This doesn't require cloud storage of passwords.
Just make sure the password vault is encrypted client side and it should be reasonably secure for "random online stuff".
Or, store it COMPLETELY client side...and encrypt it.
For banking or high secure requirements, then no. Something involving keys would probably be better.
So you propose using a cloud storage service for passwords, unless you're banking?
Re:Why? (Score:5, Insightful)
So they automatically sync to my phone and iPad. Why would anyone manually sync passwords when you can get the same thing to happen automatically?
A password that is too sensitive for cloud sync is too sensitive for any password manager.
Re: (Score:2)
Because my default stance is to distrust the cloud. It's amorphous, badly defined, and not proven to be secure. I've seen too many cases where companies screw up badly because security cuts into profits (they think, until they're bankrupt).
Even if secure, what happens when they go away, like most flash-in-the-pan online startups there's no guarantee that the service will stay around or notify you effectively before the plug is pulled. Even if you use the cloud, keep a backup.
Re: (Score:2)
The backup is the "I forgot my password" button.
Re: (Score:2)
1Password does both, local and cloud storage. The cloud storage was recently added in the newest version, I've been using the local one for several years.
Re: (Score:2)
All the major services use the cloud as an opaque data store for a client-encrypted blob.
Re: (Score:2)
Re: (Score:2)
1Password is not exclusively via the cloud, nor has it ever been. In fact, hosted cloud syncing is only a relatively recent addition to how 1Password can be used. The other ways you can use it are:
- No syncing: Just use it as a standalone manager on any given device
- Local WiFi syncing: Connect your devices on a local network and you can manually initiate a sync between them
- DIY Cloud syncing: Point 1Password to your Dropbox or iCloud Drive directory and it will sync your vault via it automatically
(I think
Re: (Score:2)
My passwords are stored in the cloud with 1Password.
I'm confident in their security that this is as safe as any other alternative. Agile Bits, the creators of 1Password, do not have access to unencrypted passwords. If you were to somehow obtain my password vault, you'd have a heap of AES encrypted passwords. They're not going to do much good to you.
Unless you have my account key and master password (and the account key is a 40 character alphanumeric code, not a simple password) you're not getting at my pass
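An added sketch (not part of the comment above, and not 1Password's actual key derivation) of why a stolen vault blob resists password guessing when the key depends on both a master password and a high-entropy account key. The function names, the mixing construction, the sample account key and the blob are all constructed for illustration.

```python
import hashlib
import hmac

def vault_key(master_password: str, account_key: str, salt: bytes,
              iterations: int = 100_000) -> bytes:
    """Derive a 32-byte key that needs BOTH secrets (illustrative construction)."""
    # Slow KDF over the human-chosen password: makes each guess expensive.
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # The account key is high entropy, so one HMAC pass is enough to mix it in.
    mixed = hmac.new(account_key.encode(), b"vault-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, mixed))

def seal_tag(key: bytes, blob: bytes) -> bytes:
    """Integrity tag over the stored blob; stands in for authenticated encryption."""
    return hmac.new(key, blob, hashlib.sha256).digest()

def guess_matches(password: str, account_key: str, salt: bytes,
                  blob: bytes, tag: bytes) -> bool:
    """What an offline attacker (or the owner) does to test a candidate pair."""
    candidate = seal_tag(vault_key(password, account_key, salt), blob)
    return hmac.compare_digest(candidate, tag)

def demo():
    # All values below are constructed sample data.
    salt = bytes(range(16))
    account_key = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789ABCDEFGH"  # 40 characters
    master_password = "correct horse battery staple"
    blob = b"opaque encrypted vault bytes (constructed)"
    tag = seal_tag(vault_key(master_password, account_key, salt), blob)

    owner_ok = guess_matches(master_password, account_key, salt, blob, tag)

    # The attacker holds salt, blob and tag, and a dictionary that even contains
    # the right password, but has to guess the account key as well.
    dictionary = ["123456", "BluePotato#8", master_password]
    attacker_hits = [pw for pw in dictionary
                     if guess_matches(pw, "", salt, blob, tag)]
    return owner_ok, attacker_hits

if __name__ == "__main__":
    print(demo())
```
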
Positive? (Score:2)
I don't use 1Password, but I do use Apple's iCloud key chain. I view this as potentially positive for me, since Apple's solution barely works and is not cross platform. A fun example, if you run out of space, macOS deletes your keychain. Even with iCloud enabled, it will never bring it back. Apple just can't do cloud services, so maybe buying something that works is a good idea.
Re: (Score:2)
This is good from a security perspective - better to delete the keychain than risk corruption of it and potentially data leakage of
Re: (Score:2)
Security has three parts, confidentiality, integrity, and availability. The ideal would be that the KeyChain would be treated as a database, and if the disk is full, the file and log would be made read-only and lock out all transactions until it is possible to do them.
At the minimum, Apple could have the database save a copy, then once that's done, move the copy to the original's spot, then zap the original. Not that this is new... AppleWorks did this in the 1980s.
I wish KeyChain were more robust.
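The save-a-copy-then-swap approach described in the comment above, as an added Python sketch (not part of the original comment and not Apple's code): a write that fails part-way, here with a simulated disk-full error, leaves the existing file untouched. The `keychain.db` file name and the helper names are hypothetical.

```python
import errno
import os
import tempfile

def atomic_save(path, chunks):
    """Replace `path` so readers see the old file or the new one, never a partial one."""
    directory = os.path.dirname(os.path.abspath(path))
    # The temp file lives in the same directory so the final rename stays on
    # one filesystem, which is what makes os.replace atomic.
    fd, tmp = tempfile.mkstemp(prefix=".keychain-", suffix=".tmp", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                f.write(chunk)
            f.flush()
            os.fsync(f.fileno())      # data is on disk before the swap
        os.replace(tmp, path)         # atomic swap over the original
    except BaseException:
        # Any failure (disk full, interrupt): drop the partial copy, keep the original.
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    if os.name == "posix":
        # Persist the rename itself by syncing the directory entry.
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)

def failing_chunks():
    """Constructed input: one chunk is written, then the disk 'fills up'."""
    yield b"partial new data"
    raise OSError(errno.ENOSPC, "No space left on device (simulated)")

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "keychain.db")   # hypothetical file name
        atomic_save(path, [b"old secrets"])
        try:
            atomic_save(path, failing_chunks())
            failed = False
        except OSError as exc:
            failed = exc.errno == errno.ENOSPC
        with open(path, "rb") as f:
            survived = f.read()
        leftovers = [n for n in os.listdir(d) if n != "keychain.db"]
        atomic_save(path, [b"new ", b"secrets"])
        with open(path, "rb") as f:
            updated = f.read()
        return failed, survived, leftovers, updated

if __name__ == "__main__":
    print(demo())
```
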
Re: (Score:2)
Security has three parts, confidentiality, integrity, and availability
And an almost fanatical devotion to the Pope.
Re: (Score:2)
I don't use 1Password, but I do use Apple's iCloud key chain.
I've been using Apple's keychain for as long as they've offered it, which is next to forever. But the unanswered question behind this story is: since Apple already has an encrypted, in-the-cloud password solution - why do they need (or want) 1Password?
How I wish for universal 2-part ID (Score:2)
How I wish the whole universe would switch to 2-part ID. I would happily make my phone, or a USB key mandatory for every single sign on attempt.
Re: (Score:2)
How is that any different than what we have today anyway? At least I can control what apps are on my phone.
Re: (Score:2)
Re: (Score:2)
1Password said rumors of its acquisition were... (Score:2)
Companies actually can't legally comment either way on M&A activity, simply because lack of denial signifies something if previously there has been a denial.
Also, PR people are not in the loop on any M&A discussions, so any comment is either actionable if from an officer in the know, or BS if from others.
they are more interested in being 'hip' etc (Score:2)
Bet they are MUCH more interested in an IPO payout, actually.
Keychain much better than 1password as is EOM (Score:1)
Keychain much better than 1password as is EOM
I hope they keep all of the AgileBits employees (Score:2)
I purchased 1Password several years ago and use it on both my Mac and Windows laptops as well as my phone. The level of support AgileBits gives to the product is one of those big companies that feels like a small bunch of friends who helps you out type of thing. I hope if Apple acquires them they don't lose that. 1Password is an excellent product.
The real reason... (Score:2)
Apple to deploy 1 password to 123,000 employees... (Score:5, Funny)
Why not give them each their own password instead?
iCloud already has this functionality... (Score:3)
Why would Apple bother buying 1Password when iCloud already does the same thing and is integrated into all their platforms? Do people making shit up just use MadLibs and go with whatever? Are the clicks really worth that much?
1Password is now high value target (Score:2)