Slashdot Mirror


Apple To Deploy 1Password To All 123,000 Employees; In Talks To Acquire Password Manager's Parent-Firm AgileBits: Report (bgr.com)

Jonathan S. Geller, reporting for BGR: Apple acquires an average of 15 to 20 companies a year, according to CEO Tim Cook. Of that number, we only hear about a couple, as most of these acquisitions or acqui-hires are not consumer-facing, nor disclosed. However, we have exclusively learned that Apple is planning an interesting partnership and a potential acquisition of AgileBits, maker of the popular password manager 1Password.

According to our source, after many months of planning, Apple plans to deploy 1Password internally to all 123,000 employees. This includes not just employees in Cupertino, but extends all the way to retail, too. Furthermore, the company is said to have carved out a deal that includes family plans, giving up to 5 family members of each employee a free license for 1Password. With more and more emphasis on security in general, and especially at Apple, there are a number of reasons this deal makes sense. We're told that 100 Apple employees will start using 1Password through this initiative starting this week, with the full 123,000+ users expected to be activated within the next one to two months.
Update: In a statement, 1Password said rumors of its acquisition were "completely false."

59 of 104 comments

  1. This seems laughable by Anonymous Coward · · Score: 1

    Apple already has a password manager built into their products, what new functionality will 1password provide them? Is this just a patent play?

  2. Why? by Snotnose · · Score: 2, Insightful

    Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.

    Keepass for the win,

    1. Re: Why? by Anonymous Coward · · Score: 1

      How do you do it?

      What if you're not at home and need your passwords, how often and how do you sync your KeePass file between devices, Mobile device?

    2. Re:Why? by Kokuyo · · Score: 4, Informative

      In today's world, ANY method you use for account security will have downsides.

      I have decided that this method gives me a balance between usability and security I can live with.

      But you knew yours was a rhetorical question to make people look stupid, didn't you?

    3. Re:Why? by Tukz · · Score: 2

      The point is not having secure passwords, the point is having different passwords for your services.

      Your password security is only as secure as where you are using them.

      With cloud stored passwords, you can have auto generated arbitrary passwords, each different for each service so in case of a leak, your other services aren't compromised.

      Just make sure the password vault is encrypted client side and it should be reasonably secure for "random online stuff".

      For banking or high-security requirements, then no. Something involving keys would probably be better.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    4. Re:Why? by Kohath · · Score: 5, Insightful

      So they automatically sync to my phone and iPad. Why would anyone manually sync passwords when you can get the same thing to happen automatically?

      A password that is too sensitive for cloud sync is too sensitive for any password manager.

    5. Re: Why? by Snotnose · · Score: 1

      Every time. The question should have been "How often do you change a password",

    6. Re:Why? by theurge14 · · Score: 1

      1Password does both, local and cloud storage. The cloud storage was recently added in the newest version, I've been using the local one for several years.

    7. Re: Why? by Oswald+McWeany · · Score: 1

      How do you do it?

      What if you're not at home and need your passwords, how often and how do you sync your KeePass file between devices, Mobile device?

      I have several methods.

      1) I have a formula I use to create a password based on a web address (I actually have several formulas- I tweak it over time)... and even if someone got hold of one password I doubt they could easily reverse engineer the formula.

      I don't remember my password, I remember my formula.

      2) For IMPORTANT systems such as bank/main e-mail I don't use the formula I use a long complex password that I remember. A unique one for each place. (I only memorise a handful of passwords).

      3) If for some reason I didn't use the formula to create a password, and don't remember the password for somewhere... I do password reset.

      There is no way in hell I'm trusting ALL my passwords to any one entity.

      --
      "That's the way to do it" - Punch
    8. Re:Why? by XXeR · · Score: 3, Insightful

      The point is not having secure passwords, the point is having different passwords for your services.

      Agreed.

      Your password security is only as secure as where you are using them.

      I disagree. If I use Keepass and store my DB locally, then I'd argue that's more secure than anything stored in the cloud. At the very least, it's up to me to ensure it's secure, rather than hoping someone else is doing so for me.

      With cloud stored passwords, you can have auto generated arbitrary passwords, each different for each service so in case of a leak, your other services aren't compromised.

      This doesn't require cloud storage of passwords.

      Just make sure the password vault is encrypted client side and it should be reasonably secure for "random online stuff".

      Or, store it COMPLETELY client side...and encrypt it.

      For banking or high-security requirements, then no. Something involving keys would probably be better.

      So you propose using a cloud storage service for passwords, unless you're banking?

    9. Re: Why? by friedmud · · Score: 2

      This is pretty close to what I did for a long time... but then I got engaged. When you have TONS of shared passwords, and she is particularly bad at remembering any of them, 1Password is the answer.

      The "shared vaults" are awesome. We can both add passwords / logins / credit cards / whatever there... and it shows up on all of our collective devices.

      Has revolutionized the way I do things. Yeah: I have to trust 1Password... but the alternative is just non-functioning.

    10. Re:Why? by Wrath0fb0b · · Score: 1

      Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.

      All the major services use the cloud as an opaque data store for a client-encrypted blob.

      Keepass for the win

      And if you put that KeePass file on DropBox, then it's in ~**The Cloud**~.

      Heck, if you download MiniKeePass for iOS, then it's a cross-platform-cloud-storage-enabled-password-manager.

    11. Re:Why? by Solandri · · Score: 1

      I dunno if 1Password does this, but the better password managers do it right and encrypt your password before storing it locally. If they also have a cloud storage feature, only that encrypted blob is stored on the cloud. Keepass does this - it stores your passwords in a database file which is encrypted, either with a password (passphrase), or a key stored on the device, or both (your choice). You can then copy the database to unencrypted services like Dropbox to share it between devices. The password managers which have a cloud storage feature do the same thing, except they provide their own cloud service instead of having you rely on Dropbox, Google Drive, OneDrive, etc.

    12. Re:Why? by Anubis+IV · · Score: 1

      1Password is not exclusively via the cloud, nor has it ever been. In fact, hosted cloud syncing is only a relatively recent addition to how 1Password can be used. The other ways you can use it are:
      - No syncing: Just use it as a standalone manager on any given device
      - Local WiFi syncing: Connect your devices on a local network and you can manually initiate a sync between them
      - DIY Cloud syncing: Point 1Password to your Dropbox or iCloud Drive directory and it will sync your vault via it automatically

      (I think there may even be an option to only sync over a wired connection between mobile devices and a PC, but I haven't used that feature, so I can't say for sure)

      AgileBits offers a hosted cloud syncing option as part of their subscription plan, but many of us old-timers who are using it still opt to do the one-time payments for the apps and then manage (or not) how we sync things ourselves, rather than going the subscription route with centralized cloud hosting.

      To me, however, the bigger question is: why would a company (Apple) that's in the process of updating their own password manager (Keychain is getting a major overhaul in the already-announced next version of macOS) suddenly abandon the work they've done by adopting a competing app or acquiring it? It makes no sense. They either would have acquired AgileBits before the updates to Keychain, or else they would have (as they seem to be doing) updated Keychain and then kept going that route on their own...no need for 1Password at all.

      Moreover, the fact that AgileBits poured water all over this rumor via Twitter seems to suggest that there's a lot of smoke but no fire here.

    13. Re: Why? by cyber-vandal · · Score: 1

      You use Resilio Sync to copy the password file between your various devices when they're on the same network. Works like a charm.

    14. Re: Why? by amxcoder · · Score: 1

      I also use keepass and love that the file is under my control. And I can have multiple databases if I want, all completely separate database files from each other.

      To answer your question, I use an Android port of keepass that is available in the play store, and have all the time syncing of databases using Dropbox on my phone and PC. If I make a change on one side, it gets synced instantly to the other. The databases are encrypted at the device level, so using dropbox to sync doesn't worry me about if Dropbox can unencrypt their files, they would still have to defeat the local file level encryption.

      However, if I wanted to I could move my shared sync method to a shared file on my NAS drive if I wanted and if I thought that might give me better security...but I don't, so I haven't.

    15. Re: Why? by Darinbob · · Score: 1

      I would assume that you just wait until you get home. If you can't get the password when mobile, then just maybe you don't need to get onto that site anyway, thus saving you money and/or privacy. People do need to be more paranoid instead of defaulting to a "me want now!" attitude.

    16. Re:Why? by PhunkySchtuff · · Score: 1

      My passwords are stored in the cloud with 1Password.

      I'm confident in their security that this is as safe as any other alternative. Agile Bits, the creators of 1Password, do not have access to unencrypted passwords. If you were to somehow obtain my password vault, you'd have a heap of AES encrypted passwords. They're not going to do much good to you.

      Unless you have my account key and master password (and the account key is a 40 character alphanumeric code, not a simple password) you're not getting at my passwords.

      The passwords are only decrypted when I access them on my individual devices.
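Added example, not part of the thread and not 1Password's or KeePass's own code: a sketch of the model comments 11 and 16 describe, where the vault key is derived on the client from a master password plus a second high-entropy secret (key file or account key), so the blob a sync service holds cannot be opened by guessing the password alone. All names, the iteration count and the sample values are assumptions, and the HMAC counter-mode cipher is a stand-in for AES because the Python standard library ships no AES.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch

# Constructed sample values, not real credentials.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # stored next to the blob
ACCOUNT_KEY = b"EXAMPLEONLY" + b"0" * 29                   # 40-character second secret
MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(master_password: str, second_secret: bytes, salt: bytes) -> bytes:
    """Combine a memorised password with a device-held high-entropy secret."""
    # Slow, salted stretch of the human-chosen password.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    # The second secret is already random, so a single keyed hash is enough.
    secret_part = hmac.new(salt, second_secret, hashlib.sha256).digest()
    # XOR of the two parts: the key is unknown unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(pw_part, secret_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) used only to keep the
    # example dependency-free; a real vault would use an AEAD such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def seal_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the client; only this dict ever leaves the device."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault_key: bytes, blob: dict):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


def unlock(blob: dict, salt: bytes, master_password: str, second_secret: bytes):
    """What a client does after downloading the blob from the sync service."""
    return open_vault(derive_vault_key(master_password, second_secret, salt), blob)


def demo() -> dict:
    blob = seal_vault(derive_vault_key(MASTER_PASSWORD, ACCOUNT_KEY, SALT), b"bank: s3cret")
    return {
        "both secrets": unlock(blob, SALT, MASTER_PASSWORD, ACCOUNT_KEY),
        "password only": unlock(blob, SALT, MASTER_PASSWORD, b""),
        "account key only": unlock(blob, SALT, "", ACCOUNT_KEY),
    }


if __name__ == "__main__":
    print(demo())
```
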

    17. Re:Why? by Darinbob · · Score: 1

      Because my default stance is to distrust the cloud. It's amorphous, badly defined, and not proven to be secure. I've seen too many cases where companies screw up badly because security cuts into profits (they think, until they're bankrupt).

      Even if secure, what happens when they go away, like most flash-in-the-pan online startups there's no guarantee that the service will stay around or notify you effectively before the plug is pulled. Even if you use the cloud, keep a backup.

    18. Re:Why? by Kohath · · Score: 1

      The backup is the "I forgot my password" button.

    19. Re: Why? by Wild_dog! · · Score: 1

      I have way more than 400 unique passwords. I am not smart enough to memorize them all. Plus my cognitive abilities are declining now so I am becoming less able to remember even passwords I do have memorized. One good whack on the head might lock me out of much of my digital life. I would rather rely on a secure password app.

  3. Re:Thank goodness by ColdWetDog · · Score: 1

    I do use 1Password and I'm not terribly happy with this. 1P integrates well with OS X (and iOS and Windows). Agile bits is a small, so far reasonably well behaved firm (not terribly happy with the attempt at subscription pricing but I think that ship sailed a while back).

    I don't use iCloud. I use Dropbox.

    I don't use Pages. I use Word.

    I don't want Apple to swallow up everything, thankyouverymuch.

    --
    Faster! Faster! Faster would be better!
  4. Positive? by nwf · · Score: 1

    I don't use 1Password, but I do use Apple's iCloud key chain. I view this as potentially positive for me, since Apple's solution barely works and is not cross platform. A fun example, if you run out of space, macOS deletes your keychain. Even with iCloud enabled, it will never bring it back. Apple just can't do cloud services, so maybe buying something that works is a good idea.

    --
    I don't know, but it works for me.
    1. Re:Positive? by tlhIngan · · Score: 1

      I don't use 1Password, but I do use Apple's iCloud key chain. I view this as potentially positive for me, since Apple's solution barely works and is not cross platform. A fun example, if you run out of space, macOS deletes your keychain. Even with iCloud enabled, it will never bring it back. Apple just can't do cloud services, so maybe buying something that works is a good idea.

      This is good from a security perspective - better to delete the keychain than risk corruption of it and potentially data leakage of its contents by libraries that access it who may encounter the corruption and do something unpredictable.

    2. Re:Positive? by 93+Escort+Wagon · · Score: 1

      I don't use 1Password, but I do use Apple's iCloud key chain.

      I've been using Apple's keychain for as long as they've offered it, which is next to forever. But the unanswered question behind this story is: since Apple already has an encrypted, in-the-cloud password solution - why do they need (or want) 1Password?

      --
      #DeleteChrome
    3. Re:Positive? by ctilsie242 · · Score: 1

      Security has three parts, confidentiality, integrity, and availability. The ideal would be that the KeyChain would be treated as a database, and if the disk is full, the file and log would be made read-only and lock out all transactions until it is possible to do them.

      At the minimum, Apple could have the database save a copy, then once that's done, move the copy to the original's spot, then zap the original. Not that this is new... AppleWorks did this in the 1980s.

      I wish KeyChain were more robust.

    4. Re:Positive? by tehcyder · · Score: 1

      Security has three parts, confidentiality, integrity, and availability

      And an almost fanatical devotion to the Pope.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  5. Probably not what it sounds like by goombah99 · · Score: 2

    Password management is something apple computers already do and sync. Letting a third party like apple be the conduit for your password syncs isn't particularly unnerving. It's no more unnerving than letting 1-password do it.

    Unless of course, apple is your employer and insists you use an iphone or a mac computer. In that case you want a different third party.

    So it makes sense for apple employees not to be forced to eat their company dogfood in this case. But it probably doesn't mean apple is going away from its own password management. That works just fine and it's interoperable with other browsers like chrome.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Probably not what it sounds like by ColdWetDog · · Score: 1

      Actually, one of 1P's strengths is cross platform. Although I don't think it has Linux support it works with iOS, Android and Windows as well.

      --
      Faster! Faster! Faster would be better!
    2. Re:Probably not what it sounds like by goombah99 · · Score: 1

      1. apple doesn't store your passwords on their servers
      2. apple has very flexible password generation
      3. it works system wide not just as an application with limited privileges.
      4. you are not relying on a third party to keep its OS incompatibilities patched as things break.

      I have no idea what continuous monitoring of accounts means.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re: Probably not what it sounds like by macmurph · · Score: 1

      It means that 1Password tells you which accounts are compromised.

      It also tells you password age.

      Apple doesn't manage passwords in chrome or Firefox either.

    4. Re: Probably not what it sounds like by macmurph · · Score: 1

      You make an excellent point. This doesn't mean Apple is abandoning their password system, they just recognized that employees should be given a method that is free of potential company backdoors.

  6. Re:Thank goodness by Anonymous Coward · · Score: 2, Interesting

    I don't use 1Password but might if Apple bought it. As far as I have to trust third parties with my data I trust Apple, but 'Agile Bits'...? They may be extremely competent and morally beyond reproach but I have no way of knowing that.

  7. Or on a computer by Okian+Warrior · · Score: 3, Informative

    Why would anyone store their passwords in the cloud? Color me stupid, paranoid, whatever, I don't get it.

    Keepass for the win,

    Just as relevant, why would anyone store their passwords on their computer? (Which could be compromised, malware could follow you unlocking your password vault and replay that action later.)

    What we need is dedicated hardware, a password vault that we could take with us in the form factor of a small USB dongle, where the processing is done in the dongle and not on the computer. Inexpensive, with a way to make secure backups and reload our passwords to a newly purchased dongle when lost or stolen. The device needs a PIN that's entered on the device, and not on the computer.

    (Or in the form of a credit card, a NFC or BLE device that you can just place near your computer. The form factor of a credit-card calculator would work - small solar panel for power, keypad for entering the PIN, and LCD display for feedback.)

    Mooltipass comes close, it's got the right functionality but it's big and is an "add-on" to most software.

    1. Re:Or on a computer by ColdWetDog · · Score: 1

      While that is certainly a reasonable option, I, for one, would lose the damn USB key in a minute. No, keeping the files on the computer is a security risk but, as we have said 10E23 times, security is a tradeoff.

      I like the idea that I can have my passwords on my MacBook Pro and my iPhone and my Windows boxes. I think I have something like 700 passwords, most of which are auto generated and so I have no earthly clue as to what they are.

      I am not worried that a three letter agency is going to swoop up and look at my emails. They already do that as part of work. I don't want Random Asshole getting to my bank account or my mistress's phone number (well, it helps to have a good fantasy life....).

      --
      Faster! Faster! Faster would be better!
    2. Re:Or on a computer by Ogive17 · · Score: 4, Funny

      Does a list of passwords on a post-it note affixed to my monitor count as storing it "on" the computer? Maybe I should move it somewhere a bit more discreet.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    3. Re:Or on a computer by Average · · Score: 4, Informative

      My team's preferred password management is basically doing that right now.

      We use the standard 'zx2c4' pass program (passwordstore.org). Which is a readable set of BASH wrapper scripts around GPG and Git.

      Our GPG private keys are on Yubikeys. Where the crypto processing does happen on the smartcard/dongle as you suggest. There's a step there where it's in memory, but that's inevitable (even with mooltipass emulating a keyboard).

      This even works over NFC on Android (Password Store and OpenKeychain).

      iow, it's baked... we've been doing this for like three years now.

    4. Re:Or on a computer by HockeyPuck · · Score: 2

      What we need is dedicated hardware,

      Greybeard here. Obviously you didn't live through the days of hooking up dongles to Banyan Vines servers...

    5. Re:Or on a computer by Darinbob · · Score: 1

      I put my passwords in a file on a USB thumb drive, and I keep it at home on my desk. It is not kept on a computer, it only shows up there briefly for less than a minute.

      I have an encrypted subset of less important ones at work.

    6. Re:Or on a computer by Scoldog · · Score: 1

      I've got a post it note on my monitor that says "Domain Password: Swordfish". No-one has got the joke yet. https://imgur.com/MYpqHLR Maybe I should change it to "Domain Password: hunter2" so people will get it.

      --
      This space for rent
  8. How I wish for universal 2-part ID by DalM · · Score: 1

    How I wish the whole universe would switch to 2-part ID. I would happily make my phone, or a USB key mandatory for every single sign on attempt.

    1. Re:How I wish for universal 2-part ID by DalM · · Score: 1

      How is that any different than what we have today anyway? At least I can control what apps are on my phone.

  9. Re:Thank goodness by Anonymous Coward · · Score: 1

    I don't use iCloud. I use Dropbox.

    You trust the company that has Condoleezza Rice on its board over the company that has pushed back against the FBI on privacy so much that their conflict has its own wikipedia page? Really?

  10. ENTICING HEADLINE! by TimMD909 · · Score: 1

    CRAZY HEADLINE! [unnecessary words omitted] Update: it's all bullshit so disregard everything.

    My question then becomes, why the hell even have the story on the front page if it's immediately going to be repudiated? This seems like a perfect example of "Fake News".

    1. Re:ENTICING HEADLINE! by TimMD909 · · Score: 1

      The worst thing about the headline is yet another misuse of the damn colon! Msmash has no excuse left; this has been pointed out too many times. You say who said it, then you put the colon, then you put what they said. It is never okay to have them backwards like this!

      The scarier thing: if this is Ms. Mash trying hard to Rite Guud, imagine what its text messages and emails look like...

  11. Re:Thank goodness by ColdWetDog · · Score: 1

    Nope. Don't trust nobody. Dropbox, Apple, Google. Anything remotely interesting is encrypted before it hits Dropbox.

    If Condoleezza really wants my scheduling matrices, draft reports and the other impedimenta of my life, they're welcome to it.

    I just want the same files on all my machines. Without hassles.

    --
    Faster! Faster! Faster would be better!
  12. Re:Thank goodness by jellomizer · · Score: 1

    I do not use 1Password but only One Password "BluePotato#8" so it will not affect me or the "security" of my Data.
    That statement above is of course false.

    The real problem is how bad Passwords are in general.
    We need to trust the people who are asking for the password to the system to have it stored in a way that it isn't accessible by a data breach, Often Secured Hashed with Salt and Pepper but that is with vendors who care about security. Often there are Startups with Programmers who are just out of 2 year school, who are happy that their code can read the database and match a password in plain text. Then get deployed and used without ever fixing the security.
    Then we have the fact we need multiple of them to counteract not trusting sources for your password. Making it harder to keep track of and forget, often making your own insecure database on a computer that you may bring to the local coffee shop.
    Then your password needs to be complex enough not to be guessed or brute forced, however you need to remember it.

    If you actually feel safe about the security of your data, you are probably already compromised. Password Managers are not the end-all be-all for security, but what they do is fix some problems with passwords, if 1Password is a reputable and secure solution you are probably better off than without it. However you are still not secure.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
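Added example, not part of the thread: the contrast the comment above draws between matching a password in plain text and storing it hashed with a salt and a pepper, shown side by side. The function names, the scrypt parameters and the pepper value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the pepper is kept in a secret store or HSM, never in the database.
PEPPER = b"constructed-pepper-for-this-example"
_DUMMY_SALT = b"\x00" * 16


# --- "before": what the comment warns about ---------------------------------
def register_plaintext(db: dict, user: str, password: str) -> None:
    db[user] = password                      # a database dump reveals every password


def verify_plaintext(db: dict, user: str, password: str) -> bool:
    return db.get(user) == password


# --- "after": per-user salt, server-side pepper, memory-hard hash -----------
def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    # The pepper is applied as an HMAC key, so a stolen database alone does
    # not give an attacker enough to test password guesses offline.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # scrypt with a per-user salt: identical passwords produce different
    # records and each guess costs about 16 MiB of memory.
    return hashlib.scrypt(peppered, salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(db: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db[user] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(db: dict, user: str, password: str, pepper: bytes = PEPPER) -> bool:
    record = db.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which accounts exist.
        hash_password(password, _DUMMY_SALT, pepper)
        return False
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def demo() -> dict:
    plain, hashed = {}, {}
    for user in ("alice", "bob"):            # constructed users sharing one password
        register_plaintext(plain, user, "BluePotato#8")
        register(hashed, user, "BluePotato#8")
    return {
        "plaintext dump shows password": "BluePotato#8" in plain.values(),
        "same password, same record": hashed["alice"]["hash"] == hashed["bob"]["hash"],
        "login works": verify(hashed, "alice", "BluePotato#8"),
        "dump without pepper verifies": verify(hashed, "alice", "BluePotato#8", pepper=b""),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
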
  13. 1Password said rumors of its acquisition were... by bagofbeans · · Score: 1

    Companies actually can't legally comment either way on M&A activity, simply because lack of denial signifies something if previously there has been a denial.

    Also, PR people are not in the loop on any M&A discussions, so any comment is either actionable if from an officer in the know, or BS if from others.

  14. Keychain much better than 1password as is EOM by Anonymous Coward · · Score: 1

    Keychain much better than 1password as is EOM

  15. I hope they keep all of the AgileBits employees by theurge14 · · Score: 1

    I purchased 1Password several years ago and use it on both my Mac and Windows laptops as well as my phone. The level of support AgileBits gives to the product is one of those big companies that feels like a small bunch of friends who helps you out type of thing. I hope if Apple acquires them they don't lose that. 1Password is an excellent product.

  16. The real reason... by ddtmm · · Score: 1

    It was probably cheaper to buy the company than buy 123,000 family plan accounts.

  17. Apple to deploy 1 password to 123,000 employees... by Oswald+McWeany · · Score: 4, Funny

    Why not give them each their own password instead?

    --
    "That's the way to do it" - Punch
  18. iCloud already has this functionality... by Graymalkin · · Score: 2

    Why would Apple bother buying 1Password when iCloud already does the same thing and is integrated into all their platforms? Do people making shit up just use MadLibs and go with whatever? Are the clicks really worth that much?

    --
    I'm a loner Dottie, a Rebel.
  19. Re:Thank goodness by ctilsie242 · · Score: 1

    This. Since there is no vetting or third party certification, all their password data could be sitting on a public S3 bucket, with the password used for authentication and all zeroes used for AES "encryption". At least LastPass documents what they do, and their security is proven.

    What would be ideal is that each endpoint generates and stores their own private key, and is "introduced" to each other via another device. That way, the cloud provider doesn't even have password hashes that can be brute forced... just public keys, so a compromise of the cloud provider means an attacker has to deal with all 256+ bits of AES [1], rather than a password that can be brute forced.

    [1]: The ideal might be a triple cascade cipher similar to what VeraCrypt does, so if AES is broken, Serpent or Threefish would still hold up.

  20. Re:Massive leak of Apple user accounts incoming. by phishybongwaters · · Score: 1

    pfft that went down the memory hole for apple users just like the whole certificate authority and forged google certs that apple decided to keep trusting for several months after it was discovered, the only reason being to fuck with google services on their devices. I mean, I can boot up any flavor of linux and I'm not getting into a root shell without a password. I can boot up ANY version of windows past 3.11, and likely including it, and not be able to get into admin without a password. I have to jump through insane hoops to get root on my phone. But on an apple device on the right version, I just need to knock on the door twice and I get in. Yup, trust them with all your data and passwords because they certainly have not become the behemoth they set out to destroy. They'll debut another expensive piece of crap that finally provides features their competition has been providing since 2014, then "innovate" a few more dongles on us and the cult members will cheer it on. For fucks sake apple can't even follow 802.1x properly.

  21. Re:Thank goodness by caution+live+frogs · · Score: 5, Informative

    1Password is actually fine as far as 3rd party concerns go. You can use their internal cloud to store your password archive, or one of many other cloud services, or even keep the archive in local storage and NOT in the cloud. The password archive is a file. You can put it anywhere you put any other file. The trust for this location is entirely up to you. If you trust Apple, put the archive into iCloud and you're solid.

    I've been using the program for several years. I'm quite happy to see Apple using it. They could choose from any password tool on the market. I'm sure they extensively vetted the alternatives before picking 1Password. If it's secure enough for Apple, I feel safe trusting it as well.

  22. 1Password is now high value target by manu0601 · · Score: 1

    Find a flaw in 1Password, and compromise Apple. They just made it a high value target.

  23. they are more interested in being 'hip' etc by bagofbeans · · Score: 1

    Bet they are MUCH more interested in an IPO payout, actually.

  24. Re: Thank goodness by macmurph · · Score: 1

    I think you are making the old 'nothing to hide' pro surveillance argument. A very dangerous position to take.