Hacker News new | past | comments | ask | show | jobs | submit login
Mitro Releases a New Free and Open Source Password Manager (eff.org)
248 points by gbarboza on July 31, 2014 | hide | past | web | favorite | 129 comments

I'll use this as an opportunity to give a shout out for my new favorite password manager: pass [0]

It uses gpg to encrypt passwords that are then stored locally, but can be synced using Dropbox, rsync, unison, etc. It is a command line program, so it doesn't have things like browser integration, but on a mac, a little Automator magic alleviates most of that pain. Besides, after trying 1password, lastpass, and a few others, the browser integration was usually a source of frustration instead of convenience.

For my setup, I have a keyboard combo mapped to an Automator action that gets the current URL from Safari, passes it to a shell script that strips out the hostname, then uses pass to copy the password to the clipboard for 45 seconds. Then, I use another script to have a notification pop up with my username in case I've forgotten it. So I press "cmd+\", then a second later I have my password in the clipboard and my username showing on a temporary desktop notification.

I'm also using pass to store bank credentials, software keys, and other things. I also have it set up to use a different gpg key to keep a journal. It has turned out to be a very versatile and reliable piece of software.

[0] http://www.passwordstore.org

Very nice, but:

1) one of the reasons I use a password store is to share passwords with my wife. I can't imagine her using this 2) iPhone? Android? 3) 1password's integration with the browser is very helpful: since I've been using a linux box as my day-to-day machine (where 1password doesn't have a native version), I've been using it significantly less, because it adds friction. On Mac OS, I would just auto-gen a horrific 12-16 character random password for any website, and have it automatically saved to my 1password.

As you might guess, I have high hopes for Mitro, especially if they (well, I guess it's now we) can create a compelling don't-use-their-host story (either hosted, or file-based (eg. dropbox)) and pass at least a cursory security smoke test. :-)

I'd love to find a way to securely share passwords with mobile devices. But from what I understand, there's no very secure way to do it on Android. If you store a private key on the device then other applications may have access to it. And with iOS, each app is its own silo, so I'm not sure how you'd get password autocomplete working. An ideal solution would allow selective sharing because there are some secrets you wouldn't want stored on your mobile device.

Applications are separated by Linux permissions on android. Attempting to read or write to other application directories simply won't work. Your fear is not correct for the average case user


It depends on how you do it. If you use the local app storage, it's protected via the OS. Only the App itself can read/write from it.

If you use "USB Storage" then the data is stored on the sd card or equivalent. Any other app with the USB Storage permission can read or write to that directory and it's very much not secured.

As for interfacing with other apps to "autocomplete" your password, there are permissions and ways to do that too, although I can't speak for them since I've never done it.

> And with iOS, each app is its own silo, so I'm not sure how you'd get password autocomplete working.

iOS8 makes it possible (thankfully!): http://blog.agilebits.com/2014/07/30/introducing-the-1passwo... - although I'm not sure how it'll work if you store your keychain on Dropbox.

You're absolutely right -- my setup comes with a lot of limitations. They are ones that I'm happy living with, but when family and friends ask for advice on passwords I point them to 1Password. Hopefully Mitro will become my new recommendation!

That is limitations I could live with, I'm interested to give it a go. Could you post the scripts on pastie/github by any chance to spare me some dev time? or my mail is in my profile

I'll use this as an opportunity to give a shout out for my own unix password manager that I started writing because I did not like some design choices of pass: pw [1].

From the homepage:

> pw is an alternative to pass, keepassx and other similar programs.

> The main points of pw are:

> * The passwords are stored using a simple line-based text format.

> * Passwords can be protected using public-key encryption or symmetric encryption. Or both.

> * No information about the accounts is stored in clear-text.

> * All the work is done using only GPG and Unix tools.

> * The output is easy to use in pipeline with other tools.

> * Follows the XDG Base Directory specification: no clutter in your home directory.

[1] https://github.com/gioele/pw

That looks neat -- I've been using a somewhat similar little home-baked thing of my own (simple shell script wrapping gpg), largely because I wanted a simple command-line password manager and this 'pass' thing I've been seeing linked in various places strikes me as (a) pretty poorly designed and (b) quite over-sold -- e.g. its author declaring it "standard" when it's clearly nothing of the sort is rather off-putting. There've been patches posted on the xmonad development mailing list recently adding support for it, but I'm really hoping they don't get integrated because I don't view encouraging increased use of it as a good thing.

What was your usage patterns with lastpass? For my use cases it works extremely well.

