
Introducing 1Password for Teams - bismark
https://blog.agilebits.com/2015/11/03/introducing-1password-for-teams/
======
jmuguy
Maybe I'll be the only 1Password fanboy in here. I use 1pw personally and
LastPass for work (shared between team of a dozen or so technicians).

To compare the two - 1pw is basically one of my favorite programs. LastPass is
um... adequate? We have a lot of items in our LastPass vault and anytime we
search it, add or change an item there is a 5-10 second lag. This according to
LastPass support is unavoidable. Something to do with each item being
individually encrypted/decrypted each time.

In any case, if 1Password for Teams is half as good as 1Password I assume it will
blow LastPass out of the water. And my experience with the Agilebits team
gives me confidence that they'll work on actually improving the product
instead of just looking for an exit.

~~~
Shebanator
Unfortunately 1pw is absolutely terrible on Android. So I was forced to switch
to Lastpass even though 1pw is generally superior because I need something
that works on all my devices.

~~~
AGKyle
Hi!

What were the issues you had with the Android application?

Feedback is most certainly welcome here so we can try to focus our attention
on the areas that are seeing the most sad faces from our users.

Thanks!

Kyle

AgileBits

~~~
77ko
Specific Android issues:

- The Android keyboard doesn't autofill fields - in iOS I could use the share extension and it would attempt to autofill
- The search is hidden behind a menu and isn't present at all in the opening screen - have to go into a category
- Search is broken - doesn't return a list of searched-for items as the iOS one does, it displays suggestions instead
- If I click on a search result and go back to select a search result I have to search again
- Design is dated. The iOS app looks great, the Android one looks really old and dated even compared against last year's apps

Overall seems to be a low effort app. Not worth the money I paid for it.
Considering switching to an alternative which is more Android friendly despite
having laid almost a hundred bucks for ios and Mac apps.

~~~
AGKyle
Sorry to hear that you're unhappy with it. I think you'll be happy with the
progress when you see the next updates. There's some work being done to
modernize the interface and some of your list will be tackled by that. I would
encourage you to take a look at my other comment in this particular tree of
comments about Android. It might offer some perspective, not that it's an
excuse but it explains things a bit more and might just help in understanding.

We really do want everyone to love our Android application. Personally, I feel
they've made great strides given the time they've had. It's just a matter of
time and our Android application will be right up there with our iOS
application. We have some super smart people working on it and they're very
passionate about what they do. I can't help but be inspired by a group of
people who fight tooth and nail to catch up to a product that's much older
(our iOS application).

I showed your comment to our Android developers so they've seen what you're
requesting :)

Thanks!

Kyle

AgileBits

~~~
77ko
Thanks for the detailed reply. I do like 1Pw - it is so very well thought out
on mac and ios that I expected something similar on the android side too. Good
to see it is being worked on and will hopefully become a first class app
alongside your other apps.

~~~
AGKyle
My pleasure. I certainly hope it gets there sooner rather than later but it
will get there :)

Kyle

AgileBits

------
tw04
Interesting - lack of active directory integration, and lack of on-prem
solution is disappointing though.

Edit: since someone is apparently upset over my comment - those two features
are absolutely mandatory in almost all corporate environments. If you have a
comment to the contrary, feel free to share it. Don't just downvote my comment
because you don't personally need the features.

~~~
AGKyle
Really don't want to see anyone get down voted here for having an opinion.
Different opinions are what drive conversation, so, I won't ignore your
concerns here.

I'm not super big on the terminology, but I assume on-prem is on-premise,
meaning you'd like to self-host. If I have that correct then unfortunately I
can't promise anything here. I will most definitely pass this along to our
team though so that they know there are some requests for it.

As for active directory integration. I'll be completely honest here and say
I'm not totally sure how we can support this one. We use both an email, an
Account Key, and a Master Password to access and decrypt your data. There
isn't just a password to decrypt, we also use your Account Key combined with
the Master Password. This could potentially provide some roadblocks to
providing single sign on support. If you're looking at it for group
integration (i.e. User X is in Group Y in AD/LDAP then they are in Group Y on
1Password for Teams), that might be a different story. I'll also pass your
concerns and feedback for this one along.

I hope those are at least something, though I can certainly understand that it
might not be to your liking. But if you have feedback or can help me
understand things more I would certainly appreciate it. I'm just a developer
and have never been a system admin, nor have I worked in a corporate
environment. That leaves me a little green on those topics :)

Kyle

AgileBits

~~~
tw04
Correct - on-prem = on-premise.

AD integration meaning yes, ability to tie users/groups between 1password and
existing AD infrastructure. The idea there being that if a user is terminated,
and their AD account is deleted/locked out, everywhere else is locked at the
same time. Having to go to 20 different systems to try to clean them out is a
great way to miss accounts :)

~~~
AGKyle
Hey, thanks so much for that. Seriously, means a lot to come in here and know
full well you're not really the right person to answer the question but give
it a shot anyway and the other party is gracious enough to explain it.

I will definitely be passing this along so we have some proper request
information on hand. My bosses are reading this, one has even interacted in
this discussion already so they're seeing this already but I'll make it a bit
more official tonight when I write up a summary of what I've seen requested.

Thank you again for taking the time to make sure I was on the right track.

Kyle

AgileBits

~~~
jms703
Recommend including LDAP integration in addition to Active Directory. With
such a large Mac userbase, you're likely to have more customers using LDAP
than AD.

~~~
keeper
Keeper Enterprise has AD / LDAP integration! Check us out
[https://keepersecurity.com/enterprise.html](https://keepersecurity.com/enterprise.html)

------
rdl
1) Finally 2) Awesome!

Thank you for doing this. Super into analyzing this for security. 1Password is
my preferred single-client solution, but not having a good Team solution has
been a serious drawback.

~~~
AGKyle
You'll definitely want to start by reading the white paper:

https://teams.1password.com/white-paper/1Password%20for%20Teams%20White%20Paper.pdf

Let us know if you have any questions after giving that a read.

Kyle

AgileBits

~~~
Titanous
Is there a reason why you're using RSA over Curve25519? RSA is old and rusty
at this point and there's no good reason that I know of to be using it in new
cryptosystems. To a much lesser extent I also have the same question about
using AES-GCM over Poly1305/ChaCha20.

~~~
jpgoldberg
Yep. There is very definitely a reason. You might not like it, but there is.
For the moment we need a client that runs reasonably well in web browsers.

As libraries become more available or the nature of our clients change, we can
switch. We certainly look forward to having the smaller keys that ECC will
give us.

We are aware of tweet-nacl, but we are trying to avoid the number of external
JS libraries we would need. This is why the Teams web app is limited to
browsers that most fully support WebCrypto. (Of course our own browser
extension for Desktop 1Password runs in more browsers as it does not rely on
any crypto itself.)

I admit it is kind of weird using GCM where a stream cipher would be faster,
lighter, cheaper. And so we definitely are looking forward to moving to
something like that for our transport layer encryption. There aren't any
security problems with our current ciphersuites, but we should be able to
improve performance by using things like what you recommend.

~~~
Titanous
Thanks for the answer! WebCrypto is obviously a disaster, it is very
unfortunate that new systems are being stuck with legacy crypto if they use it
instead of non-native libraries.

~~~
jpgoldberg
I think that there are three issues with WebCrypto that people often conflate.
But they need to be looked at separately when judging the security of any
particular things.

1. Limited algorithms. This is what has us using GCM instead of a stream cipher for our transport layer.
2. It allows developers to shoot themselves in the foot by not enforcing best practices.
3. It encourages crypto delivered over the web.

If (3) is your concern, then it doesn't matter how good, modern, up to date,
the methods are. This objection applies to tweet-nacl just as well.

If (1) is your concern, keep in mind that there is nothing wrong with the
algorithms and modes we are using. Sure we had to forego some slicker
alternatives, but this is a performance hit.

If (2) is your concern then what is true about WebCrypto is true of almost
every crypto library out there. Whether we use libcrypto, CommonCrypto, MS
CAPI, etc, we have just as great a chance of "using it wrong" as we do with
WebCrypto. WebCrypto isn't worse than most of the alternatives, it is just new
enough that we all hoped it would be better than the alternatives in this
regard.

So given these three general concerns with WebCrypto, you need to make a
judgement about how these play out when evaluating 1Password for Teams.

~~~
tptacek
(2) is not true of misuse-resistant crypto primitives and libraries, which is
kind of the point of Nacl.

~~~
jpgoldberg
Notice I said " _almost_ every other crypto library". I had NaCl specifically
in mind with that qualification.

It's no secret how you feel about crypto delivered over the web and run in the
browser, but one of the factors in our choice involved speed and stability
of WebCrypto versus <strike>tweet-nacl</strike>NaCl in JavaScript.

NaCl might be a good choice for our transport layer, but we do a lot of
encrypting of keys and not just of non-key data. So we needed to make use of
.subtle methods every now and then. So if we needed things that NaCl didn't
offer, it was simpler to use a single other API/Library than to mix and match.

I am a huge supporter of efforts like NaCl. I'd obviously prefer to be denied
the opportunity to shoot myself (and our customers) in the foot than to use
tools that are prone to misuse. It would have also been really cool to show
off using NaCl. It is the direction we'd like to see the world move. But we
couldn't quite swing it this time around.

------
Tomte
I had hoped AgileBits would step up their Windows offerings.

I've recently bought the "real Windows application", since the Universal App
doesn't allow you to enter new logins (really?), only view existing ones.

Unfortunately, KeePass was much more useful with its Alt-A shortcut. In
1Password I need to manually copy login data from the application, since I'm
using Edge and there's obviously no plugin, yet (Edge's fault).

Oh, and syncing must be a bad joke. Lots and lots of sync options, but the
only one working across all platforms (iOS, Windows Phone and Windows are the
ones relevant to me) is Dropbox. No OneDrive, no WLAN sync.

And don't get me started on vault management. I was using a non-synced vault
without realizing it for weeks, and then I was pulling my hair out trying to
sync the correct one. I finally only managed to do that by completely removing
the Windows Phone app and starting from scratch.

At least they are moving everything to opvault. It was fun trying to get
everything to sync, only to find out that the default vault format
"agilekeychain" cannot be synced to Windows phone (or was it Windows desktop?
I'm not sure).

~~~
AGKyle
Hi there!

We are working on adding Teams to 1Password for Windows. Hopefully we'll have
more to show for that in the not too distant future.

I also hear you on the Edge front, we're excited to see what we'll be able to
do with Edge once a plugin framework is available.

As for syncing, the Windows application does support Wifi sync to iOS and
Android applications, in addition to Dropbox. Between computers, you could use
any sync service that syncs like Dropbox, i.e. to a folder locally and then
the sync service copies the data back and forth while the data rests locally.
Keep in mind though that we've only tested and can support Dropbox for this so
you might run into unforeseen problems, but we do have users doing this and it
seems to work for them.

That said, I am sorry for the trouble you've had. If you have any questions
getting things setup you're welcome to ask questions on our support forum at
[https://discussions.agilebits.com](https://discussions.agilebits.com). We're
always happy to help users get setup and running.

I'll certainly pass your feedback along to the proper people as well.

Kyle

AgileBits

------
codycowan
With the sale of Lastpass to LogMeIn, more excited than ever for 1Password to
add team features

~~~
conorgil145
Why is it an issue that LastPass was sold to LogMeIn? Does that company have a
bad reputation, or...? This is a serious question. I am not familiar with
LogMeIn.

~~~
steeef
LogMeIn has a history of buying useful products and then raising prices on
them without much warning. I was a faithful customer of Hamachi until LogMeIn
purchased them, upped the price, and then tried to lock me in to a
subscription.

~~~
awakeasleep
If anyone doesn't know enough to put comments like this in context,

Hamachi was a free VPN service most commonly used by gamers. LogMeIn bought
Hamachi, and turned it into a paid service, earning the eternal hate of the
gaming community.

None of these aspersions are worth considering if you're thinking about
enterprise software.

~~~
shostack
Out of curiosity--have they been successful with this strategy?

I'm guessing there's some short term revenue gains, and maybe some initial
fallout. But the question still stands of whether this works long term. A lot
of companies underprice their offering, so this could very well work and an
acquisition seems like an ideal time to raise prices while promising more down
the line.

------
pantulis
Apart from the pricing plans --makes it difficult to invest in uploading all
our company secrets if I don't get a clear return--, what about Linux based
desktops? Will this be only Mac/Windows centric?

Are there single-sign-on options for Google Apps for Work?

~~~
jpgoldberg
There is absolutely no "lock in" if you try out the beta.

Our sign-on process uses a modified form of SRP. (See the draft white paper).
It is not a traditional "authentication" process and so can't use other SSOs.

~~~
baldfat
I won't recommend this to my company since I run 4 Linux boxes and there is no
native Linux support (Means DEB, RPM and a TAR)

~~~
coldtea
Not really a threat -- if they don't provide Linux support, then they know and
accept already that people running Linux won't buy or recommend it.

~~~
jpgoldberg
It's more of a threat to us than you describe. If a potential team of N people
have k members who need a Linux client, then that might cost us N customers,
not just k.

~~~
boundlessdreamz
Yes. We are a team of 3 and one of us uses Linux. What is missing when using
the web app? Is there a feature comparison I can look at?

~~~
AGKyle
There's a fair bit missing. For now, the web client is read-only but we have
full intention to make it able to edit, it just wasn't something we had time
to do before the public beta.

The app also includes filling directly into webpages (via a browser extension)
so you don't need to copy and paste. This also includes the ability to save
new logins as you create accounts. Filling Credit Card and Address information
as well.

Those are the two big features I think. The editing will show up on the web
side but the filling part won't since it relies heavily on the client
applications to do a great deal of the grunt work.

We're well aware of the demand for a Linux client though. I think all of us on
the team would love to see a Linux client, but "love to see" isn't enough to
make it happen right now.

I have most certainly written about this in my report I hope to send up the
chain today so your voices aren't going unheard.

Kyle

AgileBits

------
bdwalter
Our teams would be all over this if they had real linux support.

~~~
jpgoldberg
The 1Password For Teams web app runs in Chrome, Firefox, and Opera.

~~~
dijit
Read only and no browser integration. :/ at least they publish a python module
to speak to the agilekeychain

~~~
AGRob
Currently read-only, yes, but it will eventually offer read and write ability.

Rob

AgileBits

~~~
dijit
"eventually" doesn't allow me to use it now though, unfortunately.

I don't mean to sound petulant but I do own 1password on two devices and it's
really frustrating to have no reasonable ability to use it on my main
workstations at home or at work.

~~~
jen20
I know this isn't a complete solution, but 1Password for Windows runs OK under
Wine, and with some registry tweaks as the browser plugins work OK too. The
exact details are documented here:
https://discussions.agilebits.com/discussion/42126/making-1password-work-in-ubuntu-14-04

I verified this afternoon that this works with Ubuntu 15.10.

------
klinquist
Really excited for this - was literally just looking to put a vault on a shared
drive (yuck)...

The pricing does seem a bit high (the same price as google apps!). We're a
startup with an engineering team of ~12 and only two or three of us pay for
1password right now. If we had 1password teams, I'm sure I could convince
management to include pro versions of 1password for Mac & iPhone with every
new employee as part of the "initial software package" that employees are
allowed to expense. But another $100+/mo is a bit harder for them to digest.
Regardless, looking forward to being invited into the beta/trial! :)

~~~
AGRob
Hi there!

Note that pricing is not completely finalized just yet, and we will be
offering different pricing tiers. In addition, a subscription to 1Password for
Teams would replace the price of the individual apps, not add to it. So, you
would be getting free upgrades for the client apps while you are subscribed to
1Password for Teams.

I hope that helps!

Rob

AgileBits

~~~
newman314
1password has always been pricey and I've been a happy user. But please please
entertain having realistic enterprise pricing. If so, I can get an org of
several hundred people on it.

Heck, if you offer a good enough deal, I might be able to get a whole bunch of
sister companies on it too.

------
mikeevans
This is pretty awesome. Super excited to try it out.

What's not awesome though is how long they've been working on the refresh of
the Android app with fingerprint support. Demoed in May, it's now November and
they aren't even ready to launch it on their beta channel.

~~~
AGKyle
Hi Mike,

Really sorry about that. Our Android team is working as hard as they can to
bring out updates. It's a tough balance because we've been hard at work on
trying to bring 1Password for Teams to Android as well, which until today has
been a secret project. This also means adding a lot of new features that are
part of Teams, like multiple vault support.

For the fingerprint support it's important to note that this relies on Android
Marshmallow so we couldn't ship that until then. It sounds like that has
started rolling out though so that's no longer blocking us but a few other
things are. I just thought that knowing it depended upon Android Marshmallow
would help in seeing why that particular feature hasn't arrived yet :)

We're doing our best to get the Android application improved though.

Kyle

AgileBits

------
joshfinnie
A nice addition, we are currently using LastPass Enterprise, and the UI is
absolutely terrible, but being the only game in town kind of forced our
hands... now there's options!

------
davepeck
Congrats on the launch. We've been using the beta for this and it has been
quite excellent.

------
jedberg
I used the beta for this, it was pretty slick.

~~~
roustem
Thank you for your help with the 1Password for Teams infrastructure!

~~~
jedberg
Glad we could help!

------
juanymedio
Hi! I can tell you our experience at the company I work for. We were looking for a
tool to make sharing simple "but not give away control of the passwords", because
we wanted to show customers that "we take care" of their passwords.

We finally started using ZOHO Vault. It gave us a way to create/manage/share
"secrets" (passwords, PIN/PUK, Visa PIN, etc.) with our developers in a web app
and a mobile app. Now it is part of our "welcome kit" for new workers. If you are
on your own you can use it for free, for your personal or professional secrets.
(An example code that ZOHO Vault created for my profile looks like "x3Aq-JTyKg"
- not this one, of course!)

Usually any customer that sees how we work... copies the "work method"; if anyone
recommends something better... of course we will test it too to compare!!
Cheers!

------
goeric
Very excited about this! We definitely have been waiting for it.

------
helper
Cool product.

I'm not super excited about the use of WebCrypto, but it isn't any worse than
storing passwords in the clear in a database.

My biggest question is does it support having an audit log of who accessed
what credentials when? If that is supported I could see some of our teams
switching over to this.

~~~
jxpx777
1Password for Teams does have auditing for changes. We will be adjusting and
expanding how that is exposed in the admin console over time.

~~~
helper
Auditing who accesses credentials is just as important as auditing changes for
us.

~~~
snuxoll
Auditing who accesses credentials is pointless, IMO. So you know that Tom,
Jane and John have all accessed the domain admin credentials since they were
changed last week, what good does that do you? They all have reason to do it,
and any one of them could have written them down so it's not like you can
audit who pulled them up 15 minutes before some huge security incident and
know who was responsible.

~~~
helper
Not necessarily. If you have an organization with 100 users and most systems
are accessed rarely, an audit log can show you things like "Steve accessed ALL
the credentials."

------
watersb
1Password is great. Love it.

I have been getting excited about Universal Two-Factor auth tokens. Sure, yet
another standard, but U2F seems dead-simple from user perspective, and easy
for developers to add to web apps.

If we rely more upon web-browser front-ends for 1Password UX, I'd feel way
more comfortable with some kind of two-factor auth for the password vaults
themselves.

I have inadvertently submitted my 1pw vault password to web sites, usually
because keyboard focus changed and I didn't notice. Real people will
inevitably do this from time to time, even in the absence of malicious
phishing.

Good luck!

~~~
khad
Thanks for your kind words! See my earlier reply to digitalchoas
([https://news.ycombinator.com/item?id=10504006](https://news.ycombinator.com/item?id=10504006)).
:)

1Password for Teams has what we call Better Than Two-Factor™ through the use
of an Account Key: https://support.1password.com/account-key/

------
duncan_bayne
... provided your team doesn't include anyone using Linux. I asked them
whether they had any plans to support Linux recently and got a disappointing
"no comment" type of reply. Not impressed.

~~~
AGRob
Sorry you were less than impressed. We can't really discuss future plans, but
we are working to mature the 1Password for Teams web client into a fully
functional client that can add, edit, and delete items. The whole thing is
still in beta right now, but it's definitely on our must-do list.

The web client runs in Chrome, Firefox, and Opera, so Linux users will
definitely be able to access it there. That's our immediate focus for now.

Rob

AgileBits

~~~
duncan_bayne
Actually, now that I think about it, why on earth _can't_ you discuss future
plans?

~~~
AGKyle
Duncan, the reason we try not to discuss future plans is because until
something ships we can't 100% for sure it'll make it into the wild. We've had
instances in the past where we discussed future plans and due to unforeseen
issues couldn't follow through with them.

The mantra is more "under promise and over deliver" when it comes to these
types of things. One of the sayings that has lived long in AgileBits (at least
since I've joined nearly 4 years ago) is that no decision is ever final. So we
might tell someone "nope, sorry won't happen" but then it could later, or vice
versa.

So, future plans are something we try very hard not to discuss, and if they're
ever discussed it's often by our CEO or founders :)

It's because we respect our customers that we do this. We don't want to lead
someone on or misrepresent our intentions. Though, I can certainly understand
how it might feel like we are avoiding the issue, we're not, we'd love nothing
more than to tell everyone "yup, that's coming!" but reality is much different
so we want to make sure we do our best by coming in level headed about things.

Hope that helps explain things a little at least.

Kyle

AgileBits

------
evincarofautumn
We really could’ve used this at the startup where I worked a few years ago. We
were using the, uh, analog equivalent: a manila folder full of handwritten
passwords locked in the founder’s filing cabinet.

~~~
jpgoldberg
I remember doing that in the 90s. There was the "password book" locked away in
a location I won't disclose in case they still do it that way.

We all used SSH public keys (this was kind of new back then), so really only
needed to consult the password book on certain reboots.

------
dazzla
I work for a password manager that has had teams for a while. We have an
encryption key per record with fast search. An open source command line SDK
and Java desktop client which is great for linux. A great Android app with
autofill, material design UI (more to come), which has been in the Google Play
store since day 1, etc.

I'm obviously biased especially about the Android client :) but IMHO great iOS
(and SDK), Android, Web Vault, browser plugins, Windows Phone, Surface, etc.

------
omarforgotpwd
Wow, this is gonna be big! Congrats to the agile bits team!

------
neilellis
At last full NSA support, I've been waiting for this for ages. Really getting
tired of having to open my firewall and give them an SSH login.

~~~
AGKyle
You're getting down voted and unfortunately that's a bit disappointing. That
said I am happy to discuss with you how Teams is setup so that you can fully
understand how it works and realize that we (AgileBits) can provide zero
access to your data to anyone, including yourself, without the proper
credentials (Email, Account Key, and Master Password).

You would probably find our white paper on security and privacy very
informative. If you'd like to give it a read you can find it here:

https://teams.1password.com/white-paper/1Password%20for%20Teams%20White%20Paper.pdf

If you have questions I'd be more than happy to make sure you get those
answers. But this was a very important topic for us and that's why the white
paper exists and I believe it should answer all of your concerns about
security and privacy, if it does not then we will get those answered for you.

Kyle

AgileBits

Edit: I changed wording to "credentials (Email, Account Key, and Master
Password)" from generic "data" which was sort of redundant and not clear.

~~~
neilellis
I'm actually a huge 1Password fan - my comment was joking but accurate to the
point that no-one can guarantee data security in the current climate. How are
we to know that any provider has not been coerced by their nation's security
services into weakening their own security protocols - and then been slapped
with an order forbidding them to discuss said changes (all within known
current NSA practices).

None of this is directed at you guys, as I said, big fan. But at a climate
that has left consumers concerned, cynical and distrustful of the safety of
any of their data.

Remember my credit cards, alarm codes and personal data is within 1Password -
the most precious of my data.

I have read the link and the other I have been sent and I will definitely
continue using 1Password and I trust you guys as much as anyone can be
trusted at the moment. Certainly it's more safe than writing it down on a
piece of paper right now :-)

Of course one way to being even more transparent (but not necessarily more
secure) is to open source your means of securing, transmitting and remote
storage; not the whole product of course.

But with a highly funded secretive agency weakening protocols and strong
arming companies, what are we to do :-)

Again great product!

------
wishiknew
And yet another app that would rather become an OS on its own rather than
stick to one thing but 'do it well'. 1Password.app has already been taking
ages to load since the shiny/pointless redesign a year ago, and now we're
getting even more features…

~~~
thirdsun
However this is a pretty significant feature - I really wouldn't tag it as
bloat, but as the next logical step for 1Password and judging by the comments
here I'm not the only one who has been waiting for this.

------
aagha
I'm curious if anyone's ever tried using Password Safe [0] in a group context
with the master file stored on a shared repo.

0 -
[http://passwordsafe.sourceforge.net/](http://passwordsafe.sourceforge.net/)

------
digitalchaos
I'd be all over this if they supported yubikey's U2F. I love 1pass, but it
always makes me uneasy using Dropbox (or anything similar) for syncing.

~~~
khad
You will be pleased to know that 1Password for Teams does not use Dropbox for
syncing and has what we call Better Than Two-Factor™ through the use of an
Account Key. From our "Understanding the Account Key" article
(https://support.1password.com/account-key/):

With traditional two-factor authentication, an existing device is used to
authorize a new one. But the existing device is only used for authorization.
The one-time passwords are not used to harden the encryption.

Your Account Key works in much the same way. It is required to authorize a new
device. However, your Account Key is actually used to improve the encryption
of your data. Both your Master Password and your Account Key are required to
decrypt your data.

More in that article. :)

------
halayli
How does revocation happen? What happens if I remove a user from the team?

~~~
AGKyle
When you remove a user from a team (or even a vault) the vault or team is
effectively removed from the user's computer. The account will still "exist"
in the preferences but it'll be suspended and their only option is to delete
the account or have the admin restore the account.

Given the nature of passwords, if you've removed someone from the team you'll
still want to change passwords for any items they have had access to if that's
a concern.

Does that help answer your question? I'm happy to give you more information if
you have more questions or if I somehow misunderstood your question. Just let
me know!

Kyle

AgileBits

~~~
halayli
Thanks for the explanation!

While in theory the passwords should be changed, shouldn't a new vault key
also get generated/encrypted and the existing passwords get re-encrypted with
the new vault key?

The case I was thinking about is: If for whatever reason that revoked user got
access to an encrypted password that got added after he was revoked, he can
still use the same vault key to decrypt it.

On a different note, I was trying to understand the granting access part and
so far (correct me if I am wrong :)) I think it has to be done in a 3-stage
process: 1. invite user, 2. user accepts and generates priv/pub and pushes
encrypted priv + pub to 1Password, 3. admin confirms the grant by encrypting
the vault key with the new user's public key. Did I get it right?

Lastly, would it be more secure if, instead of using a master vault key, we
just relied on the priv/pub key of each user? When one member adds a new
password, they encrypt it with each user's public key and provide it to them
(which can be considered a big disadvantage of this approach). I think it
makes revocation easier and denies access to future passwords, since the user
will be out of the team and won't receive new passwords created. But I am not
a security expert, so I won't claim anything. :)

~~~
jpgoldberg
Well spotted about the revocation and password change issue.

At the moment, the way we address this is through server policy to prevent the
user with rescinded access from getting any new vault data from the server.
But as you correctly note, this isn't enforced by the cryptography.

There is a technique, called "lazy encryption" by some, to manage this sort of
thing. What would happen is that any time there is a password change or
someone is kicked out of a vault, a new key is created for the vault and all
changes and new items are encrypted with the new key. The new key will also
encrypt the previous key.

With this, someone who still has an "old key" can cryptographically decrypt
things that they could have before (but they could have saved those things
before), but would not be able to get at new or modified data.

I spoke about this problem (as it applies to things like a password change) in
my talk at PasswordsCon 2014 in Las Vegas, which should give you some idea of
how long we've been thinking about this problem.

We've got some of the underlying infrastructure in place for this, but as you
can obviously see we didn't get this all working by the time of the release of
our beta.

But I cannot make any promises whatsoever about when it will actually be
implemented.
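
An added worked example (editor's code, not AgileBits' and not how 1Password for Teams is actually built) of the "lazy encryption" jpgoldberg describes above, and of why halayli's concern holds without it: a Vault keeps one key per epoch, Rotate mints a fresh key and wraps only the previous key under it, new items are sealed under the current key, and a Member still holding an older epoch key can walk the chain down to items it could already have saved but cannot reach anything sealed after its epoch. The Vault, Member and Item types, the Wrapped map, the AES-256-GCM nonce-prefix layout and the plain-copy Grant (standing in for wrapping the vault key to a member's public key) are all assumptions made for illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Item is one vault entry: the epoch of the key it was sealed under, and nonce||ciphertext.
type Item struct {
	Epoch int
	Blob  []byte
}

// Vault is the server's view: the current key plus every older key wrapped under its successor.
type Vault struct {
	Epoch   int
	Key     []byte         // current 32-byte vault key
	Wrapped map[int][]byte // Wrapped[e] = seal(Key[e+1], Key[e])
}

// Member is a device's view: the newest epoch key it was granted.
type Member struct {
	Epoch int
	Key   []byte
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// gcm builds the AEAD. aes.NewCipher only rejects wrong key lengths, which a 32-byte key never hits.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal and open are AES-256-GCM with a random 96-bit nonce prefix (assumed layout, not 1Password's).
func seal(key, pt []byte) []byte {
	aead := gcm(key)
	nonce := random(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...)
}

func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob of %d bytes is too short", len(blob))
}

func NewVault() *Vault { return &Vault{Key: random(32), Wrapped: map[int][]byte{}} }

// Add encrypts a new item under the current epoch's key only.
func (v *Vault) Add(secret string) Item { return Item{v.Epoch, seal(v.Key, []byte(secret))} }

// Grant hands the current key to a device (a real system would wrap it to the member's public key).
func (v *Vault) Grant() *Member { return &Member{v.Epoch, append([]byte(nil), v.Key...)} }

// Rotate runs when someone is removed: a fresh key wraps the old one and becomes current.
func (v *Vault) Rotate() {
	next := random(32)
	v.Wrapped[v.Epoch] = seal(next, v.Key)
	v.Epoch, v.Key = v.Epoch+1, next
}

// Read walks the key chain down from the member's epoch to the item's; later epochs stay unreachable.
func (m *Member) Read(v *Vault, it Item) (string, error) {
	if it.Epoch > m.Epoch {
		return "", fmt.Errorf("item epoch %d postdates member key epoch %d", it.Epoch, m.Epoch)
	}
	key := m.Key
	for e := m.Epoch; e > it.Epoch; e-- {
		older, err := open(key, v.Wrapped[e-1])
		if err != nil {
			return "", err
		}
		key = older
	}
	pt, err := open(key, it.Blob)
	return string(pt), err
}

func main() {
	v := NewVault()
	old, alice := v.Add("db-password-v1"), v.Grant()
	v.Rotate() // alice is removed; the remaining team moves to epoch 1
	fmt.Println(alice.Read(v, old))                     // db-password-v1 <nil>
	fmt.Println(alice.Read(v, v.Add("db-password-v2"))) // empty string plus the epoch error
}
```

Running it shows alice reading the pre-rotation item and failing on the post-rotation one. The server-side policy is still needed to stop a revoked client from being sent new blobs at all; the chaining only makes those blobs useless if that policy is bypassed, and a current member pays one extra unwrap per epoch when reading old data rather than a bulk re-encryption at revocation time.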

~~~
halayli
Ah got it. I think implementing it as a server policy is fine for now.

What would be nice is to have 1password regenerate and assign new passwords
for certain supported services when a user leaves a vault. Not sure about its
feasibility but if implemented correctly it can be a big feature win.

~~~
jpgoldberg
Oh that would be nice. The difficulty is in keeping track of "supported
services" and making sure that they haven't changed their password change
forms yesterday.

Standardized password change forms would make our lives (and our customers'
lives) so much easier.

It's not impossible, but it takes a lot of maintenance to make sure that it
behaves as expected. And when you are automating password changes you really
want to make sure that it does work as expected.

~~~
halayli
Agreed. The lack of standards around this makes it very challenging and the
implementation will be against a constantly moving target. We all know how
this ends. :)

But it can also open the door further (not that it cannot now) to having
1Password for Teams become the central password store for your production
environment. I can envision a 1Password agent (with HSM support maybe) running
on a machine to provide processes with required passwords/keys as a way to
eliminate the need to store passwords on disk. If the box gets compromised,
changing the password in one central location so that others pick it up can be
convenient.

food for thought. :)

------
kenjackson
Is this the same idea as the YC company Meldium?

------
iosys
They can't seem to fix a simple bug where the 1Password mini menu ends up
behind the menu bar. Really pathetic, or maybe it's fixed now, hopefully.
Please FIX OMG

~~~
AGRob
Hey, thanks for the feedback. I'm not sure I know which issue you're referring
to. I've not seen the menu show up behind the menu bar. Could you follow up
with us on our forum?
[https://discussions.agilebits.com](https://discussions.agilebits.com)

Rob

AgileBits

