Slashdot Mirror


Apple To Deploy 1Password To All 123,000 Employees; In Talks To Acquire Password Manager's Parent-Firm AgileBits: Report (bgr.com)

Jonathan S. Geller, reporting for BGR: Apple acquires an average of 15 to 20 companies a year, according to CEO Tim Cook. Of that number, we only hear about a couple, as most of these acquisitions or acqui-hires are not consumer-facing, nor disclosed. However, we have exclusively learned that Apple is planning an interesting partnership and a potential acquisition of AgileBits, maker of the popular password manager 1Password.

According to our source, after many months of planning, Apple plans to deploy 1Password internally to all 123,000 employees. This includes not just employees in Cupertino, but extends all the way to retail, too. Furthermore, the company is said to have carved out a deal that includes family plans, giving up to 5 family members of each employee a free license for 1Password. With more and more emphasis on security in general, and especially at Apple, there are a number of reasons this deal makes sense. We're told that 100 Apple employees will start using 1Password through this initiative starting this week, with the full 123,000+ users expected to be activated within the next one to two months.
Update: In a statement, 1Password said rumors of its acquisition were "completely false."

104 comments

  1. Thank goodness by ChodaBoyUSA · · Score: 0

    I do not use 1Password, so this will not affect me or the security of my data.

    1. Re: Thank goodness by Anonymous Coward · · Score: 0

      Good to know.

    2. Re:Thank goodness by ColdWetDog · · Score: 1

      I do use 1Password and I'm not terribly happy with this. 1P integrates well with OS X (and iOS and Windows). AgileBits is a small, so far reasonably well-behaved firm (not terribly happy with the attempt at subscription pricing but I think that ship sailed a while back).

      I don't use iCloud. I use Dropbox.

      I don't use Pages. I use Word.

      I don't want Apple to swallow up everything, thankyouverymuch.

      --
      Faster! Faster! Faster would be better!
    3. Re:Thank goodness by Anonymous Coward · · Score: 2, Interesting

      I don't use 1Password but might if Apple bought it. As far as I have to trust third parties with my data I trust Apple, but 'Agile Bits'...? They may be extremely competent and morally beyond reproach but I have no way of knowing that.

    4. Re:Thank goodness by Anonymous Coward · · Score: 0

      I am also fairly unhappy about the subscription, but as long as the previous version works I'm happy. When that option disappears then I'll find another option.

      They will eventually be swallowed by Apple, or die a horrible death by having too small an operation to support a massive single customer like Apple. They are a small shop, and +100.000 users who expect proper support is no laughing matter.

    5. Re:Thank goodness by Anonymous Coward · · Score: 1

      I don't use iCloud. I use Dropbox.

      You trust the company that has Condoleezza Rice on its board over the company that has pushed back against the FBI on privacy so much that their conflict has its own wikipedia page? Really?

    6. Re:Thank goodness by Anonymous Coward · · Score: 0

      I'm planning on using 1Password now. This tips the balance in their favor. Apple has their own shit wired tight and does not make choices willy-nilly.

    7. Re: Thank goodness by Anonymous Coward · · Score: 0

      Is your Android phone still vulnerable to the Broadcom hack? Play store still hosting malware that's been downloaded by millions monthly?

      An Androider worried about security of their data, haha that's rich

    8. Re:Thank goodness by ColdWetDog · · Score: 1

      Nope. Don't trust nobody. Dropbox, Apple, Google. Anything remotely interesting is encrypted before it hits Dropbox.

      If Condoleezza really wants my scheduling matrices, draft reports and the other impedimenta of my life, they're welcome to it.

      I just want the same files on all my machines. Without hassles.

      --
      Faster! Faster! Faster would be better!
    9. Re:Thank goodness by jellomizer · · Score: 1

      I do not use 1Password but only One Password "BluePotato#8" so it will not affect me or the "security" of my Data.
      That statement above is of course false.

      The real problem is how bad Passwords are in general.
      We need to trust the people who are asking for the password to the system to have it stored in a way that it isn't accessible by a data breach, Often Secured Hashed with Salt and Pepper but that is with vendors who care about security. Often there are Startups with Programmers who are just out of 2 year school, who are happy that their code can read the database and match a password in plain text. Then get deployed and used without ever fixing the security.
      Then we have the fact we need multiple of them to counteract not trusting sources for your password. Making it harder to keep track of and forget, often making your own insecure database on a computer that you may bring to the local coffee shop.
      Then your password needs to be complex enough not to be guessed or brute forced, however you need to remember it.

      If you actually feel safe about the security of your data, you are probably already compromised. Password Managers are not the end-all be-all for security, but what they do is fix some problems with passwords, if 1Password is a reputable and secure solution you are probably better off than without it. However you are still not secure.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    10. Re:Thank goodness by Anonymous Coward · · Score: 0

      Wish I had mod points for you

      Why? What mod would you give that other than, presumably, "I agree". There's nothing insightful or interesting about someone saying "I don't use it".

    11. Re: Thank goodness by phishybongwaters · · Score: 0

      oh look an Apple user with a superiority complex, that's fresh and new, just like Apple products.

    12. Re:Thank goodness by ctilsie242 · · Score: 1

      This. Since there is no vetting or third party certification, all their password data could be sitting on a public S3 bucket, with the password used for authentication and all zeroes used for AES "encryption". At least LastPass documents what they do, and their security is proven.

      What would be ideal is that each endpoint generates and stores their own private key, and is "introduced" to each other via another device. That way, the cloud provider doesn't even have password hashes that can be brute forced... just public keys, so a compromise of the cloud provider means an attacker has to deal with all 256+ bits of AES [1], rather than a password that can be brute forced.

      [1]: The ideal might be a triple cascade cipher similar to what VeraCrypt does, so if AES is broken, Serpent or Threefish would still hold up.

    13. Re:Thank goodness by caution+live+frogs · · Score: 5, Informative

      1Password is actually fine as far as 3rd party concerns go. You can use their internal cloud to store your password archive, or one of many other cloud services, or even keep the archive in local storage and NOT in the cloud. The password archive is a file. You can put it anywhere you put any other file. The trust for this location is entirely up to you. If you trust Apple, put the archive into iCloud and you're solid.

      I've been using the program for several years. I'm quite happy to see Apple using it. They could choose from any password tool on the market. I'm sure they extensively vetted the alternatives before picking 1Password. If it's secure enough for Apple, I feel safe trusting it as well.

    14. Re:Thank goodness by Anonymous Coward · · Score: 0

      Security has no ROI. I have been in a dev role for many years, and the only profit to be made on a lock is by the lock maker.

    15. Re: Thank goodness by Anonymous Coward · · Score: 0

      But you aren't disagreeing with what he said.

      Makes sense, you can't.

    16. Re:Thank goodness by Anonymous Coward · · Score: 0

      I do not use 1Password but only One Password "************" so it will not affect me or the "security" of my Data.

      If only slashdot didn't replace passwords with asterisks! Now we will never know what was there.

    17. Re: Thank goodness by Anonymous Coward · · Score: 0

      Don't forget the new cover sheet on those reports

    18. Re: Thank goodness by Anonymous Coward · · Score: 0

      No it is not, because my phone doesn't have a Broadcom chip. I don't do "apps" beyond the ones I need for work. And I don't have my private pics stolen through iCloud hacks or something....

    19. Re:Thank goodness by Anonymous Coward · · Score: 0

      Is there Pepper in passwords? I thought there was only Salt.
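
On the salt-versus-pepper question in this sub-thread, an added example (not written by any commenter): the salt is a per-user random value stored next to the hash, while the pepper is a secret key the application holds outside the database. The function names, the scrypt parameters and the demo pepper are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo pepper. In a real deployment this secret is kept outside the
# database (secrets manager, HSM, config only the application can read).
DEMO_PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Example scrypt cost parameters (assumed, tune for your hardware).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage in the user table.

    The salt is random per user and stored in the clear; it makes identical
    passwords hash differently and defeats precomputed tables.
    The pepper is mixed in with HMAC and never stored with the hashes, so a
    database-only leak does not give enough material to test guesses.
    """
    if salt is None:
        salt = os.urandom(16)
    # Pepper step: keyed hash of the password with the application secret.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt step: slow, memory-hard hash of the peppered value.
    digest = hashlib.scrypt(peppered, salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, pepper: bytes,
                    salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, pepper, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: the password quoted earlier in the thread.
    salt_a, digest_a = hash_password("BluePotato#8", DEMO_PEPPER)
    salt_b, digest_b = hash_password("BluePotato#8", DEMO_PEPPER)
    print("same password, different rows:", digest_a != digest_b)
    print("correct login:", verify_password("BluePotato#8", DEMO_PEPPER, salt_a, digest_a))
    # With only the database row (salt + digest) and no pepper, even the
    # correct password does not verify.
    print("row without pepper:", verify_password("BluePotato#8", b"", salt_a, digest_a))
```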

    20. Re: Thank goodness by macmurph · · Score: 1

      I think you are making the old 'nothing to hide' pro surveillance argument. A very dangerous position to take.

  2. Massive leak of Apple user accounts incoming. by xack · · Score: 0

    Can't wait to see how many accounts get leaked by this.

    1. Re:Massive leak of Apple user accounts incoming. by Anonymous Coward · · Score: 0

      What are you basing this cynicism on? Apple's track record is quite good with security. A couple of dumbass celebs using weak passwords on their iCloud accounts does not condemn Apple's own security practices IMO.

    2. Re:Massive leak of Apple user accounts incoming. by Anonymous Coward · · Score: 0

      Apple did allow root access without password and even the "fixed" version had the same bug. They are not a security concerned company but in the business of selling shiny stuff to iDiots.

    3. Re:Massive leak of Apple user accounts incoming. by phishybongwaters · · Score: 1

      pfft that went down the memory hole for Apple users just like the whole certificate authority and forged Google certs that Apple decided to keep trusting for several months after it was discovered, the only reason being to fuck with Google services on their devices. I mean, I can boot up any flavor of Linux and I'm not getting into a root shell without a password. I can boot up ANY version of Windows past 3.11, and likely including it, and not be able to get into admin without a password. I have to jump through insane hoops to get root on my phone. But on an Apple device on the right version, I just need to knock on the door twice and I get in. Yup, trust them with all your data and passwords because they certainly have not become the behemoth they set out to destroy. They'll debut another expensive piece of crap that finally provides features their competition has been providing since 2014, then "innovate" a few more dongles on us and the cult members will cheer it on. For fuck's sake Apple can't even follow 802.1x properly.

    4. Re:Massive leak of Apple user accounts incoming. by Anonymous Coward · · Score: 0

      Shhh. We don't bring up facts here. They rile up the Apple-worshipping nutjobs.

    5. Re: Massive leak of Apple user accounts incoming. by Anonymous Coward · · Score: 0

      LOL. Would you like us to list some android vulnerabilities?

      You act like Apple did it on purpose. And you also act like your shit don't stink.

  3. Inb4 r00t by Anonymous Coward · · Score: 0

    How long will it be before Apple lets you login as root with no password? Then you haz all keys to the various kingdoms.

  4. This seems laughable by Anonymous Coward · · Score: 1

    Apple already has a password manager built into their products, what new functionality will 1password provide them? Is this just a patent play?

    1. Re:This seems laughable by Anonymous Coward · · Score: 0

      If you compare Keychain to 1Password and think they are alike you are insane. It is like comparing a knife to a power saw because both can cut wood.

      Keychain is good if you have nothing else. But then you get 1Password and have cross platform control over your digital self.

  5. Why? by Snotnose · · Score: 2, Insightful

    Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.

    Keepass for the win,

    1. Re: Why? by Anonymous Coward · · Score: 1

      How do you do it?

      What if you're not at home and need your passwords, how often and how do you sync your KeePass file between devices, Mobile device?

    2. Re:Why? by Kokuyo · · Score: 4, Informative

      In today's world, ANY method you use for account security will have downsides.

      I have decided that this method gives me a balance between usability and security I can live with.

      But you knew yours was a rhetorical question to make people look stupid, didn't you?

    3. Re:Why? by Tukz · · Score: 2

      The point is not having secure passwords, the point is having different passwords for your services.

      Your password security is only as secure as where you are using them.

      With cloud stored passwords, you can have auto generated arbitrary passwords, each different for each service so in case of a leak, your other services aren't compromised.

      Just make sure the password vault is encrypted client side and it should be reasonably secure for "random online stuff".

      For banking or high secure requirements, then no. Something involving keys would probably be better.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    4. Re:Why? by Kohath · · Score: 5, Insightful

      So they automatically sync to my phone and iPad. Why would anyone manually sync passwords when you can get the same thing to happen automatically?

      A password that is too sensitive for cloud sync is too sensitive for any password manager.

    5. Re: Why? by Snotnose · · Score: 1

      Every time. The question should have been "How often do you change a password",

    6. Re: Why? by Anonymous Coward · · Score: 0

      KeePass has mobile clients, and ways to copy the encrypted keyfile to the clients directly.

    7. Re:Why? by Anonymous Coward · · Score: 0

      I have no idea why one would store their passwords on the Cloud. I use 1Password WLAN Sync and my passwords are not on the cloud.

    8. Re:Why? by theurge14 · · Score: 1

      1Password does both, local and cloud storage. The cloud storage was recently added in the newest version, I've been using the local one for several years.

    9. Re: Why? by Oswald+McWeany · · Score: 1

      How do you do it?

      What if you're not at home and need your passwords, how often and how do you sync your KeePass file between devices, Mobile device?

      I have several methods.

      1) I have a formula I use to create a password based on a web address (I actually have several formulas- I tweak it over time)... and even if someone got hold of one password I doubt they could easily reverse engineer the formula.

      I don't remember my password, I remember my formula.

      2) For IMPORTANT systems such as bank/main e-mail I don't use the formula I use a long complex password that I remember. A unique one for each place. (I only memorise a handful of passwords).

      3) If for some reason I didn't use the formula to create a password, and don't remember the password for somewhere... I do password reset.

      There is no way in hell I'm trusting ALL my passwords to any one entity.

      --
      "That's the way to do it" - Punch
    10. Re:Why? by XXeR · · Score: 3, Insightful

      The point is not having secure passwords, the point is having different passwords for your services.

      Agreed.

      Your password security is only as secure as where you are using them.

      I disagree. If I use Keepass and store my DB locally, then I'd argue that's more secure than anything stored in the cloud. At the very least, it's up to me to ensure it's secure, rather than hoping someone else is doing so for me.

      With cloud stored passwords, you can have auto generated arbitrary passwords, each different for each service so in case of a leak, your other services aren't compromised.

      This doesn't require cloud storage of passwords.

      Just make sure the password vault is encrypted client side and it should be reasonably secure for "random online stuff".

      Or, store it COMPLETELY client side...and encrypt it.

      For banking or high secure requirements, then no. Something involving keys would probably be better.

      So you propose using a cloud storage service for passwords, unless you're banking?

    11. Re: Why? by friedmud · · Score: 2

      This is pretty close to what I did for a long time... but then I got engaged. When you have TONS of shared passwords, and she is particularly bad at remembering any of them, 1Password is the answer.

      The "shared vaults" are awesome. We can both add passwords / logins / credit cards / whatever there... and it shows up on all of our collective devices.

      Has revolutionized the way I do things. Yeah: I have to trust 1Password... but the alternative is just non-functioning.

    12. Re:Why? by Wrath0fb0b · · Score: 1

      Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.

      All the major services use the cloud as an opaque data store for a client-encrypted blob.

      Keepass for the win

      And if you put that KeePass file on DropBox, then it's in ~**The Cloud**~.

      Heck, if you download MiniKeePass for iOS, then it's a cross-platform-cloud-storage-enabled-password-manager.

    13. Re:Why? by Solandri · · Score: 1

      I dunno if 1Password does this, but the better password managers do it right and encrypt your password before storing it locally. If they also have a cloud storage feature, only that encrypted blob is stored on the cloud. Keepass does this - it stores your passwords in a database file which is encrypted, either with a password (passphrase), or a key stored on the device, or both (your choice). You can then copy the database to unencrypted services like Dropbox to share it between devices. The password managers which have a cloud storage feature do the same thing, except they provide their own cloud service instead of having you rely on Dropbox, Google Drive, OneDrive, etc.

    14. Re:Why? by Anubis+IV · · Score: 1

      1Password is not exclusively via the cloud, nor has it ever been. In fact, hosted cloud syncing is only a relatively recent addition to how 1Password can be used. The other ways you can use it are:
      - No syncing: Just use it as a standalone manager on any given device
      - Local WiFi syncing: Connect your devices on a local network and you can manually initiate a sync between them
      - DIY Cloud syncing: Point 1Password to your Dropbox or iCloud Drive directory and it will sync your vault via it automatically

      (I think there may even be an option to only sync over a wired connection between mobile devices and a PC, but I haven't used that feature, so I can't say for sure)

      AgileBits offers a hosted cloud syncing option as part of their subscription plan, but many of us old-timers who are using it still opt to do the one-time payments for the apps and then manage (or not) how we sync things ourselves, rather than going the subscription route with centralized cloud hosting.

      To me, however, the bigger question is: why would a company (Apple) that's in the process of updating their own password manager (Keychain is getting a major overhaul in the already-announced next version of macOS) suddenly abandon the work they've done by adopting a competing app or acquiring it? It makes no sense. They either would have acquired AgileBits before the updates to Keychain, or else they would have (as they seem to be doing) updated Keychain and then kept going that route on their own...no need for 1Password at all.

      Moreover, the fact that AgileBits poured water all over this rumor via Twitter seems to suggest that there's a lot of smoke but no fire here.

    15. Re:Why? by Anonymous Coward · · Score: 0

      1Password originally is an app like KeePass but with fancier graphics and browser integration. More recent versions have a cloud sync feature but this is optional. If Apple took over I would be sad. You can kiss Windows support goodbye. Someone told me 1Password was the best purchase of their life. That's why I got it. I still have KeePass. 1 Password was vastly overrated as far as simplifying my life. Not really any better for me in practice.

    16. Re: Why? by Anonymous Coward · · Score: 0

      I don't get it either. I've been in IT for over 20 years and I have easily memorised all of my passwords (~35). Memorising passwords is not terribly difficult should you come up with a schema.

    17. Re: Why? by Anonymous Coward · · Score: 0

      Remove the competition, whilst acquiring the good engineers.

    18. Re: Why? by pacija · · Score: 0

      Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it. Keepass for the win

      Because someone could have the need to access a frequently changing password database from multiple devices.

      I prefer to host my .kdb files on a Nextcloud instance which runs on HDDs in my basement behind a pf firewall. In a geli-encrypted zfs jail, TLS 1.2 HIGH ciphers only, HSTS, Nextcloud encryption plugin enabled. Nextcloud desktop client for syncing .kdb files to *BSD and Windows clients, F-droid version of the Android port for phones. KeepassXC for manipulating .kdb files.

      I guess if someone hacks that they really really wanted to :)

    19. Re: Why? by cyber-vandal · · Score: 1

      You use Resilio Sync to copy the password file between your various devices when they're on the same network. Works like a charm.

    20. Re: Why? by amxcoder · · Score: 1

      I also use keepass and love that the file is under my control. And I can have multiple databases if I want, all completely separate database files from each other.

      To answer your question, I use an Android port of keepass that is available in the play store, and have all the time syncing of databases using Dropbox on my phone and PC. If I make a change on one side, it gets synced instantly to the other. The databases are encrypted at the device level, so using dropbox to sync doesn't worry me about if Dropbox can unencrypt their files, they would still have to defeat the local file level encryption.

      However, if I wanted to I could move my shared sync method to a shared file on my NAS drive if I wanted and if I thought that might give me better security...but I don't, so I haven't.

    21. Re:Why? by Anonymous Coward · · Score: 0

      Keep what now?

      In any case I'm sure it would be an improvement for most people - after all, anything is better than using "qwerty" or "asdf" as a password for absolutely anything.

    22. Re: Why? by Darinbob · · Score: 1

      I would assume that you just wait until you get home. If you can't get the password when mobile, then just maybe you don't need to get onto that site anyway, thus saving you money and/or privacy. People do need to be more paranoid instead of defaulting to a "me want now!" attitude.

    23. Re:Why? by PhunkySchtuff · · Score: 1

      My passwords are stored in the cloud with 1Password.

      I'm confident in their security that this is as safe as any other alternative. Agile Bits, the creators of 1Password, do not have access to unencrypted passwords. If you were to somehow obtain my password vault, you'd have a heap of AES encrypted passwords. They're not going to do much good to you.

      Unless you have my account key and master password (and the account key is a 40 character alphanumeric code, not a simple password) you're not getting at my passwords.

      The passwords are only decrypted when I access them on my individual devices.
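
The "account key and master password" arrangement described in this comment, as an added example (a simplified sketch of the general two-secret idea, not AgileBits' code): the vault key is derived on the device from both secrets, so a copy of the encrypted vault cannot be attacked by guessing the master password alone. The alphabet, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet for the 40-character alphanumeric account key.
ALPHABET = string.ascii_uppercase + string.digits
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the human-chosen secret


def generate_account_key(length: int = 40) -> str:
    """Random account key, created once on the device and never sent in the clear."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def account_key_entropy_bits(length: int = 40,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing cost of the account key alone, in bits."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, account_key: str, salt: bytes) -> bytes:
    """Combine both secrets into one 256-bit vault key.

    The master password is low-entropy, so it gets a slow salted stretch.
    The account key is already high-entropy, so one keyed hash is enough.
    XOR-ing the two means neither secret alone determines the result.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    mixed = hmac.new(salt, b"account-key|" + account_key.encode("ascii"),
                     hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, mixed))


def same_key(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two derived keys."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # stored with the vault, not secret
    account_key = generate_account_key()    # constructed sample value
    key_laptop = derive_vault_key("constructed master password", account_key, salt)
    key_phone = derive_vault_key("constructed master password", account_key, salt)
    # Someone holding the vault and the right password, but not the account key:
    key_guess = derive_vault_key("constructed master password",
                                 generate_account_key(), salt)
    print("devices agree:", same_key(key_laptop, key_phone))
    print("password alone is enough:", same_key(key_laptop, key_guess))
    print("account key entropy: %.1f bits" % account_key_entropy_bits())
```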

    24. Re:Why? by Darinbob · · Score: 1

      Because my default stance is to distrust the cloud. It's amorphous, badly defined, and not proven to be secure. I've seen too many cases where companies screw up badly because security cuts into profits (they think, until they're bankrupt).

      Even if secure, what happens when they go away, like most flash-in-the-pan online startups there's no guarantee that the service will stay around or notify you effectively before the plug is pulled. Even if you use the cloud, keep a backup.

    25. Re:Why? by Kohath · · Score: 1

      The backup is the "I forgot my password" button.

    26. Re: Why? by Wild_dog! · · Score: 1

      I have way more than 400 unique passwords. I am not smart enough to memorize them all. Plus my cognitive abilities are declining now so I am becoming less able to remember even passwords I do have memorized. One good whack on the head might lock me out of much of my digital life. I would rather rely on a secure password app.

  6. Positive? by nwf · · Score: 1

    I don't use 1Password, but I do use Apple's iCloud key chain. I view this as potentially positive for me, since Apple's solution barely works and is not cross platform. A fun example, if you run out of space, macOS deletes your keychain. Even with iCloud enabled, it will never bring it back. Apple just can't do cloud services, so maybe buying something that works is a good idea.

    --
    I don't know, but it works for me.
    1. Re:Positive? by tlhIngan · · Score: 1

      I don't use 1Password, but I do use Apple's iCloud key chain. I view this as potentially positive for me, since Apple's solution barely works and is not cross platform. A fun example, if you run out of space, macOS deletes your keychain. Even with iCloud enabled, it will never bring it back. Apple just can't do cloud services, so maybe buying something that works is a good idea.

      This is good from a security perspective - better to delete the keychain than risk corruption of it and potentially data leakage of its contents by libraries that access it who may encounter the corruption and do something unpredictable.

    2. Re:Positive? by 93+Escort+Wagon · · Score: 1

      I don't use 1Password, but I do use Apple's iCloud key chain.

      I've been using Apple's keychain for as long as they've offered it, which is next to forever. But the unanswered question behind this story is: since Apple already has an encrypted, in-the-cloud password solution - why do they need (or want) 1Password?

      --
      #DeleteChrome
    3. Re:Positive? by ctilsie242 · · Score: 1

      Security has three parts, confidentiality, integrity, and availability. The ideal would be that the KeyChain would be treated as a database, and if the disk is full, the file and log would be made read-only and lock out all transactions until it is possible to do them.

      At the minimum, Apple could have the database save a copy, then once that's done, move the copy to the original's spot, then zap the original. Not that this is new... AppleWorks did this in the 1980s.

      I wish KeyChain were more robust.
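
The save-a-copy-then-move approach from this comment, as an added example (not code from Apple or any commenter): the new contents go to a temporary file in the same directory and are only renamed over the original once fully written, so a full disk leaves the old file intact. The file names and the injected disk-full failure are constructed for the demonstration.

```python
import errno
import os
import tempfile


def _plain_write(fh, data: bytes) -> None:
    fh.write(data)


def disk_full_write(fh, data: bytes) -> None:
    """Constructed failure: write half the data, then fail like a full disk."""
    fh.write(data[: len(data) // 2])
    raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC))


def atomic_save(path: str, data: bytes, write=_plain_write) -> None:
    """Replace `path` with `data` without ever exposing a partial file.

    `write` is injectable only so the failure case can be exercised.
    """
    directory = os.path.dirname(os.path.abspath(path))
    # Same directory as the target, so the final rename stays on one filesystem.
    # mkstemp creates the file with owner-only permissions.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-", suffix=".save")
    try:
        with os.fdopen(fd, "wb") as tmp:
            write(tmp, data)
            tmp.flush()
            os.fsync(tmp.fileno())       # data is on disk before the swap
        os.replace(tmp_path, path)       # atomic: readers see old or new, never half
    except BaseException:
        # Any failure: discard the partial copy, leave the original untouched.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    if os.name == "posix":
        # Persist the rename itself by syncing the directory entry.
        dir_fd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)


def demo():
    """Return (failed_with_enospc, content_after_failure, content_after_success, leftovers)."""
    with tempfile.TemporaryDirectory() as workdir:
        vault = os.path.join(workdir, "vault.db")
        atomic_save(vault, b"v1: constructed sample vault")
        try:
            atomic_save(vault, b"v2: constructed larger update", write=disk_full_write)
            failed = False
        except OSError as exc:
            failed = exc.errno == errno.ENOSPC
        with open(vault, "rb") as fh:
            after_failure = fh.read()
        atomic_save(vault, b"v2: constructed larger update")
        with open(vault, "rb") as fh:
            after_success = fh.read()
        leftovers = [name for name in os.listdir(workdir) if name != "vault.db"]
    return failed, after_failure, after_success, leftovers


if __name__ == "__main__":
    print(demo())
```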

    4. Re:Positive? by Anonymous Coward · · Score: 0

      Sure, deleting is a better option than opening read-only.

    5. Re:Positive? by tehcyder · · Score: 1

      Security has three parts, confidentiality, integrity, and availability

      And an almost fanatical devotion to the Pope.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  7. Probably not what it sounds like by goombah99 · · Score: 2

    Password management is something apple computers already do and sync. Letting a third party like apple be the conduit for your password syncs isn't particularly unnerving. It's no more unnerving than letting 1-password do it.

    Unless of course, apple is your employer and insists you use an iphone or a mac computer. In that case you want a different third party.

    So it makes sense for apple employees not to be forced to eat their company dogfood in this case. But it probably doesn't mean apple is going away from its own password management. That works just fine and it's interoperable with other browsers like chrome.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Probably not what it sounds like by ColdWetDog · · Score: 1

      Actually, one of 1P's strengths is cross platform. Although I don't think it has Linux support it works with iOS, Android and Windows as well.

      --
      Faster! Faster! Faster would be better!
    2. Re:Probably not what it sounds like by Anonymous Coward · · Score: 0

      The password management is only one of the features 1P provides, the flexible password generation and continuous monitoring of your accounts is a major plus. And they don't store your information on their servers, so it's more secure than the alternatives.

    3. Re:Probably not what it sounds like by goombah99 · · Score: 1

      1. apple doesn't store your passwords on their servers
      2. apple has very flexible password generation
      3. it works system wide not just as an application with limited privileges.
      4. you are not relying on a third party to keep its OS incompatibilities patched as things break.

      I have no idea what continuous monitoring of accounts means.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    4. Re: Probably not what it sounds like by macmurph · · Score: 1

      It means that 1Password tells you which accounts are compromised.

      It also tells you password age.

      Apple doesn't manage passwords in chrome or Firefox either.

    5. Re: Probably not what it sounds like by macmurph · · Score: 1

      You make an excellent point. This doesn't mean Apple is abandoning their password system, they just recognized that employees should be given a method that is free of potential company backdoors.

  8. Or on a computer by Okian+Warrior · · Score: 3, Informative

    Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.

    Keepass for the win,

    Just as relevant, why would anyone store their passwords on their computer? (Which could be compromised, malware could follow you unlocking your password vault and replay that action later.)

    What we need is dedicated hardware, a password vault that we could take with us in the form factor of a small USB dongle, where the processing is done in the dongle and not on the computer. Inexpensive, with a way to make secure backups and reload our passwords to a newly purchased dongle when lost or stolen. The device needs a PIN that's entered on the device, and not on the computer.

    (Or in the form of a credit card, a NFC or BLE device that you can just place near your computer. The form factor of a credit-card calculator would work - small solar panel for power, keypad for entering the PIN, and LCD display for feedback.)

    Mooltipass comes close, it's got the right functionality but it's big and is an "add-on" to most software.

    1. Re:Or on a computer by ColdWetDog · · Score: 1

      While that is certainly a reasonable option, I, for one, would lose the damn USB key in a minute. No, keeping the files on the computer is a security risk but, as we have said 10E23 times, security is a tradeoff.

      I like the idea that I can have my passwords on my MacBook Pro and my iPhone and my Windows boxes. I think I have something like 700 passwords, most of which are auto generated and so I have no earthly clue as to what they are.

      I am not worried that a three letter agency is going to swoop up and look at my emails. They already do that as part of work. I don't want Random Asshole getting to my bank account or my mistress's phone number (well, it helps to have a good fantasy life....).

      --
      Faster! Faster! Faster would be better!

    2. Re:Or on a computer by Ogive17 · · Score: 4, Funny

      Does a list of passwords on a post-it note affixed to my monitor count as storing it "on" the computer? Maybe I should move it somewhere a bit more discreet.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."

    3. Re:Or on a computer by Average · · Score: 4, Informative

      My team's preferred password management is basically doing that right now.

      We use the standard 'zx2c4' pass program (passwordstore.org). Which is a readable set of BASH wrapper scripts around GPG and Git.

      Our GPG private keys are on Yubikeys. Where the crypto processing does happen on the smartcard/dongle as you suggest. There's a step there where it's in memory, but that's inevitable (even with mooltipass emulating a keyboard).

      This even works over NFC on Android (Password Store and OpenKeychain).

      iow, it's baked... we've been doing this for like three years now.

    4. Re:Or on a computer by HockeyPuck · · Score: 2

      What we need is dedicated hardware,

      Greybeard here. Obviously you didn't live through the days of hooking up dongles to Banyan Vines servers...

    5. Re:Or on a computer by Anonymous Coward · · Score: 0

      We had a new guy go and replace all the keyboards, as the old ones got quite gross and were ordered to be cleaned by CEO edict. Well, it never occurred to him to check underneath the old ones. Next day, the help desk had numerous calls (including the CEO) about their passwords. They ran the gamut from not remembering, to "someone changed it," and many I don't remember. Only one person admitted to putting passwords underneath on a Post-It. We had higher than usual calls about passwords for various things for the next two weeks.

      And yes, once the IT people figured it out, all of the passwords and accounts on the keyboards (and under the mouse pads after a late night reconnoiter) were locked.

    6. Re:Or on a computer by Darinbob · · Score: 1

      I put my passwords in a file on a USB thumb drive, and I keep it at home on my desk. It is not kept on a computer, it only shows up there briefly for less than a minute.

      I have an encrypted subset of less important ones at work.

    7. Re:Or on a computer by Scoldog · · Score: 1

      I've got a post it note on my monitor that says "Domain Password: Swordfish". No-one has got the joke yet. https://imgur.com/MYpqHLR Maybe I should change it to "Domain Password: hunter2" so people will get it.

      --
      This space for rent

    8. Re:Or on a computer by Anonymous Coward · · Score: 0

      Does a list of passwords on a post-it note affixed to my monitor count as storing it "on" the computer? Maybe I should move it somewhere a bit more discreet.

      I keep my password list affixed to the underside of the lid of my document scanner. No one would ever think to look there.

    9. Re:Or on a computer by Anonymous Coward · · Score: 0

      "Domain Password: *******"

      What a strange post-it note.

  9. How I wish for universal 2-part ID by DalM · · Score: 1

    How I wish the whole universe would switch to 2-part ID. I would happily make my phone, or a USB key mandatory for every single sign on attempt.

    1. Re:How I wish for universal 2-part ID by Anonymous Coward · · Score: 0

      I would not. I never want my phone participating in anything that needs to be secure. Every maker of every app, as well as the maker of the OS, is spying on every packet.

    2. Re:How I wish for universal 2-part ID by DalM · · Score: 1

      How is that any different than what we have today anyway? At least I can control what apps are on my phone.

    3. Re:How I wish for universal 2-part ID by Anonymous Coward · · Score: 0

      Agreed. It's outrageous to destroy the security of people who can use strong passwords for the sake of people who can't.

    4. Re:How I wish for universal 2-part ID by Anonymous Coward · · Score: 0

      And with 1Password you can have that. All 2FA-logins I have (except for some shitty ones that only use text messages) are handled by 1Password. The upside is that if I lose my phone, I still have access on my iPad and it synchs between them. These two devices are either locked up or under my constant supervision at all times.

      As more sites add 2FA I will add them too and want my password manager to handle the codes.

      I have 400+ identities on different sites, some dating more than two decades back. Another vault was used for my 100+ logins for my former work. When I quit, I gave them the vault.

      A password manager is just that, something to manage your passwords (including the codes for 2FA).

    5. Re:How I wish for universal 2-part ID by Anonymous Coward · · Score: 0

      I don't use my phone for anything that needs to be secure. That stuff happens on my desktop.
      Anybody that requires me to use a cellphone to receive "second factor" messages compromises that.

  10. ENTICING HEADLINE! by TimMD909 · · Score: 1

    CRAZY HEADLINE! [unnecessary words omitted] Update: it's all bullshit so disregard everything.

    My question then becomes, why the hell even have the story on the front page if it's immediately going to be repudiated? This seems like a perfect example of "Fake News".

    1. Re:ENTICING HEADLINE! by Anonymous Coward · · Score: 0

      The worst thing about the headline is yet another misuse of the damn colon! Msmash has no excuse left; this has been pointed out too many times.
      You say who said it, then you put the colon, then you put what they said. It is never okay to have them backwards like this!

    2. Re:ENTICING HEADLINE! by TimMD909 · · Score: 1

      The worst thing about the headline is yet another misuse of the damn colon! Msmash has no excuse left; this has been pointed out too many times. You say who said it, then you put the colon, then you put what they said. It is never okay to have them backwards like this!

      The scarier thing: if this is Ms. Mash trying hard to Rite Guud, imagine what its text messages and emails look like...

  11. 1Password does deals like this all the time... by Anonymous Coward · · Score: 0

    The last couple of companies I've worked for had the same deal. It's only news because it's such a big deal and people want to start rumors. Go back under your caves, trolls. 1Password already stated the rumors are false.

  12. 1Password said rumors of its acquisition were... by bagofbeans · · Score: 1

    Companies actually can't legally comment either way on M&A activity, simply because lack of denial signifies something if previously there has been a denial.

    Also, PR people are not in the loop on any M&A discussions, so any comment is either actionable if from an officer in the know, or BS if from others.

  13. Keychain much better than 1password as is EOM by Anonymous Coward · · Score: 1

    Keychain much better than 1password as is EOM

  14. about time by Anonymous Coward · · Score: 0

    sounds like they finally admit that keychain is a shit piece of software

  15. I hope they keep all of the AgileBits employees by theurge14 · · Score: 1

    I purchased 1Password several years ago and use it on both my Mac and Windows laptops as well as my phone. The level of support AgileBits gives to the product is one of those big companies that feels like a small bunch of friends who helps you out type of thing. I hope if Apple acquires them they don't lose that. 1Password is an excellent product.

  16. The real reason... by ddtmm · · Score: 1

    It was probably cheaper to buy the company than buy 123,000 family plan accounts.

  17. Apple to deploy 1 password to 123,000 employees... by Oswald+McWeany · · Score: 4, Funny

    Why not give them each their own password instead?

    --
    "That's the way to do it" - Punch

  18. iCloud already has this functionality... by Graymalkin · · Score: 2

    Why would Apple bother buying 1Password when iCloud already does the same thing and is integrated into all their platforms? Do people making shit up just use MadLibs and go with whatever? Are the clicks really worth that much?

    --
    I'm a loner Dottie, a Rebel.

  19. Not trustworthy by Anonymous Coward · · Score: 0

    They claimed in 2014 to not be affected by Heartbleed, but in another blog they were affected and had to change their certs.

    So an attacker could have used Heartbleed to steal their cert and deliver backdoored software to users.
    https://blog.agilebits.com/2014/04/08/imagine-no-ssl-encryption-its-scary-if-you-try/

    Marketing got ahead of their actual technical details. Misinformation doesn't help security.

    "A new certificate for agilebits.com was put in place on April 10 and Dropbox.com put a new certificate in place on April 11.
    Now that Dropbox is using a new certificate, we’ve removed the earlier advisory for users of the 1PasswordAnywhere feature.
    We’ve added some links to password changing instructions for 1Password 4 for Mac."

  20. Re:1Password said rumors of its acquisition were.. by Anonymous Coward · · Score: 0

    Companies actually can't legally comment either way on M&A activity, simply because lack of denial signifies something if previously there has been a denial.

    Also, PR people are not in the loop on any M&A discussions, so any comment is either actionable if from an officer in the know, or BS if from others.

    A company composed of 96 people with titles such as 'Bacon Architect', 'Forum Sherpa', 'Ambassador of Swank', 'Kindness Sparkler', and 'Honkologist'? You have extremely high expectations of what staff might say regarding 'M&A' - regardless of the quality of their software, they are more interested in being 'hip' and 'trendy' and 'fun'.

    I'd bet real money that HQ has a ball crawl, a giant slide, and finger painting stations in the safe space room. I can't take that seriously.

    https://1password.com/company/

  21. 1Password is now high value target by manu0601 · · Score: 1

    Find a flaw in 1Password, and compromise Apple. They just made it a high value target.

  22. horrible idea! by Anonymous Coward · · Score: 0

    123,000 people with the same password is probably as insecure as no password at all

  23. TFA title by Anonymous Coward · · Score: 0

    TFA title should've read "Apple To Deploy 1Password To All Pigeonholed Employees; In Talks To Acquire Password Leaker's Parent-Firm FragileBits: Report"

    1. Re:TFA title by Anonymous Coward · · Score: 0

      What the fuck is ":Report" supposed to mean anyway?

  24. they are more interested in being 'hip' etc by bagofbeans · · Score: 1

    Bet they are MUCH more interested in an IPO payout, actually.