[flagged] Apple to deploy 1Password to all 100,000 employees, acquisition talks underway (bgr.com)
165 points by okket 5 months ago | 103 comments

This is clickbait journalism at its worst. Let's look at all the ways this story is designed to mislead and deceive:

* Provocative headline, designed to attract attention
  * Use of the word "Exclusive" to imply that this is important information
  * Says acquisition talks *are* underway, despite having little or no evidence of that
* Reliance on anonymous second or third-hand sources - the only evidence for "acquisition" is something that an employee overheard the CEO say
* Update, placed at the end of the story, that disconfirms the story
* Placement on aggregator sites like Reddit and Hacker News in order to drive pageviews

I rarely say this about stories on the frontpage, but in my opinion, this story should be flagged and deleted. There's no content here, and driving traffic to bgr rewards them for putting out this kind of fake news. This story reads like someone took Ryan Holiday's book, Trust Me I'm Lying and treated it as a field manual rather than a set of warnings.

"Rumours of my acquisition are completely false. My humans and I are happily independent and plan to remain so."


Riiiiiight. That's what everyone says right before the incredible journey blog post gets uploaded.

Also this response. :D

Bryan Jones @bdkjones, 15 minutes ago, replying to @1Password @markgurman:

I’d literally pay Apple to acquire you just to avoid more “my humans and I” tweets.

I'm glad this "made by humans" thing is starting to go the way of "made with ♥ in California", background videos of macbooks & coffee, and the burrito emojis. Though I'm looking forward to the next cringeworthy cali startup meme.

> Though I'm looking forward to the next cringeworthy cali startup meme.

Like half a cringeworthy Cali startup’s engineers spending their morning at Sightglass discussing an article about a password manager software being bought and lamenting whatever that future holds for Windows support, you mean? While their white male founder is parading around saying he’s making the world a better place with his singular vision about a grand Kubernetes mumble mumble, but entertaining a slow progression of M&A offers to cash out and just dump the entire company on Red Hat or Google to sort out because “serial entrepreneur” is a better title than ever hitting one nail or dropping one load of fries? Meanwhile, deadlines keep missing because the engineers are busy commenting on this article as noted, and arguing about JavaScript frameworks, and “WFH” every Tuesday and Thursday because commuting like everyone else for $175,000 cash is just too hard for precious snowflake engineers (seriously, have you smelled BART?), and God help anyone who schedules a 10am meeting. Remember, machine learning is this cycle’s password to get a YC check, and start your own journey to enriching your wealth and throwing a bunch of starry-eyed people who mystifyingly trusted you into whatever horrible business unit of whatever horrible corporation writes you the check you’ve earned on account of your complete lack of professional experience, biological fortunes, and who you’ve done cocaine and/or Bitcoin with most recently. Oh, and you were so busy making money, you didn’t stop to notice you’ve literally handed every nation state in the world citizenry command and control capabilities they only could have dreamed of before this stupid industry found a whiteboard and daringly ventured, “what if we put millions of dollars into letting Justin Bieber type 140 characters to fans, because that could never go wrong?”

Did you mean that kind of meme? If not, I may have some bad news.

You added an unnecessary level of indirection. The startups don’t have memes. They are the meme.

You could make that same comment without throwing 'white male' in the mix and it wouldn't have lost any substance.

I'll take 'my humans and I' style cringe over laboriously pointing out somebody's skin colour and gender as defining characteristics any day. There's nothing intelligent about it.

Actually, it’s a well-founded specific criticism (all of them are; no accidents there) of an underlying problem which contributes to the very concept I’m laboriously explaining. I note you didn’t refute my point at all, choosing instead to somewhat ironically call it unintelligent, and that you’re vaguely upset about it without a clear path to proving me wrong should speak more to what I’m trying to tell you.

I don't really see how most founders being white is a criticism - sure most of them are in a position of privilege, but that's because they're born into the upper classes and went to universities whose degrees cost more than most people's houses. The race factor comes from the fact that the disproportionate majority of wealthy families in the US are white. I mean, you don't see a proportional share of black or hispanic founders in Cali but you also don't see a proportional share of working-class white founders from the heartland either. We have the same thing in the UK.

I for one am having a hard time discerning your point, white males or no white males. The point between the lines seems to be that you wish you were getting rich.

I agree with most of the other criticisms except the identity stuff, because I'm disappointed by our industry. We were going to open up the world and make it a better place but it seems to have gone off the rails and become much more like the finance industry or other grim husks. The pretense remains but the reality is pretty cancerous. The platforms that are supposed to bring us together gave us depression, massive political division and put us under constant surveillance. The innovative ideas gave way to chasing fads for that sweet vc cash. The decentralised experimental currency is now penny stocks on steroids (although you could argue that was inevitable). I guess you could say the utopian vision died a sad death and not everyone wanted to see it go.

Utopian hubris, perhaps. Subtle distinction.

yeah that could well be the case. Either way, the prospect of your industry making a positive impact dying before your eyes is lame, whether it was ever really capable of that change or not.

That is the interpretation I’d expect from someone bought in, to only see people and their perspectives along an axis of wealth generation impetus. I’m sorry to disappoint, but also realize I’m probably incapable of explaining it to you, since my perspective is an imaginary component way off of your real number axis.

I’m boxed in a corner. If I explain it one way, you’ll interpret a Luddite sentiment. If I explain it another, you’ll interpret an affinity toward socialism. Yet another, and you’ll conclude I’m mentally challenged. I’m still working on vocalizing my detest for the valley and this audience in a form which is productive as opposed to punitive, so you’ll have to check back with me when I’ve matured that.

That's a relief. Apple acquiring 1Password would torpedo any chance of getting a decent implementation on Windows. The implementation and integration on OS X are sublime, but Windows still leaves a LOT to be desired.

And NO Linux client. I keep hearing great things about 1password, but lastpass runs on my systems..

The 1Password X extension works great on linux [1], including Chrome and Firefox.

We use the Teams feature with developers across macOS, Linux, and sometimes Windows. The web interface allows us to manage multiple password "vaults" in a single place, and those credentials are then easily accessible via the browser extension.

[1] https://support.1password.com/getting-started-1password-x/

It's sometimes a bit funky in the update times though. I'll add a password or note and I'll have to wait till the next reboot or some other uncertain amount of time until I'm able to access that pass/note in 1Px

Still blows LastPass out the water even with that flaw.

I agree that 1Password on Windows has issues, but I feel like the developers got screwed by Microsoft on this one: they went all in on a UWP version, then had to throw all that out and basically start from square one when it became clear that UWP was a dead end. So I cut them some slack on that score. 1Password for Windows is improving, it's just taking a while (version 7 is a big step up, for example)

UWP is such a dead end that all new Windows 10 APIs are UWP only.

Last time I checked, about half of the windows market is running Windows 7 which doesn't support UWP. So UWP is a dead end for anyone who needs broad compatibility.

Windows 7 is a dead end. UWP is the future, however shitty it currently may be.

Windows 7 is having beers with XP at retirement home.

How exactly is UWP a dead end? Genuinely asking.

> Apple had very specific requirements for this deal, code-named B2

Guess B2 was the code-name for a different project, one focused on leak detection.

That's weird — I'd read on the internal memo it was going to be called K5.

Certainly wouldn't be the first time a company didn't want the public to know it was talking about being acquired.

There's a difference between being quiet about an acquisition and just completely lying about it though- especially from a company that relies on being considered trustworthy

If they said, "1P doesn't comment on rumors, etc or we have no comments at this time" like Apple it would be very off brand for them and would make people assume they were getting bought. If they didn't say anything people would assume they were getting bought. So all they can do is deny without blatantly lying such as they can't say something like, "we have had no talks with Apple about an acquisition or offering our special program to apple employees.". But they can say something like rumors are false, since they don't say what part of the rumor is false, and they aren't planning to sell until they actually do. We'll know very soon if Apple employees do get a special version soon and if that part of the rumor is true, one can assume they eventually will purchase them, or talent purchase.

They say that they currently plan to remain independent. It doesn't mean there're no acquisition talks. And also this doesn't mean that there're no conditions under which they consider being acquired.

Very glad to hear it. Last thing I need is for a neglected/abandoned Android version of 1Password.

That's encouraging. Given the usability (or absence of such) of iTunes etc. I would hate to have to look for a replacement for 1passwd.

Negotiating tactic perhaps...

There's rumors that Apple will release a Prime like service. It would be very nice to see Music, 1Password, iCloud Storage, and whatever TV show they are working on bundled into an annual subscription.

It would be lame if Apple bought 1Password and continued to charge for it. It doesn't have the same economics of stuff like storage or music streaming and should be free if backed by a company like Apple. I have no problem at all paying Agile Bits, but I don't want to pay Apple for a password manager.

So, on one hand, I agree, password managers/FIDO should basically be part of every OS/browser and tech companies should come together to make it all interop seamlessly for the good of society.

On the other hand, the biggest barrier to adoption that I have found is people losing their master password. And supporting good account recovery is difficult and expensive. A subscription service that actually had a real way of validating identity for account recovery could be something worth paying for, for people who are not very tech savvy.

Maybe we can come up with a good account recovery service without dedicated customer support folks, but the moment you have a bad experience, you're probably going to go back to Password123.

Any possibility of account recovery completely torpedoes the product's security.

But in the real world, should there be account recovery, or widespread password reuse where hacking random sites gets people's passwords to more important sites?

Neither. And that's a false choice.

That's really interesting, keen to read more if you could share a link? The only thing I could find was this - https://redef.com/original/apples-prime-and-explaining-apple...

Had this thought yesterday when I switched to Apple Music and wondered why they don't bundle their services... could even offer regular handset updates.

They could of course do that without an acquisition, just a business deal with 1Password.

Could someone please try to convince me why I should be using anything other than Bitwarden? In years past I’d exhaustively review my options for password manager. When LastPass was acquired by LogMeIn I stumbled upon Bitwarden and haven’t seen any news or commentary which has caused me to rethink that decision.

Edit: zero affiliation with Bitwarden

Why don't you convince us?

1Password seems to be OK. I use it and pay subscription. Except for frustrating login experiences with some websites, don't have any problems.

Never heard of Bitwarden, doesn't seem particularly compelling compared to 1password.

1Password is amazing. Hopefully Apple doesn't even touch them, and they continue developing that CLI that's been hinted at and teased a few times.

Isn't the CLI already released? See https://support.1password.com/command-line/

I haven't used it, so I'm not sure how feature-complete it is.

I tried to use it, but the syntax is way more complicated than it needs to be to retrieve a simple password. After 10 minutes of trying to figure it out I gave up and just used pass instead.

If anyone knows how to use it to retrieve passwords / copy them to the clipboard, I'm curious because we use it at work.

edit: It looks like it might be possible [0], but it requires a long command or a command alias. The lack of tab completion is kind of problematic though.

[0] https://gist.github.com/justinline/e11ac0f08f267502b9e963624...

    # jq -r prints the raw string, so quote characters inside the password are preserved
    op get item <name or UUID> | jq -r '.details.fields[] | select(.designation=="password").value' | pbcopy

will put the password for <name or UUID> on your clipboard on a Mac. (I'd probably wrap everything before `| pbcopy` in a function so it's easier to call and use directly if you don't want to copy the value)
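
The function wrapper suggested in the comment above, as an added example that is not part of the original thread or of the 1Password CLI. It assumes the `op get item` JSON layout implied by that comment's jq filter; the function names and the sample item are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample JSON below are constructed.

# Read `op get item` JSON on stdin and print the password field as a raw string.
# jq -r avoids post-processing the quoted JSON output; -e makes the function
# fail (non-zero exit) when no field has designation "password".
extract_password() {
    jq -er '
        [.details.fields[]? | select(.designation == "password") | .value]
        | first // empty
    '
}

# For comparison: printing the JSON-quoted value and deleting every double
# quote afterwards corrupts a password that itself contains a quote.
strip_quotes_variant() {
    jq '.details.fields[] | select(.designation=="password").value' | sed 's/"//g'
}

# Fetch an item with the 1Password CLI and print only its password.
op_password() {
    op get item "$1" | extract_password
}

# Copy the password to the macOS clipboard without a trailing newline, then
# overwrite the clipboard after a delay (default 30 s) so the secret does not
# linger. Note the delayed clear replaces whatever is on the clipboard by then.
op_copy() {
    pw=$(op_password "$1") || {
        echo "no password field found for item: $1" >&2
        return 1
    }
    printf '%s' "$pw" | pbcopy
    unset pw
    ( sleep "${2:-30}"; printf '' | pbcopy ) &
}

# Constructed sample item in the assumed layout; the password contains a quote.
sample_item_json() {
    cat <<'EOF'
{"details":{"fields":[
  {"designation":"username","name":"user","value":"alice"},
  {"designation":"password","name":"pass","value":"p\"ss w0rd"}
]}}
EOF
}
```

Source the file and call `op_copy <name or UUID>` after signing in; `op_password` prints the value for use in a pipeline instead.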

Neat, TIL they have a CLI

1password is a proprietary walled garden. There are many like it, and they are all traps.

It's not a trap, it's just convenient to use. I can export my data in a CSV format that can be imported in another password manager if I choose to do so in the future.

The format is also openly documented [1] so theoretically third party clients can emerge to consume that data.

> We believe security shouldn't be proprietary. 1Password only uses standard, documented data formats and encryption methods, so you can import and export your most important information at any time.

[1] https://1pw.ca/whitepaper

It's a trap because you have no way to audit the code, you have no idea what they are doing with your information, and some of us are unwilling to trust the word of a charismatic CEO.

I also have no way to audit how UPS handles my packages, how my dentist handles my records, how Papa Johns handles the ingredients that make my pizza, etc.

It's pretty standard to not be able to audit a company, and most of us do business with all of those companies anyways.

> how UPS handles my packages

It's pretty obvious when UPS mishandles your packages, it's either missing, damaged, visibly opened (e.g. security tape broken). It's likely very rare that they would 'mishandle' a package in such a way that you would not be able to notice. Companies like 1password can (and likely do) use your information in ways that are impossible for you to detect, so this analogy does not apply.

> how my dentist handles my records

In the US, you have HIPAA, and there are big penalties for mishandling medical records. The same does not exist for businesses like 1password, so this analogy does not apply.

> how Papa Johns handles the ingredients that make my pizza,

There are sanitation and food handling laws (in the US), and food service companies can get shut down for mishandling food. The same does not exist for businesses like 1password, so this analogy does not apply.

Edit: Since HN's commenting system arbitrarily limits the depth of comments:

My point is that your analogies are not similar. In your analogies, there are legal penalties for violation, whereas in the case of 1password, there are 0 legal penalties and very likely 0 financial penalties for malicious behavior when it comes to your information. In case you still don't believe me, see: Equifax. We can all trust their CEO now, right? (wrong)

All of my analogies are intended to be similar situations, not identical situations. It's inaccurate to say that they don't apply because they aren't identical.

Yes, there are regulations and consequences for mishandling food and patient data but I still have no personal way to ensure that these practices are followed. In the end, you have to trust the entity that you are doing business with. The same applies to 1Password.

I have no way to audit the code of an open-source password manager either, because I'm not a security/encryption expert. So either way I have to trust in third-party auditors, and 1Password has been audited and found secure.

In that case, would you rather trust a crowd of people not affiliated with the company, or (best case) a handful of other companies paid by the company (with an almost certainly controlled press release)? I'd choose the former, but 1password and other proprietary solutions don't want you to choose that.

For encryption and security software, I'd rather trust experts. "The crowd" is useless no matter how big it is if they don't understand the domain, hence why even FOSS can contain security howlers like Heartbleed or the Debian OpenSSL fiasco.

Which is not to say that FOSS can't be secure, but getting back to my original point, since either way I have to trust experts, I might as well pick the product that wins on functionality and polish.

Who said folks in 'the crowd' aren't experts? Sure, many aren't, and there's noise, but you get that same thing even with 'professional auditors' (some pass themselves as experts but aren't). In the latter case, at the end of the day, you have to trust some charismatic CEO because you have no other option if you want to use their product. That's a terrible wager to take from a security perspective.

I don’t understand this deal. What’s in 1Password that isn’t in iCloud Keychain or easily added to it? Windows and Linux support? Is that worth much to Apple? If so, why?

When 1Password noticeably improves the usability of all your competitors’ platforms, buying it and killing it makes sense.

I'm a LastPass user and have never used 1Password, but is 1Password really better than the competition (like lastpass)? Buying your only competitor and shutting it down is great, but buying one of many similar competitors just seems like it would bolster adoption of the others and improve their market position more than it would improve yours.

1Password is an order of magnitude better regarding the UI and UX.

Luckily there are plenty of alternatives that are comparable.

Probably the team vault management stuff and ability to use it across different browsers. There's a lot to be said for not-adding any kind of group management to iCloud Keychain.

I've never understood the appeal of paid password management services like 1password. Is there any benefit to using this over something like KeePassXC + Dropbox?

You can also sync 1Password with Dropbox and avoid a subscription or the cloud service.

It also has a neat feature where it can discover other peers on the network and auto-sync the password for use when the clients are offline.

Overall, the quality of 1Password is amazing and I'm sure that had a lot to do with the fact they get paid to do it too. Open source is great and I don't know if KeePassXC has a revenue model but I personally think my money spent on 1Password was put to good use.

Browser integration tools, mobile apps, shared passwords.

> Browser integration tools


> mobile apps


> shared passwords

Cannot be done securely.

Usability. 1Password on my Mac and iPhones with iCloud as backing storage “just works”, and I trust iCloud more than Dropbox for secure storage.

Disclaimer: Using 1Password 5, which was a one time payment.

KeePassXC and Dropbox "just works," and it works on Windows, macOS, Linux, *BSD, Android, iOS, ...

Dropbox can be swapped out with other storage services.

> KeePassXC and Dropbox "just works," and it works on Windows, macOS, Linux, *BSD, Android, iOS, ...

At least on iOS, this doesn't appear to be meaningfully true. With 1Password if I have navigated to a site's login page in Safari, all I need to do is hit the 1Password Activity button and it will populate my name and password.

With "Keepass Touch for iOS" my options are either: "You're browsing wrong. If you want to log in to something, use the integrated browser" or "switch apps from safari to Keepass, copy username to clipboard, switch back to Safari, paste username, switch back to Keepass, copy password, switch back to Safari, paste."

No thanks. This is still meaningfully behind in the usability department.

Why is that? Dropbox has a pretty good record, no?

And ultimately, the point is 1password’s db should be well encrypted so you don’t have to trust the underlying storage.

> Why is that? Dropbox has a pretty good record, no?

Not so much. My creds were leaked in their 2012 breach.



They’ve been around since 2007 and are an obviously juicy target. To me that’s pretty good.. even companies like google get hacked.... and that breach was 6 years ago? Any major breach since then?

> secure storage

The passwords should be encrypted at rest (and are with KeePassXC), so Dropbox' (or iCloud's, for that matter) security is irrelevant.

> Using 1Password 5, which was a one time payment.

Version 6 was a free upgrade.

If Apple has thus far dogfooded iCloud keychain, will it now suffer? :(

Could it possibly become any worse? The UI has always been lacking, and functionality has gotten worse over time (e.g. aws-vault cannot actually work without popping up a prompt window every other minute since a recent update to OSX). Discoverability is poor, there are a hundred keychains ("login", "icloud", "system") and even I as a security conscious IT professional don't know what they mean, god have mercy on the casual user finding their way. Where are which passwords stored? WiFi passwords are stored across multiple chains depending on OS updates, but not migrated across. To view the password of a single item I have to enter my password twice, for some reason: once to.. unlock the keychain, once to unlock the item? Or to allow "keychain" access to the item? What?

God, the icloud keychain cannot die soon enough. What a shit show.

Wow, it's interesting how different people's perspective can be.

One of the deciding factors for me switching 100% to iOS and MacOS was the unified keychain across all browsing and apps. For the first time in ever I rarely do password resets in an app. There are a few apps that "brilliantly" roll their own password input fields and those don't work, but they are rare. And a few websites that split the username and password onto separate screens that are kind of hit or miss, but again rare. And on the ios12 beta, the keyboard grabs one-time sms codes and auto-inputs them with one tap.

From my layman's perspective I have one keychain and it has everything in it. And it just works 99% of the time. But I don't use it for AWS anything. I don't know or care about the different kinds of keychains -- they just work.

Not doubting your experience, just wanted to throw out there another one.

I only wish Authy (my current preferred 2 factor token generator) was more integrated with the Apple keyboard, but it has a widget that makes things pretty quick.

The 'acquisition talks' appear to still be a hearsay rumor but who knows. I am an Apple hardware/OS user, but I prefer other companies' services. Worried if there is an acquisition that Apple will make an inferior product and shut down 1Password :/

Apple already has an inferior product, the password syncing service built into iCloud. I'm not sure I see what value 1Password has to them at all except for its cross-platform support and more robust feature set.

Agreed, worried an acquisition would just absorb 1Password into the existing inferior product.

I hate it when big companies do this. They often shut down good products and then years later they've only implemented a fraction of the acquired product's feature set into their own product.

I'm hoping this leads to a better integration API for password managers in general on iOS. I use Bitwarden, and it's a real pain to log in to native apps using it - you have to copy/paste between the Bitwarden app and the app you're logging in to.

I've spoken with the Bitwarden team and they indicated that it was a limitation of iOS and there wasn't anything they could do on their end.

App store preview link: https://itunes.apple.com/us/app/1password/id568903335?mt=8

(no additional info, just for convenience looking it up)

I think this is in fact a good omen for the Standalone version of 1P. If Apple is going to be using that, you know they will not discontinue it as I was fearing they'll do some day or another.

Maybe they're just testing iOS 12 third party password manager integration?

Acquisition? This doesn't bode well for the Windows version of 1Password.

Why wouldn’t they extend their own native password management tool instead?

If this is an acquisition, Apple would integrate 1Password into their ecosystem, enriching it immeasurably, but the Windows, Linux, and Android versions would almost certainly be abandoned. That's a shame.

I'd view this as a way of adding support for Windows and Linux. One of the most irritating things about iCloud Keychain is that on my work computer (linux) I have to whip out my phone and look up passwords in keychain. Migrating to 1Password (and seamlessly integrating it into iOS) would be a huge value to everyone if they maintain interoperability. If they kill the other platforms, they gain nothing.

Apple makes Windows and Android apps, I don't see why this has to be different.

They make a very limited set of Windows and Android apps that are all clearly intended to drive sales of Apple Music and their hardware. (One of their three Android apps appears to be a "move to iOS" one, too.)

1Password for Android doesn't drive any Apple product sales.

Then again, when Apple acquired TestFlight, they discontinued support for Android with only 1 month's notice:


If Apple just wanted a password manager for their ecosystem, they already have one. iCloud does this. I'm very skeptical of the acquisition aspect to this story; cross-platform support, key-sharing, and enterprise management are probably useful features for Apple's employees but not particularly aligned with their consumer-facing service offering.

Hope they keep things working well for current customers

Off topic: does anyone know why using this kind of software would be more secure than storing the password ourselves in text files? I fail to understand as hackers / virus makers just now need to hack one software to get everything

Seems obvious, these managers store the passwords in an encrypted file. Requiring one (hopefully) really good password to lock it all down plus a 2nd factor option like TOTP or fingerprint.

I only have to remember one long complex password that I have never used anywhere else and that secures and encrypts all my other passwords. And rather than searching and copy pasting, a browser extension can fill in passwords when I request.

Add to that, a password manager generates a long and complex and unique password for every account I have so I don't have to make one up or go to another source to create it.

And one of the coolest features, though it doesn't work everywhere and I am only familiar with LastPass, is its ability to automatically change passwords. On certain sites, I can tell it to rotate all the passwords in my file. It logs in and makes the changes for me.

You can encrypt a text file on your computer as well. Doesn't change the fact that once decoded in memory or sent via the web browser it's all clear what your passwords are (here are the true security threats)...

They don’t store the password, they store the cyphertext where your single longer password is part of the key. If you wanted to do things that way yourself, my understanding is that you’d be just as secure if you stored the cypher text in a file on your computer.

Also these companies provide nice integrations with web browsers and OSes which makes using complicated passwords easier.

It’s true that a hacker with your master password would own the keys to your life, but that’s often true in general: despite repeated requests to not have a single password, most people have one or just a few passwords they reuse everywhere. This is a better way because you can focus on remembering one big password, add 2FA, and have unique, complex passwords everywhere else.

Now hackers only need to focus on an application like a password manager and they can impersonate you

If you are able to remember and type different passwords that encode 96-128 bits of entropy for all your services, logins and passphrase needs, without re-using a password or elements of it; then sure: it might be "more" secure to just use passwords.

I haven't looked too closely at 1password - but with for example bitwarden the master password is used via kdf to encrypt all data client side. If you don't self-host - you're still just a single service away from compromise (an attacker could log the passphrase in a compromised client) - but on balance I'd say it's more secure than trying to memorize dozens or more strong passwords.

Password managers facilitate password strength best-practices, which without them have ~0% adoption rate.

I prefer and pay for 1Password's subscription but I already tested the export and import into enpass.io: It works very well!

If the acquisition takes place, I will switch immediately. I am against vendor lock-ins and Apple is the first company I associate with that.
