'1Password for Teams' Introduces Secure Password Sharing for Teams at Work

[timeconsumer]

I switched to OPVault via Dropbox sync with 1Password for Android 6.3. They solved this issue.

Thanks! I wasn't aware this has been resolved. This is excellent news.

A steadier revenue stream is never a bad thing but if this only shifted your data to our servers, which means a ton of additional work for our team to create and support as well as ongoing operations costs and concerns, there's very little incentive for us to make such a move. But the server component makes it possible for us to serve more customers (We had friends at some prominent companies that were forced to use a competitor because they had many of these Teams features. Everyone should have the best password manager and we happen to think that's 1Password.) and provide features that we couldn't have done well or at all without it and since it means ongoing costs to make this happen, a subscription makes the most sense because then the people that are using the service are the ones paying for it. If we provided the service for free, subsidized by app license sales, I suspect our selling price would have to be much higher for everyone, which definitely isn't fair. (To my knowledge this was never discussed, but I wanted to throw it out there as one possible alternative.)



Our Android app supports OPVault since 6.3. Sorry if this wasn't clearly communicated before!

--
Jamie Phelps
Code Wrangler @ AgileBits

Awesome! That's great news on the OPVault support, thanks for adding that.

I understand that you had to go this route for businesses/family sharing. I was merely speaking from a single user perspective that I hope you still continue to let us buy the product with an upfront cost (as opposed to a monthly subscription fee) then allow us to choose our syncing method either Dropbox or iCloud as it is currently. I love the product but at this time don't require 1Password to host my files to sync. Sorry if I wasn't clear but yes this move should help you compete in the business/family sharing markets, good luck!

 

[Zimmie]

Service accounts are always tricky. I insist that my developers not hard code that but tokenize them or use some other approach especially because we change the password every 30 days for security reasons. Storing them in a cloud solution like this is a non starter for sure.

The big deal for me is the ability to share passwords for emergency accounts, which have similar considerations to service accounts, but are never used (hopefully). If your SAN bites the dust and your network authentication is all through AD or ACS that lives on the SAN, you're hosed. You need access to the boxes to fix the problem that is preventing you from accessing the boxes.

I have local emergency accounts on all of the devices I manage. The passwords are randomly-generated, and the system screams its head off any time someone uses the emergency account. I need something like this. Most "enterprise" credential databases don't keep a local copy of your data, which defeats the whole purpose of emergency accounts.

 

[ocabj]

We have a company policy against sharing passwords. This makes no sense to me. Shared passwords would fail most basic audits.

Unfortunately, in large enterprise with a sizable IT department, more than one person is going to be able to get the root password or the administrator password for a given server or appliance. You would use a password vault with ACL functionality in order to 1) grant the respective personnel knowledge of that root/admin password, and 2) change that password on a regular basis automatically (whether it's a built in mechanism, or an API call). This way, people who are allowed to know the root pass for a given server can get access to that root password to administer said server, and the password gets rotated regularly so no one knows a root password forever, and whenever some 'learns' the new root password, it's all audited by the password vault system.

Note that I speak in general terms. I don't know if 1Password has auditing of stored credentials accesses.

 

[Zimmie]

Unfortunately, in large enterprise with a sizable IT department, more than one person is going to be able to get the root password or the administrator password for a given server or appliance. You would use a password vault with ACL functionality in order to 1) grant the respective personnel knowledge of that root/admin password, and 2) change that password on a regular basis automatically (whether it's a built in mechanism, or an API call). This way, people who are allowed to know the root pass for a given server can get access to that root password to administer said server, and the password gets rotated regularly so no one knows a root password forever, and whenever some 'learns' the new root password, it's all audited by the password vault system.

Note that I speak in general terms. I don't know if 1Password has auditing of stored credentials accesses.

Part of the problem is that you can only audit it reliably if the database does not live on the client machine. After all, if I have the data locally and I have a personal password that can grant me access to it, I can just disconnect my laptop from the network. Or set up a 32-bit route for the password audit server pointing it to a loopback interface. Or any number of other things. Once I've disabled local auditing, I can pull all the passwords out.

