Regardless of your answer I think these questions make it clear that you should definitely consider adding some more detailed explanations to your website about how exactly your product works. Especially for a security related product this is pretty important.
I say this as someone who is very interested in paying someone to solve this problem for me.
We actually have a security FAQ up here: https://www.meldium.com/security. The link is currently buried in our TOS, thanks for pointing out that we need to give it more exposure! We're definitely open to feedback as to what's not adequately covered.
It also means employees at Meldium, Heroku, and AWS (and someone who can compromise the security of any of these) has access to your passwords.
It's probably a reasonable trade for a lot of services -- I'd probably use it for an analytics dashboard, etc., but probably not for admin interfaces to do stuff to customer data (which you presumably could set up with individual user accounts and group/role management, anyway). This seems to be aimed at the ~bunch of low security passwords which are either the same across your whole business, or stored in a google docs spreadsheet now, not the most important credentials for your users.
I'm going to take that as a yes. Given all the recent hackings of Google, Apple and Zendesk, I don't think I would feel comfortable storing all my passwords unencrypted with anyone.
When you say "on our end" what do you mean exactly? You log in from your servers? So the password never actually gets sent to the employee? Just the session token?
It turns out that there are very few services for which this is the case (imagine if you had to log back in to everything every time you switched wifi networks). Having said that, we have some innovative ideas for supporting the few services that have this restriction - stay tuned to http://blog.meldium.com for details.
So any service this works for (sans the manually integrated ones with service knowledge) should be highly suspect for security practices, as they are doing nothing to prevent session hijacking. You're basically offering Session Hijacking as a Service. That's rather genius.
I don't mean this to criticize you, one of the first scripts I ever sold was a better UI to a service that basically used Cross Site Request Forgery to do the work.
I submitted something very similar to YC last year with the same implementation. Works in practice but it's insecure.
The solution I'm going with now is a native client that creates the cookies locally which the browser extension then accesses. Mine's also not immediately marketed towards teams but rather individuals.
This can be done using SSL proxying. You can run a proxy server and send the HTTP login POST request (with a fake password) through the proxy server. The proxy server can in turn replace the fake password with the actual password and forward the POST request to the end website.
It is also possible to run the proxy server on the end user machine and use a mechanism called SSL tunneling to securely replace the password. Its hard to explain it here but it can be done. The benefit of running the proxy on the end user machine is that you don't have to route your traffic through a remote proxy.
I have a system which has this thing working - will open-source it under github soon.
I doubt it's a local proxy since it's a Chrome/FF extension. Or maybe I've not kept up with the state of Chrome/FF extension development and it is completely possible to write a proxy that runs within the browser.
This is really cool. We use 1password with the 1pass file stored in a Team dropbox, but 1pass still doesn't have any group-facilities so we have to revoke/change passes by hand when someone leaves, etc. Very much looking forward to trying this out.
One thing that groupware password things never remember is that folks like to use their personal services, too, and requiring multiple-accounts for personal stuff is not workable.
Is there support for personal (e.g. private only to my login) accounts? That way, I could store all my stuff with a single browser plugin...
Yes - by default your logins are only available to you, and they are only shared with the individuals that you explicitly add. We definitely want folks to be using the same tool for both team and individual passwords.
Sharing an account is a breach of terms of service on most of the services where this system would be used. It's really not clear to me whether every supported service has actually opted in to being handled by Meldium, or if it's something driven by clients, or even simply set up by end users. I could imagine a SaaS vendor might not be very happy with someone providing tools to help users get around their per-seat licensing model by automating account sharing...
We're not looking to help anyone evade a vendor's pricing model. The unfortunate reality is that many services do not support multiple user accounts, and customers have no choice but to share.
For services that do support many users, we have deep integration that actually creates individual accounts for every new employee you hire. We have almost 20 of these services integrated now and we're always looking to add more.
We've had the opportunity to talk to many service vendors in the process of building Meldium and the response has been overwhelmingly positive. With provisioning integrated, Meldium removes one of the barriers to service adoption - it makes it easy for a company to add more accounts when the hire more people, and service vendors love this. We're always looking for tighter and higher-quality integrations with vendors - if you run a SaaS app and you'd like to see it supported on Meldium, ping me at brad@meldium.com and we'll find a way to make it happen.
Thanks.. but you still didn't make it clear whether Meldium always works with the service-provider's co-operation and authorization, or whether you support account-sharing for services your customers want to use, without the vendor's explicit permission.
