
And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.


Yes, and what is that one like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations which then get spun into a new standard they all "agree" to before.......


Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.

“It’s a feature not a product”


Given the number of businesses out there doing it I would venture to guess you are wrong.

Also, Bitwarden and other password managers are not just about storing the passwords. For example, on a personal level I use Bitwarden Family to manage my parents' passwords and to assist them with issues on various services. This gives me a way to set up accounts and securely share passwords with them for the services, and vice versa.

For business we use the Enterprise products to share passwords for everything...

None of which is a "solved problem" at the OS or browser level.


Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?


> Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Because not all products businesses use have fine-grained authentication and authorization. For example, their registrar for their domain names. And differing employees need access to it at different times.

> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?

What do you think Bitwarden does? It's fine-grained authorization over shared resources (passwords) that controls who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.


It's also useful for things like secure temporary password delivery. I set up your account for the first time with a new service, generate a temp password you have to reset on first login, and then share it to your Password Manager space.

Also just useful for things like API keys - my team just has all of our team's allocated API keys for various services in our password manager so we don't have to go look them up on all of the various services' sites if we need them.


I understand the temporary password use case. But what do you do when an employee leaves? Do you change all of the API keys?


Aren't we supposed to be rotating our keys when someone leaves no matter what technical solution to this problem we're using?


Well, I was trying to avoid the entire rant about using API Keys for security in the first place.

https://zapier.com/engineering/apikey-oauth-jwt/

https://cloud.google.com/endpoints/docs/openapi/when-why-api...

We all have done it at one point or another. But if I am ever in the middle of a technical presentation and mention “API Keys”, I get all types of dirty looks from security.

Notice that Square for instance strongly discourages API Keys for production.

https://developer.squareup.com/docs/build-basics/access-toke...

On the AWS side (where I work) we always discourage long term use of access key/secret keys for accessing resources even though I realize it’s necessary for some integrations. Even then, most organizations also put a condition that you can only use it from known IP addresses.
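The "only from known IP addresses" condition mentioned above, as an added example that is not from the thread or from AWS documentation: a toy evaluator for the `aws:SourceIp` condition operators only, showing how the same grant looks with and without the source-IP restriction and why the restricted version narrows what a leaked long-lived access key can do. The policies, IP ranges and the `allowed` function are constructed for illustration; real IAM evaluation has many more rules than this.

```python
# Added example (not from the thread or AWS docs): a toy evaluator for the
# aws:SourceIp condition operators only, to show how the "known IP" condition
# narrows what a leaked long-lived access key can do. Real IAM has many more rules.
import ipaddress

# Constructed policies: WEAK grants the action from anywhere; HARDENED is the
# same grant limited to an office/VPN range (203.0.113.0/24 is documentation space).
WEAK_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
HARDENED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}


def _cidr_match(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(cond, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; anything else fails closed."""
    for operator, keys in cond.items():
        values = keys.get("aws:SourceIp")
        if values is None or operator not in ("IpAddress", "NotIpAddress"):
            return False
        values = [values] if isinstance(values, str) else values
        matched = _cidr_match(source_ip, values)
        if (operator == "IpAddress") != matched:
            return False
    return True


def allowed(policy, action, source_ip):
    """Default deny; an explicit Deny wins; otherwise any matching Allow grants."""
    decision = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:          # no wildcard expansion in this toy
            continue
        if not _condition_holds(st.get("Condition", {}), source_ip):
            continue                       # condition not met: statement does not apply
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

With `HARDENED_POLICY`, the same key that works from `203.0.113.7` is refused from an outside address, which is the point of pairing a long-lived key with a source-IP condition.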


Now I’m curious. This comes from my job history: working at mostly small, disorganized companies and then moving to one very large company where I work with other very large enterprises, so I have no experience with mid-size companies.

Say I work for a large company where everything is gated via an SSO - email, Slack, internal apps, ADP for payroll, my brokerage account containing my 401K information (of course I do have a separate non SSO password for this since it is my account), and Bitwarden (I see it does support SAML).

If I leave my very large organization, it’s easy enough for a manager to disable my SSO and be mostly assured that I don’t have access to anything I shouldn’t. Because “security is job 0” (How do you say where you work without saying where you work /s).

Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?


> Now let’s say that BitWarden stores 10 passwords to external services and I had access to those passwords through Bitwarden. Does someone then have to go in and manually change passwords to those 10 services every time someone leaves?

To reframe this: Companies use both SSO and BitWarden, but because a typical company utilizes so many differing services with differing auth coverage (supports SSO? supports roles, permissions, etc.?) BitWarden fills the gap. BitWarden wouldn't be used for your ADP and 401K. It may be used for your company's payment processor under one main username / password. It may be used for your root AWS account username and password. It may be used for your DNS management. Production API keys for Stripe may be stored there in plain text, but encrypted in your secret store of choice. Those are the typical use cases I see. The list of things you keep in BitWarden is small(er), but they're business critical. Whereas before they were held by the CTO of the early stage startup, now they're centralized, secured, have an audit trail, can be easily shared with others, etc. etc.

In the company I used BitWarden with, these passwords were rotated manually when an employee who had access to that password left and the new value updated in BitWarden. Maybe that's easier now?


Lots of things would not have individual passwords, including:

1. Hardware Passwords

2. BreakGlass Accounts (used if SSO Fails)

3. Vendor Passwords

4. Recovery Passwords

5. Local Admin Passwords for Servers

We also use it to store Backup Encryption Keys, VPN Tunnel Keys, SSL Cert Passwords, File Encryption Passwords, License Keys, etc etc etc

We also have our own personal vaults that are individualized, so we can access both our personal passwords and company passwords in one interface that is cross-OS, cross-browser, and has an API for programming interfaces.

None of which is possible with browser-based or OS-based password storage.


Realistically? Many services charge by the seat, so for a service that doesn't get used too often, a lot of places will use a shared account as a cost-cutting measure. Subscriptions add up.


> and not enough people are willing to pay for it to be a profitable business.

1Password is doing just fine..


Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also Dropbox.

1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.


> 1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.

I keep reading this but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on because these re-writes haven't done much but in terms of functionality, I think it's best in class.

What am I missing?


Thank you for using 1Password!

A full rewrite takes a lot of time. We did this twice in the past and it is always painful. We had to do it again this time because the discrepancies between the platforms became ridiculous and we had to fix this. For example, the same search would produce different results on Mac and Windows and Android.

We also took time to address some of the pain points that existed in 1Password 7. For example, it was technically possible to have a different Master Password on your Mac and iPhone, etc.

The local database was rewritten and we made sure that everything that is possible is fully encrypted. For example, all rich icons are now stored encrypted. We also changed the logging system to make sure no personal information is ever logged. At the same time, we had to make sure the data format is backwards compatible with the old version so that both 1Password 8 and 1Password 7 can be used during the transition.

We ran over 100 studies with both existing users and people who never tried 1Password before to make sure the apps are more usable by everyone.

For new users we added a New Item experience that made it easier to navigate through templates and understand how to use 1Password. For developers, we added CLI integration, support for SSH keys, and a built-in SSH agent that secures your SSH private keys.

Brand new Linux app, more than 100 new features and improvements overall, on top of the full rewrite.


Thanks for sharing some extra context.

I'm a fan (been using it for 10yrs I think?) and think the HN sentiment around it is not representative (it's the only app I'd actually recommend to people and that I trust my family can use).

The family vault features are really great and I was glad to see the browser dropped (I didn't really get why it existed).

I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.

Thanks!


Thank you so much!

> I do miss some native features (like the iOS letter column on the right that made it very fast to find something in the list), but generally get that there are tradeoffs to be made.

You are not the only one who missed this feature, and it is coming back soon. It wasn't available in SwiftUI and we had to go back to UIKit to implement it.


I really want to purchase 1Password Family right away, but one thing is holding me back.

Why does 1Password not support Duo Push 2FA for personal accounts? I shouldn't need to pay for a business account to get that.


While I don’t have any opinion about the features, they did have a native app and now the app is Electron based.


https://blog.1password.com/1password-8-the-story-so-far/

Common Rust library code with platform-specific UI code.

Native UI code for Android, macOS and iOS. The app is Electron based on Windows and Linux for the reasons they give in the article.

Article from a year ago, so maybe outdated.


I use Bitwarden and almost never use the app. Most of my interaction comes from the browser plug-in and Bitwarden.com.


From the founder of 1Password: would love to learn where you think it is worse.

1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.

More on features here: https://1password.com/products/features/

A more visual description of what's new is here: https://1password.com/mac/


Not the person you replied to, but I think the only real loss was 1Password Mini. There is the alternate ‘search bar’ mini app which is a decent replacement; I wish that were the one that pops up by default (like it used to with Mini).

You guys make a great product otherwise. It’s the only one where I strongly recommend it over the open source alternative (Bitwarden) even though I have a strong open source bias. There are just a thousand things in UI and UX that you guys do slightly better than the competition, sort of an inverse death by a thousand cuts.


It’s more of a preference for a “real native Mac app” instead of an Electron app. Long time Mac users can feel the difference.


I see it from a different perspective. There are not that many real native Mac apps that both look and feel great. You could probably count them all on your hands.

Also, I certainly understand being a long-time Mac expert. However, when we tested 1Password with new customers we found a ton of usability issues, and many of these problems are solved in 1Password 8. One example: most new users couldn't even figure out how to create new items right away because of the look and the location of the "New Item" button in the old app.


Please stop telling users their preferences are incorrect.


That's because they did a complete rewrite of it, something they talked about on a couple podcasts before they took on funding.
