

Meldium (YC W13) Controls Your Team’s Shared App Passwords For You - bradleybuda
http://techcrunch.com/2013/02/25/meldium/

======
harryh
How does it actually work? How can it fill out a password form field for me,
but make it so I can't find out the password?

Can't I just sniff what my browser sends to the server?

I'm suspicious.

This is a real problem though.

PS: You might want to reconsider that name. Meldium, to me at least, just
looks like someone typoed when trying to type Medium.

~~~
potshot
We log in on our end and push the session to your browser, so your browser (or
that of whomever you shared the app with) never sees the password.

~~~
signed0
Doesn't this mean that if you are compromised so are all your users?

~~~
harryh
Yes, this is my next question.

Regardless of your answer I think these questions make it clear that you
should definitely consider adding some more detailed explanations to your
website about how exactly your product works. Especially for a security
related product this is pretty important.

I say this as someone who is very interested in paying someone to solve this
problem for me.

~~~
potshot
We actually have a security FAQ up here: <https://www.meldium.com/security>.
The link is currently buried in our TOS, thanks for pointing out that we need
to give it more exposure! We're definitely open to feedback as to what's not
adequately covered.

------
MattRogish
This is really cool. We use 1password with the 1pass file stored in a Team
dropbox, but 1pass still doesn't have any group-facilities so we have to
revoke/change passes by hand when someone leaves, etc. Very much looking
forward to trying this out.

One thing that groupware password things never remember is that folks like to
use their personal services, too, and requiring multiple-accounts for personal
stuff is not workable.

Is there support for personal (e.g. private only to my login) accounts? That
way, I could store all my stuff with a single browser plugin...

~~~
bradleybuda
Yes - by default your logins are only available to you, and they are only
shared with the individuals that you explicitly add. We definitely want folks
to be using the same tool for both team and individual passwords.

------
jameshart
Sharing an account is a breach of terms of service on most of the services
where this system would be used. It's really not clear to me whether every
supported service has actually opted in to being handled by Meldium, or if
it's something driven by clients, or even simply set up by end users. I could
imagine a SaaS vendor might not be very happy with someone providing tools to
help users get around their per-seat licensing model by automating account
sharing...

~~~
bradleybuda
We're not looking to help anyone evade a vendor's pricing model. The
unfortunate reality is that many services do not support multiple user
accounts, and customers have no choice but to share.

For services that do support many users, we have deep integration that
actually creates individual accounts for every new employee you hire. We have
almost 20 of these services integrated now and we're always looking to add
more.

We've had the opportunity to talk to many service vendors in the process of
building Meldium and the response has been overwhelmingly positive. With
provisioning integrated, Meldium removes one of the barriers to service
adoption - it makes it easy for a company to add more accounts when the hire
more people, and service vendors love this. We're always looking for tighter
and higher-quality integrations with vendors - if you run a SaaS app and you'd
like to see it supported on Meldium, ping me at brad@meldium.com and we'll
find a way to make it happen.

~~~
jameshart
Thanks.. but you still didn't make it clear whether Meldium always works with
the service-provider's co-operation and authorization, or whether you support
account-sharing for services your customers want to use, without the vendor's
explicit permission.

~~~
dotBen
Come on, one would assume they would let you share a password even if it is
"without the vendor's explicit permission".

Who's the customer here?

------
JoeH
I was initially very excited by this as I skipped over the part where it was
"Shared App Passwords". I'm currently using 1Password and sharing the password
file via a dropbox account, however, as I look into the details, it appears
Meldium would only work for a portion of what we use 1Password for.

I need a solution like this, but allows the storage and potential sharing of
other types of passwords not associated with a specific website or service
(server passwords, door codes, etc)

That being said, it looks like a great start!

~~~
borisjabes
We definitely agree that this can apply to more than just apps and we may
extend to more kinds of data over time. We just opted to focus on apps for
this first release.

------
signed0
I almost thought this was related to medium.com.

I wish they would have compared this to other existing products such as
LastPass instead of comparing it to an excel spreadsheet.

------
barrydahlberg
This looks great and is close to something I've specifically looked for in the
past. My only suggestion would be that the pricing is going to be awkward for
my use case.

Typically we work with many small clients and one of our issues is managing
access to admin sites etc for these clients across our team. We have
relatively few 'users', perhaps 5 - 10, but a large amount of shared apps. I
currently have around 100 sets of login details on file in 1Password.

------
nopassrecover
Couldn't you just set up an account on LastPass or OneLogin and share access
to that account?