You cannot have both offline access for emergencies (exactly the kind of time you really need the root password for a box) and a reliable audit trail.

An externally-hosted password store and a cell modem for each computer could get you close. Your password store could be made to depend only on this external hosting service. That opens up other possible security flaws, though. Most external hosting is done with VMs now, and a VM can have no security from the hypervisor. Thus, if your password store server has any access to the unencrypted data (even in RAM), your hosting provider could get at it. And guess what you send to a server every time you log in to it: your password in clear text. Which it puts in RAM. Which the hypervisor can read.

 

[radioactive]

I love OP as much as the next guy, but it seems like AgileBits gets 'featured' much more than every other password manager on Macrumors. I have to admit, OP has a slightly above average OS X and iOS client, but Windows is highly outdated, and barely works. I downloaded the new Windows beta version today (yes, I read that it's really targeted at teams), but it has a LONG way to go before it's usable.

You have to wonder how much these guys paid for this 'native advertising' spam to promote their product, it's sad that Macrumors and AgileBits stooped to this level of product promotion. Come the next update, I probably won't buy since I think it's rather sleazy what AgileBits marketing team is doing.

 

[AGKyle]

Note that I speak in general terms. I don't know if 1Password has auditing of stored credentials accesses.

Check out our pricing page here. One of the features of the Pro plan is an audit log It is currently "coming soon." But it's one of the many features that differentiates the Pro plan from the Standard plan. Keep in mind that right now users get the Pro plan for the same price as the Standard plan and will get this feature when it becomes available in the near future.

I love OP as much as the next guy, but it seems like AgileBits gets 'featured' much more than every other password manager on Macrumors. I have to admit, OP has a slightly above average OS X and iOS client, but Windows is highly outdated, and barely works. I downloaded the new Windows beta version today (yes, I read that it's really targeted at teams), but it has a LONG way to go before it's usable.

You have to wonder how much these guys paid for this 'native advertising' spam to promote their product, it's sad that Macrumors and AgileBits stooped to this level of product promotion. Come the next update, I probably won't buy since I think it's rather sleazy what AgileBits marketing team is doing.

We didn't pay for any advertising. In fact, we don't pay for much advertising at all and rely entirely on word of mouth for a major portion of our advertising. Happy users are our advertisers. I think it speaks a lot to the fact that we don't actually ask anyone to advertise for us and they do it for us. We do send some sites press release data from time to time but it's entirely the sites choice whether they post anything at all.

As for our Windows client, we just announced 1Password 6 for Windows beta, you can learn more here.

Hope that sheds some light on things. Feel free to ask any questions if you would like to know more about how things work for us here at AgileBits, we're often pretty open to giving information out if asked. The only thing we don't tend to discuss are future plans since we would rather under promise and over deliver.

 

[jxpx777]

I love OP as much as the next guy, but it seems like AgileBits gets 'featured' much more than every other password manager on Macrumors. I have to admit, OP has a slightly above average OS X and iOS client, but Windows is highly outdated, and barely works. I downloaded the new Windows beta version today (yes, I read that it's really targeted at teams), but it has a LONG way to go before it's usable.

Yes, you're right that the current beta for 1Password 6 for Windows has some catching up to do. Luckily, we have a really great team working on it and fantastic users helping test it and make sure it turns out great.

You have to wonder how much these guys paid for this 'native advertising' spam to promote their product, it's sad that Macrumors and AgileBits stooped to this level of product promotion. Come the next update, I probably won't buy since I think it's rather sleazy what AgileBits marketing team is doing.

I don't know if MacRumors pays for any posts on the site, but I do know that this was not a paid post and no past coverage of 1Password has been. Several of us at AgileBits have met some of the MacRumors folks in the past and would call them friends, but I suspect the answer is a little bit simpler than that. 1Password is a popular product that had a big announcement. Writing about significant updates to popular products drives traffic to the site, which I assume makes most of its money from advertising, which benefits from higher traffic. And AgileBits doesn't have a marketing team, unless you count our world class customer support.

