It uses gpg to encrypt passwords that are then stored locally, but can be synced using Dropbox, rsync, unison, etc. It is a command line program, so it doesn't have things like browser integration, but on a mac, a little Automator magic alleviates most of that pain. Besides, after trying 1password, lastpass, and a few others, the browser integration was usually a source of frustration instead of convenience.
For my setup, I have a keyboard combo mapped to an Automator action that gets the current URL from Safari, passes it to a shell script that strips out the hostname, then uses pass to copy the password to the clipboard for 45 seconds. Then, I use another script to have a notification pop up with my username in case I've forgotten it. So I press "cmd+\", then a second later I have my password in the clipboard and my username showing on a temporary desktop notification.
I'm also using pass to store bank credentials, software keys, and other things. I also have it set up to use a different gpg key to keep a journal. It has turned out to be a very versatile and reliable piece of software.
1) one of the reasons I use a password store is to share passwords with my wife. I can't imagine her using this
2) iPhone? Android?
3) 1password's integration with the browser is very helpful: since I've been using a linux box as my day-to-day machine (where 1password doesn't have a native version), I've been using it significantly less, because it adds friction. On Mac OS, I would just auto-gen a horrific 12-16 character random password for any website, and have it automatically saved to my 1password.
As you might guess, I have high hopes for Mitro, especially if they (well, I guess it's now we) can create a compelling don't-use-their-host story (either hosted, or file-based (eg. dropbox)) and pass at least a cursory security smoke test. :-)
It depends on how you do it. If you use the local app storage, it's protected via the OS. Only the App itself can read/write from it.
If you use "USB Storage" then the data is stored on the sd card or equivalent. Any other app with the USB Storage permission can read or write to that directory and it's very much not secured.
As for interfacing with other apps to "autocomplete" your password, there are permissions and ways to do that too, although I can't speak for them since I've never done it.
iOS8 makes it possible (thankfully!): http://blog.agilebits.com/2014/07/30/introducing-the-1passwo... - although I'm not sure how it'll work if you store your keychain on Dropbox.
From the homepage:
> pw is an alternative to pass, keepassx and other similar programs.
> The main points of pw are:
> * The passwords are stored using a simple line-based text format.
> * Passwords can be protected using public-key encryption or symmetric encryption. Or both.
> * No information about the accounts is stored in clear-text.
> * All the work is done using only GPG and Unix tools.
> * The output is easy to use in pipeline with other tools.
> * Follows the XDG Base Directory specification: no clutter in your home directory.
Pitch in on Github: https://github.com/mitro-co/mitro
Would you mind talking about your strengths and weaknesses compared to KeepassX?
This is a very particular kind of attack, however, and it doesn't necessarily mean other weaknesses will be exposed. Cryptographers, though, are a conservative sort by nature, and many feel more comfortable sticking with AES-128, which was part of the original Rijndael specification and what was designed most rigorously. AES-128 also seems to have had the fewest weaknesses developed against it. The fact that any attack succeeded in reducing AES-256 to below AES-128's security can give crypto folks pause.
I think realistically they are all very safe and AES-128 is unlikely to be broken by anything within the next decade. After that? I wouldn't wager.
It does not seem anywhere near as mature as Lastpass though. There are no additional features such as a credit card or notes store. Also, it seems buggy since I was only able to log in once through the Chrome extension.
I guess I will stick with Lastpass for now.
It's a sunk cost at this point, but owning 1password on 3 platforms is expensive. $70 for my laptop and desktop, and another $18 for my phone. But I bought into it because the Mac version is great and I was primarily a Mac user at the time. Oh well.
Yeah, it's pricey, but in the end I think it's worth the aggravation and time it saves me.
The notification says it's synchronizing with my chosen cloud provider, maybe it doesn't want to get inadvertently killed during that process. Okay, fair enough. But can't the notification be removed after it's done? (An honest, if rhetorical question; don't know enough about Android to say for sure.) I have enough special snowflake apps sticking their crap in the notification bar, one less would be nice.
You are not alone in requesting less clutter in the notification drawer. This is a popular request that we have received from a number of our customers.
We pride ourselves in considering all feedback from our customers and I'm happy to say that we've made improvements in this area. In our upcoming 4.1 update, successful sync notifications will be automatically cleared from the notification drawer.
We are planning to release the 4.1 update on August 19th. Feel free to read our blog post for additional details: http://blog.agilebits.com/2014/07/26/1password-4-for-android...
I'm using it on Linux (under Wine) and works well. The Chrome extension is a lot better.
Agreed. The v4 Windows client is much, much better than the old v3 - and finally allows you to use the same Chrome extension. I previously had to run two versions of the extension (and all the frustration that brings) if I wanted to use 1Password on my Windows installs.
It has a desktop app, a browser extension, as well as Android and iOS apps.
I'd been dual-booting OS X / Windows on my desktop already because Apple's GPU drivers are garbage, so it wasn't a huge step. Dropping OS X completely was mostly based on being a game dev hobbyist who's doing a lot of 3D work and digital painting. OS X had turned into a web browsing and email platform for me, and I can do that just as well elsewhere.
The experience with 1password is far from unusual though; Windows doesn't have a lot of developers making software of any quality. For every Mac program I try to find a substitute for, Windows has 30 different options that are all equally bad (looking at you, IRC clients that aren't Colloquy). So if you rely on a lot of little 3rd party software, it's not a good ecosystem. But if all you need is Firefox, blender, Unreal Engine, and Substance Designer, it's not a problem.
And that's not even mentioning the price of a Mac with an upgradable GPU. I could do yearly GPU upgrades on my desktop and still be cheaper than a baseline Mac Pro.
I love the functionality of LastPass, I really do, but man their UI is terrible. I trust them from a security front though and in the end that is what matters most to me.
If Mitro builds up that same rep then I'll switch over, but until then waiting it out. (sorry!)
https://spideroak.com/
https://github.com/devgeeks/Encryptr
While I really appreciate the value of having the client and server code open sourced I don't want to run my own server nor do I want to sign up for a service that, with the changes that will likely happen after the acquisition, could disappear without a lot of warning.
Can anyone clear this up? from Mitro, EFF?
Congrats and thanks!
Do I seriously have to click manage->delete secret thousands of times just to reset Mitro?
(Sorry, didn't mean to be that guy, but seriously don't know why people expect a clearly new piece of open source software to do everything they want.)
* KeePassX has a consistent UI across Windows, OS X, Linux
* It's a small, portable binary. I've had good luck running the Windows and Linux binaries off of USB drives.
* Alpha 5 and Alpha 6 have been really stable. I started using Alpha 5 and haven't had a need to look back.
I've been recommending KeePassX as the go-to password manager for Windows, OS X, and Linux over Keepass.
KeePass' encryption is quite solid -- if it starts to show some cracks in the face of quantum computers or whatnot somewhere in the future, I can always upgrade and change my passwords so the old database isn't valuable any more.
That'd be a PITA, but I don't expect this to happen -- nor for the govt to come up with a huge vulnerability that no one else sees -- so that's the kind of bet I'm comfortable taking.
I don't need realtime sync, I'm happy to manually copy it across when I make changes, just curious what the proper way to do it is, if not via Dropbox.
It's Snowden-approved! http://blogs.wsj.com/digits/2014/07/17/snowden-says-drop-dro...
I have an android phone. I use a technology called a "USB Cable" to transfer files onto it.
Sadly that is also very insecure:
but at least it is safe against remote intercepts.
"For security, the online password databases are encrypted with client-side keys derived from your master password"
> but not increase the number of possible keys
So yes, if your password is weak, then it won't make it strong.
> while actually lowering security (since hash collisions can occur)
But I think you're wrong here. On a human password of 30 bits of entropy, there is very little chance of collision. If one collision were to happen, you'd still have a key space of (30^2) - 1, which is very much the same number.
edit: they may be salting with the username or email address.
Personally, I'd trust Mozilla with at most my bookmarks/settings/tabs. Keep your security safer with people dedicated to just it. Doubt that's an endorsement for Mitro, though. At least for now.
Why would Mitro join Twitter’s location team to work on "geo-related projects" instead of identity and authentication projects like "Sign in with Twitter"?
Looking around, this has a long way to go before it is able to compete feature wise with current commercial managers.
Also, it's going to take a long time, security-wise, to get up to par with the current commercials as well. It sounds like I'm being harsh but there are a lot of possible issues to consider. An HSTS header would be a nice start......
So unless you want to spend a lot of time repeatedly trying to delete duplicates (created by failed imports) and/or every single entry, stay away, for now.
Cost is zero, available on all platforms that you care about, and it's a stable format. What more do you want?
Cleartext cloud storage is a no-no. Browser integration from my POV is really dangerous as well... trying to keep secrets using the most widely attacked platform out there sounds like an exercise in futility.
*You can't beat the carrot!
Passwords? They're for Sundays.
Doesn't matter; nobody is going to remember fifty different ones. I have more website logins than that. Password reuse is going to happen and it is bad.
The only secure way is for each password to be made up of a unique long, generated string of "random numbers, letters, symbols" for maximum entropy and stored in a password manager. The user just has to remember the password manager's master password (and maybe a desktop PC login). Now these remaining memorised passwords can be long nonsensical sentences if need be.
I meant the master password. Mitro's password strength meter uses guidelines which are becoming (are?) old. So let's just move away from that altogether (for passwords that people should remember) and do something that makes it easy to use lots of characters.
Given the complexity, many people I know just save their passwords in plain-text.
Am I wrong in expecting it to work exactly like Lastpass did?
"Congratulations on adding your first secret to Mitro"
This makes me a little uncomfortable. How do they know? Why should they know?
Edit: I could not find those words in the github repo.
> Mitro is distinctive amongst free/open source password managers in that it's architected around cloud storage. For security, the online password databases are encrypted with client-side keys derived from your master password. For availability, they are mirrored across three cloud storage providers. With this design ... passwords can be synchronized across all of your computers and devices with minimal effort.
So presumably they sent the email only after I sent them the first "blob of gibberish" telling them I added _at least_ one entry to my password database.
Presumably they don't know if and when or how many entries I have. In this case they only noticed the first time I sent in my encrypted database.
We unfortunately don't have a great description of the protocol. The closest you can get is to look at the RPC proto spec:
It's not been a flawless experience, but it works -- what are the problems you've seen?
I say this as a mostly satisfied LastPass (Personal) user.
I suspect there are bugs in how the (locally-cached) LastPass vault stays up to date, possibly coupled with a delay on the server side for updates to be propagated to all vaults.
Just from my experience working with encryption... I'll bet the sharing process is fiddly, and they have some unresolved flow problems. E.g., imagine a new folder share offer is encrypted and queued for the recipient's vault, and can't be merged in until the recipient next signs in... but depending on their browser plugin settings, they may only sign in once every few weeks. So the plugin pings for queued updates and can send up auth keys... but already we're getting into enough complexity that bugs would be likely.
(I don't actually know how their folder sharing functions, but deploying encryption where the server only occasionally has the keys can quickly make simple requirements turn into Rube Goldberg contraptions...).
In our case, the shared folders eventually showed up for everyone (we specifically tried signing out of LastPass and restarting browsers... though I don't think we quite nailed down an "always works" solution), and once the basic shared folders were set up, it was smoother sailing.
It actually is possible to create unique passwords for every website and remember them without inhuman displays of memory. To do so, there are two basic things you need to remember:
1) A unique base password
2) A simple hashing function
The input to the hashing function can be the company's name or website address (an overly simplified example - your hashing function could be the first two characters of the website's domain name). A unique password for any website could then be:
password = hash_function(domain) + base_password
A very simple way to create unique passwords for every website, inhuman memorization skills not required.
Not so with external websites — if you use the proposed strategy on two websites with poor security (something which is completely opaque to you), your passwords are compromised.
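The "hash_function(domain) + base_password" scheme from the earlier comment and the objection in the reply above, as an added example (not code from either commenter). The site function, the sample base password and the domains are constructed; the HMAC variant at the end is a hypothetical alternative that goes beyond the thread, to show what a keyed derivation changes and what it does not.

```python
import hashlib
import hmac


def site_hash(domain: str) -> str:
    """The thread's toy hashing function: the first two characters of the domain."""
    return domain[:2]


def derive_password(domain: str, base_password: str) -> str:
    """password = hash_function(domain) + base_password, exactly as proposed."""
    return site_hash(domain) + base_password


def longest_common_suffix(values: list[str]) -> str:
    """Longest string that every value ends with (empty if there is none)."""
    if not values:
        return ""
    shortest = min(values, key=len)
    for n in range(len(shortest), 0, -1):
        tail = shortest[-n:]
        if all(v.endswith(tail) for v in values):
            return tail
    return ""


def base_exposed_by_breaches(leaked_passwords: list[str]) -> str:
    """The reply's objection, made concrete: when two sites that kept passwords in
    the clear are breached, the shared suffix of the leaked passwords is the base,
    and the short per-site prefix is then trivial to infer for every other site."""
    return longest_common_suffix(leaked_passwords)


def colliding_domains(domains: list[str], base_password: str) -> dict[str, list[str]]:
    """Domains that receive an identical password under the scheme: password reuse
    comes straight back as soon as two domains share the characters the toy
    function looks at."""
    groups: dict[str, list[str]] = {}
    for domain in domains:
        groups.setdefault(derive_password(domain, base_password), []).append(domain)
    return {pw: ds for pw, ds in groups.items() if len(ds) > 1}


def keyed_derive(domain: str, base_password: str, length: int = 20) -> str:
    """Hypothetical alternative (not from the thread): HMAC-SHA256 keyed with the
    base, so leaked site passwords share no recoverable substring with it. It is
    still stateless, so a leaked site password cannot be rotated without changing
    the base for every site, which is the remaining argument for a password manager."""
    mac = hmac.new(base_password.encode(), domain.encode(), hashlib.sha256)
    return mac.hexdigest()[:length]
```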