I was initially very excited by this as I skipped over the part where it was "Shared App Passwords". I'm currently using 1Password and sharing the password file via a dropbox account, however, as I look into the details, it appears Meldium would only work for a portion of what we use 1Password for.
I need a solution like this, but allows the storage and potential sharing of other types of passwords not associated with a specific website or service (server passwords, door codes, etc)
We definitely agree that this can apply to more than just apps and we may extend to more kinds of data over time. We just opted to focus on apps for this first release.
We think of Meldium as a tool for sharing accounts, not for just sharing passwords. While there are a lot of password managers out there, none of them are built for teams first. Meldium's browser extension makes passwords go away completely - they are never echoed or revealed to your teammates. We wanted to build a product that has geek-level security but also fantastic UX for end users of any technical sophistication.
We think of Meldium as a tool for sharing accounts,
not for just sharing passwords.
Meldium seems to be a tool for sharing web app accounts. Some of the accounts my team shares aren't for web apps.
While there are a lot of password managers out there,
none of them are built for teams first.
What about Passpack, which is what my team uses? Passpack has worked well for us, but I'm interested in alternatives because Passpack doesn't seem to be actively developed (bugs I reported months ago haven't been fixed and Passpack's blog is rarely updated).
I second the bizarre unfriendliness of LastPass enterprise. I have recently been using PassPack (https://www.passpack.com/) which has a decent pricing model and a fairly sensible sharing workflow. Browser integration is only bookmarklets and not as strong as LastPass's browser extensions, but for small group password sharing, it's been convenient enough so far.
"The second is a split infrastructure security system, which lets key data such as passwords be entered in by an admin and used for login purposes, but not extracted back out by rank and file users. “With this cryptography, the only thing that can come back out is the logged in account, not the credentials themselves,” Buda says."
This looks great and is close to something I've specifically looked for in the past. My only suggestion would be that the pricing is going to be awkward for my use case.
Typically we work with many small clients and one of our issues is managing access to admin sites etc for these clients across our team. We have relatively few 'users', perhaps 5 - 10, but a large amount of shared apps. I currently have around 100 sets of login details on file in 1Password.
Scary as hell. Download password safe and keep your crown jewels at home! I don't care if users never see the password or if they are encrypted on their side. Giving your Twitter, Github, or AWS?! keys to someone else. Jesus, this is the wrong idea and anyone who gets burned deserves it! This speaks to a wider trend of turning your business information over to other people. Your internal helpdesk, mail, wiki pages, your source code, and now your passwords?! Come on. A rouge employee and you are fucked!
It would be interesting to see what they offer if someone exposed their database and caused your financial ruin?
Don't worry about the rouge employees it is easy to spot the red ones, it is the rogues that you need to worry about!
But I fundamentally agree, you need to consider that in many cases you are not just subject to your own risks and threats (internal and external) but each of your suppliers (and their suppliers such as Heroku and AWS) and their internal and external risks added to yours.
The article doesn't really make it clear, but for each of those services we support (and prefer) multiple accounts. They can be connected under the "Team Services" link in the tool.
I'm not terribly worried about ex-team members improperly accessing accounts and the like. There are pretty powerful legal deterrents in place to prevent this not to mention that I believe our team is trustworthy. Plus, common sense dictates that we only give super sensitive account credentials to a couple people.
On the other hand, I'm terrified of giving my account info to a 3rd party. Seems like the sweetest hacker target ever.
I have been waiting for 1Password to add some kind of team feature for years. Even if it was as simple as adding an additional password file with a different unlock password, I would use that in a heartbeat.
They've really left themselves open to competition. Good luck to Meldium taking them on.
This looks fantastic. It sounds like it uses a similar setup as Lastpass, but with a service for startups to manage accounts. They should offer a free tier for end users to store and manage passwords ala Lastpass, and then keep the team focused features as a premium upgrade.
Thanks for the suggestion Jason. Our free tier actually covers up to five users, so it works great for both individuals and small teams. We knew that Meldium would be useful for large companies, but we've been surprised to learn that even very small teams love it too.
Great suggestions - we'll have it soon. If you'd like to suggest apps, hit our UserVoice at http://support.meldium.com/ - we use that to decide what to build next.
Can't I just sniff what my browser sends to the server?
I'm suspicious.
This is a real problem though.
PS: You might want to reconsider that name. Meldium, to me at least, just looks like someone typoed when trying to type Medium.