~~~
bradleybuda
We think of Meldium as a tool for sharing accounts, not for just sharing
passwords. While there are a lot of password managers out there, none of them
are built for teams first. Meldium's browser extension makes passwords go away
completely - they are never echoed or revealed to your teammates. We wanted to
build a product that has geek-level security but also fantastic UX for end
users of any technical sophistication.

~~~
subsection1h

        We think of Meldium as a tool for sharing accounts,
        not for just sharing passwords.
    

Meldium seems to be a tool for sharing _web app_ accounts. Some of the
accounts my team shares aren't for web apps.

    
    
        While there are a lot of password managers out there,
        none of them are built for teams first.
    

What about Passpack, which is what my team uses? Passpack has worked well for
us, but I'm interested in alternatives because Passpack doesn't seem to be
actively developed (bugs I reported months ago haven't been fixed and
Passpack's blog is rarely updated).

------
kuahyeow
It's 2013, sharing passwords is so insecure. Things like OAuth should be used.
I wouldn't be secured if they move towards something like
<http://www.okta.com/what-we-do/single-sign-on.html>

------
WestCoastJustin
Scary as hell. Download password safe and keep your crown jewels at home! I
don't care if users never see the password or if they are encrypted on their
side. Giving your Twitter, Github, or AWS?! keys to someone else. Jesus, this
is the wrong idea and anyone who gets burned deserves it! This speaks to a
wider trend of turning your business information over to other people. Your
internal helpdesk, mail, wiki pages, your source code, and now your
passwords?! Come on. A rouge employee and you are fucked!

It would be interesting to see what they offer if someone exposed their
database and caused your financial ruin?

~~~
josephlord
Don't worry about the rouge employees it is easy to spot the red ones, it is
the rogues that you need to worry about!

But I fundamentally agree, you need to consider that in many cases you are not
just subject to your own risks and threats (internal and external) but each of
your suppliers (and their suppliers such as Heroku and AWS) and their internal
and external risks added to yours.

------
stanleydrew
Don't most of the services listed in the article already have multiple user
accounts?

Github, Salesforce, Box, Google Apps, WordPress. These all support using
multiple accounts right?

~~~
bradleybuda
The article doesn't really make it clear, but for each of those services we
support (and prefer) multiple accounts. They can be connected under the "Team
Services" link in the tool.

------
727374
I'm not terribly worried about ex-team members improperly accessing accounts
and the like. There are pretty powerful legal deterrents in place to prevent
this not to mention that I believe our team is trustworthy. Plus, common sense
dictates that we only give super sensitive account credentials to a couple
people.

On the other hand, I'm terrified of giving my account info to a 3rd party.
Seems like the sweetest hacker target ever.

------
100k
I have been waiting for 1Password to add some kind of team feature for years.
Even if it was as simple as adding an additional password file with a
different unlock password, I would use that in a heartbeat.

They've really left themselves open to competition. Good luck to Meldium
taking them on.

------
philfreo
Looks cool, but I wish 1Password would add a simple password sharing feature.

------
tlogan
We actually made some hack with 1Password and Dropbox. I still wonder why
1Password does not do something like this. It should be easy to do.

------
jasonostrander
This looks fantastic. It sounds like it uses a similar setup as Lastpass, but
with a service for startups to manage accounts. They should offer a free tier
for end users to store and manage passwords ala Lastpass, and then keep the
team focused features as a premium upgrade.

~~~
bradleybuda
Thanks for the suggestion Jason. Our free tier actually covers up to five
users, so it works great for both individuals and small teams. We knew that
Meldium would be useful for large companies, but we've been surprised to learn
that even very small teams love it too.

------
dannygarcia
Wow this is great! It would be nice to see Facebook as a supported app since
it's useful for dev teams.

~~~
bradleybuda
Great suggestions - we'll have it soon. If you'd like to suggest apps, hit our
UserVoice at <http://support.meldium.com/> \- we use that to decide what to
build next.