--
Jamie Phelps
Code Wrangler @ AgileBits

 

[Ghost31]

Yes, you're right that the current beta for 1Password 6 for Windows has some catching up to do. Luckily, we have a really great team working on it and fantastic users helping test it and make sure it turns out great.



I don't know if MacRumors pays for any posts on the site, but I do know that this was not a paid post and no past coverage of 1Password has been. Several of us at AgileBits have met some of the MacRumors folks in the past and would call them friends, but I suspect the answer is a little bit simpler than that. 1Password is a popular product that had a big announcement. Writing about significant updates to popular products drives traffic to the site, which I assume makes most of its money from advertising, which benefits from higher traffic. And AgileBits doesn't have a marketing team, unless you count our world class customer support.

--
Jamie Phelps
Code Wrangler @ AgileBits

I mean...that makes sense and everything but what if I want to think negatively about anything regarding mac rumors and 1password? Your statement kinda throws a wrench into it

 

[Shirasaki]

MacRumor sites web program is more useable than Facebook, regarding to the support of touch screen zoom in.
Touch screen zoom in does not enlarge the entire page and everything on it, unlike browser zoom in.

Surely, you have more passwords than windows and Apple ID. In my vault I have hundreds of logins. The way most people deal with the fact that they have many logins and passwords is they reuse the same password over and over again. If one account gets compromised, hackers go to all the common websites and use the username and password to try to access your accounts.

Maybe they break into you Netflix account. They immediately go to all the major banks and try that same combination. If you were lazy like most people, they now have your bank account.

1Password is a awesome solution to make sure that each account has a unique password. You would never be able to remember a large number of strong passwords.

I am not affiliated with 1Password, but do use and love it.

I am not that lazy to use one password over and over, although I do use a ton of "weak" password, which is crack-able easily through social engineering. Even that, I try to let every single site use a different password to minimize the impact of possible chain reaction.
However, some critical passwords are stored in not-so-safe locations like browser auto-password-save database. I am about to change it but I need to think about the overall cost. If one-time fee is enough I would consider jumping the ship. Hope I do not need to "subscribe".

Do you really only have a few passwords to manage? I currently have over 275 total items stored, everything from bank accounts to social security numbers to work logins for various social media, to multiple social media for myself, to all the streaming services, to all the cloud file storage services, to all the websites and client websites I manage. I wish I only had to remember a few. The passwords in my vault run from 30-50 characters of mixed lowercase, uppercase, special characters and numbers. Using some online tools I googled, it would take a good sized distributed botnet about 2 quinquavigintillion years to crack my toughest passwords.

Nope. I already have around 100 passwords need to manage, with about 20 of them frequently used. I have heard about password manager years ago, but didn't pay enough attention until now.
Regarding with password manager, however, the weakest link is the master password. Sure, you only need to remember one password. But that also means if you ever forget master password and cannot recover (which may be unlikely), you lose all access of those websites, services etc. Using traditional way, if you forget password on one site, you can still access other sites. No big deal.
Just like dual edge of sword. Yeah.

 

[furi0usbee]

When news of a sub model broke first for 1Password a while back, I emailed them and said that would be the last day I use 1Password if forced to switch to a subscription. They assured me at the time that I had nothing to worry about as they have no plans on going subscription-only. So I'm not worried about this story. I love the app, but will drop them like a hot potato should they require me to forever pay them.

 

[Frustrate]

When news of a sub model broke first for 1Password a while back, I emailed them and said that would be the last day I use 1Password if forced to switch to a subscription. They assured me at the time that I had nothing to worry about as they have no plans on going subscription-only. So I'm not worried about this story. I love the app, but will drop them like a hot potato should they require me to forever pay them.

They will probably move to a subscription model (they already did) and will dumb fown the standard app, so you are kinda forced to pay.

