by jlokier 1380 days ago
> Why would a password manager need so much money?

The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.

I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.

It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.


Isn't there already a standard for that: WebAuthn?

Hasn't really caught on, despite being several years in the making already.

Sure, a standard exists, but that by itself isn't a great user experience. If you actually try to use something like a YubiKey you end up having to register multiple keys with each site to deal with a lost key (assuming the site allows that in the first place). Then you have to remember which keys correspond to which sites, and remember to get your backup key out each time you sign up somewhere new, etc.

Google, Apple, etc. are building on WebAuthn in order to allow a trusted third party to "sync" the keys, solving the major usability hurdle for most people (as with all things security related, there's an obvious tradeoff in injecting a trusted third party, but for the vast majority of people that tradeoff still results in a significant net risk reduction). I assume Bitwarden is angling to build out their own version of something in this space.

https://www.imperialviolet.org/2022/07/04/passkeys.html

I'm probably more excited about passkeys than most, but I don't see why you need $100M to add support for that. It's a pretty straightforward addition to existing password managers. Might even be easier to support than it is to build a user-friendly password autofill, all things considered.
I find that the easiest way to handle backup keys is with a printout of 10-20 pre-generated auth codes, which go in my safe. Much easier than having a backup hardware key I have to remove and then replace from my safe each time I need to add a new service.
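As an added illustration of the printed backup-code approach above (and of the lost-key problem raised earlier in the thread), not code from any commenter: server-side handling of pre-generated single-use recovery codes, stored only as salted hashes and redeemed with a constant-time comparison. The code format, alphabet and class names are my own assumptions.

```python
# Added example (not from the thread): single-use recovery codes of the kind
# described above, stored hashed so a leaked database does not reveal them.
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/o, 1/l/i) so a printed code is easy to type back.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
GROUPS, GROUP_LEN = 2, 5  # e.g. "k3n7p-2xq9m", about 49 bits of entropy per code


def generate_recovery_codes(count: int = 10) -> list[str]:
    """Return `count` fresh plaintext codes; show these to the user exactly once."""
    def one_code() -> str:
        return "-".join(
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(GROUP_LEN))
            for _ in range(GROUPS)
        )
    return [one_code() for _ in range(count)]


def _normalize(code: str) -> str:
    # Tolerate upper case, spaces and missing dashes when the user types the code back.
    return "".join(ch for ch in code.lower() if ch in CODE_ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + _normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Server-side records: per-code salt, hash and used flag. Plaintext is never kept."""

    def __init__(self, codes: list[str]):
        self._records = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._records.append({"salt": salt, "hash": _digest(code, salt), "used": False})

    def redeem(self, submitted: str) -> bool:
        """Consume a code: True on its first valid use, False if unknown or already used."""
        match = None
        # Hash against every record, even after a hit, so timing does not reveal which slot matched.
        for rec in self._records:
            if hmac.compare_digest(_digest(submitted, rec["salt"]), rec["hash"]) and not rec["used"]:
                match = rec
        if match is None:
            return False
        match["used"] = True
        return True

    def remaining(self) -> int:
        return sum(not r["used"] for r in self._records)
```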
Which is great if you have a printer (and are near it when you're signing up for the account, and remember to do it, and remember to put it in your safe, etc...). Just because it's the easiest way currently doesn't mean there isn't substantial room for improvement in the usability of passwordless systems. Most users aren't going to go to the trouble of printing something out like that.
You can also use a pen, though your point on ease stands.
And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.
Yes, and what is that, like the 6th or more "auth standard" they all "agreed to" before promptly doing their own variations, which then get spun into a new standard they all "agree" to before.......
Even if that is the case, storing passwords across devices is a solved problem and not enough people are willing to pay for it to be a profitable business.

“It’s a feature not a product”

Given the number of businesses out there doing it I would venture to guess you are wrong.

Also, Bitwarden and other password managers are not just about storing the passwords. For example, on a personal level I use Bitwarden family to manage my parents' passwords and to assist them with issues on various services; this gives me a way to set up accounts and securely share passwords with them for the services, and vice versa.

For business we use the Enterprise products to share passwords for everything...

None of which is a "solved problem" at the OS or browser level.

Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?

> Why are large businesses “sharing passwords” between users? What happens when one user leaves?

Because not all products businesses use have fine-grained authentication and authorization. For example, their registrar for their domain names. And differing employees need access to it at different times.

> Isn’t sharing a password in a business context like “Things you shouldn’t do” 101?

What do you think Bitwarden does? It's fine-grained authorization over shared resources (passwords) that controls who can access them. You categorize, create roles, and give those roles access to specific passwords. When an employee leaves, you rotate the password. Every access is recorded for auditing. It solves a real business problem.

Lots of things would not have individual passwords, including:

1. Hardware Passwords

2. Break-Glass Accounts (used if SSO fails)

3. Vendor Passwords

4. Recovery Passwords

5. Local Admin Passwords for Servers

We also use it to store Backup Encryption Keys, VPN Tunnel Keys, SSL Cert Passwords, File Encryption Passwords, License Keys, etc etc etc

We also have our own Personal Vaults that are individualized, so we can access both our Personal Passwords and Company passwords in one interface that is Cross OS, Cross Browser, and has an API for programming interfaces.

None of which is possible with browser-based or OS-based password storage.

Realistically? Many services charge by the seat, so for a service that doesn't get used too often, a lot of places will use a shared account as a cost-cutting measure. Subscriptions add up.
> and not enough people are willing to pay for it to be a profitable business.

1Password is doing just fine.

Now they are also raising rounds of funding “chasing after the enterprise”. Every single time a small bootstrapped company tries to “accelerate growth by going after the enterprise” the product gets worse for consumers. See also DropBox.

1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.

> 1Password’s desktop app is much worse than it used to be, all while each platform's built-in capabilities are getting better.

I keep reading this, but as a user of 1Password over the past decade or so, the functionality hasn't changed much. I'm confused as to what they're spending all the VC money on, because these rewrites haven't done much; but in terms of functionality, I think it's best in class.

What am I missing?

From the founder of 1Password: would love to learn where you think it is worse.

1Password 8 has a ton of new features and it is faster than the previous version. Some of the new features like Universal Autofill and SSH Agent do not exist in any other product. It also fixes many problems that accumulated in the app over the years.

More on features here: https://1password.com/products/features/

A more visual description of what's new is here: https://1password.com/mac/

That's because they did a complete rewrite of it, something they talked about on a couple of podcasts before they took on funding.