I also dont like the upvotes on their comments, they are probably only upvoted by their company employees.

 

[BigMcGuire]

Why the hostility? It astounds me. I upvoted their comments because I thought it was cool that a company that I like was interacting with its userbase. I use 1Password and I like it --- though with a lot of posters here, the idea of having yet ANOTHER subscription is a turnoff to me. But good grief, the accusation that they paid macrumors, the accusation that those that +1'ed their comments are employees (I'm not) .... the hostility is astounding.

 

[Robert.Walter]

Nothing personal against AgileBits, but this concept seems to have security risk and compliance fail written all over it.

 

[macduke]

MacRumor sites web program is more useable than Facebook, regarding to the support of touch screen zoom in.
Touch screen zoom in does not enlarge the entire page and everything on it, unlike browser zoom in.

I am not that lazy to use one password over and over, although I do use a ton of "weak" password, which is crack-able easily through social engineering. Even that, I try to let every single site use a different password to minimize the impact of possible chain reaction.
However, some critical passwords are stored in not-so-safe locations like browser auto-password-save database. I am about to change it but I need to think about the overall cost. If one-time fee is enough I would consider jumping the ship. Hope I do not need to "subscribe".

Nope. I already have around 100 passwords need to manage, with about 20 of them frequently used. I have heard about password manager years ago, but didn't pay enough attention until now.
Regarding with password manager, however, the weakest link is the master password. Sure, you only need to remember one password. But that also means if you ever forget master password and cannot recover (which may be unlikely), you lose all access of those websites, services etc. Using traditional way, if you forget password on one site, you can still access other sites. No big deal.
Just like dual edge of sword. Yeah.

You could always store your master password in a safety deposit box or something like a safe bolted to the foundation of your house (I'm probably going to install a small one in my new house). I typically use the correct horse battery staple method for my master so it's not as difficult to remember, but make it a little longer and salt the gaps between words with special characters and numerals. I was really glad when they added TouchID support because it's a little rough to type on mobile. I'd buy a Mac with TouchID just to get around that password lol. Even my Mac password isn't that long!

 

[furi0usbee]

Guys at 1Password. I'll be buying your products and updating when you guys add something new that makes my life easier. Depending on features, I often don't upgrade an app right away, unless there is some additional functionality, or the app just looks nicer. I will never entertain the subscription model, but as long as you guys offer a stand-alone app I can buy, and own, and you keep it working for a reasonable time before I must upgrade to a new version, I'll be a customer for life.

 

[nim81]

I like OnePassword, I have the current one-time paid version, but the monthly subscription is way too expensive for a password manager.

 

[Zimmie]

Agreed, I have 500+ passwords in my 1Password db (some are duplicates).

An Optometrist I went to has to have passwords for every distributor they work with so they can order frames when customer wants specific color/type/brand. They use Chrome with a profile on all the computers so the 30+ passwords they need are available when wanted. 1Password would be perfect for them because Chrome keeps corrupting the profile somehow.

That may actually be a HIPPA violation. By default, Chrome encrypts your profile's password database with a key based on your Google account's password. Guess what. You give that password to Google every time you log in to Gmail, YouTube, or any of their other services. That means they have the ability to get at the credentials you store. It can be set to use a separate password, but that isn't the default.

 

[BigMcGuire]

That may actually be a HIPPA violation. By default, Chrome encrypts your profile's password database with a key based on your Google account's password. Guess what. You give that password to Google every time you log in to Gmail, YouTube, or any of their other services. That means they have the ability to get at the credentials you store. It can be set to use a separate password, but that isn't the default.

Just for ordering frames from what I could see, no patient data is involved in this process.

 

[Zimmie]

Just for ordering frames from what I could see, no patient data is involved in this process.

Good. With all the ridiculous stuff going on in the medical software field lately (http://www.dailydot.com/politics/justin-shafer-fbi-raid/), I'm always suspicious of just what suppliers secure with which credentials.