We're very excited to make this available to the community and welcome pull requests, bug reports, etc..

Pitch in on Github: https://github.com/mitro-co/mitro

Congratulations on the release guys.

Would you mind talking about your strengths and weaknesses compared to KeepassX?

For starters, maybe we should ask why Mitro is only using 128­bit AES (stated in their PDF design doc)?

AES-256 is not the most secure variant of AES any longer, as it appears that variant with key extension improves certain types of attacks. One of those, called a related key attack, requires only 2^119 time against AES-256, and 2^172 time against AES-192. (Time against AES-128 is approximately 2^128, I'd wager about 2^126-127).

This is a very particular kind of attack, however, and it doesn't necessarily mean other weaknesses will be exposed. Cryptographers, though, are a conservative sort by nature, and many feel more comfortable sticking with AES-128, which was part of the original Rijndael specification and what was designed most rigorously. AES-128 also seems to have had the fewest weaknesses developed against it. The fact that any attack succeeded in reducing AES-256 to below AES-128's security can give crypto folks pause.

I think realistically they are all very safe and AES-128 is unlikely to be broken by anything within the next decade. After that? I wouldn't wager.

Please see the answer by cryptographer Thomas Pornin on AES 128 vs 256: http://security.stackexchange.com/questions/14068/why-most-p...

Because it's the most secure.

I liked the idea of a free and open-source password manager. It seems that Mitro has been around for nearly a year.[1].

It does not seem anywhere near as mature as Lastpass though. There are no additional features such as a credit card or notes store. Also, it seems buggy since I was only able to login once through the Chrome extension.

I guess I will stick with Lastpass for now.

Main feature from Lastpass that I use and I would miss is Yubikey support (http://www.yubico.com/products/yubikey-hardware/yubikey/)

How do I get started if I want to build an Android app?

The Android app is in the mitro-core/android/MitroApp directory, and should build with the Eclipse ADT. See: https://github.com/mitro-co/mitro/tree/master/mitro-core/and...

I'm a 1password user, but I'll definitely be checking this out. Having recently switched to Windows, I'm liking it a lot less. To put it charitably, their Windows version is not quite as nice as the Mac and iOS releases.

It's a sunk cost at this point, but owning 1password on 3 platforms is expensive. $70 for my laptop and desktop, and another $18 for my phone. But I bought into it because the Mac version is great and I was primarily a Mac user at the time. Oh well.

If you stay within the Apple ecosystem, 1Password is great. If you stray outside of that bubble, not so great. Their Android app sucks (quit putting an icon in my system bar every time I open the app, for starters), and the Windows version isn't so hot, either.

Yeah, it's pricey, but in the end I think it's worth the aggravation and time it saves me.

I heard that you have to do this in order to not get killed when inactive.

That's the annoying part. I'm not privy to the internal workings, but I just need the app to fire up and stick something on the clipboard. After that, let the OS kill you off because I'll fire you back up again ad hoc.

The notification says it's synchronizing with my chosen cloud provider, maybe it doesn't want to get inadvertently killed during that process. Okay, fair enough. But can't the notification be removed after it's done? (An honest, if rhetorical question; don't know enough about Android to say for sure.) I have enough special snowflake apps sticking their crap in the notification bar, one less would be nice.

I work for AgileBits, the makers of 1Password.

You are not alone in requesting less clutter in the notification drawer. This is a popular request that we have received from a number of our customers.

We pride ourselves in considering all feedback from our customers and I'm happy to say that we've made improvements in this area. In our upcoming 4.1 update, successful sync notifications will be automatically cleared from the notification drawer.

We are planning to release the 4.1 update on August 19th. Feel free to read our blog post for additional details: http://blog.agilebits.com/2014/07/26/1password-4-for-android...

Yeah, I get the feeling they don't care about their Windows users at all. I just try to ignore the Windows desktop app because at least the Chrome extension is fine in Windows.

There's a v4 beta for Windows, which is very similar to the Mac version. Better than the stable v3.

I'm using it on Linux (under Wine) and works well. The Chrome extension is a lot better.

> There's a v4 beta for Windows, which is very similar to the Mac version. Better than the stable v3.

Agreed. The v4 Windows client is much, much better than the old v3 - and finally allows you to use the same Chrome extension. I previously had to run two versions of the extension (and all the frustration that brings) if I wanted to use 1Password on my Windows installs.

Check out dashlane : https://www.dashlane.com/ I've been using it for a while and Its much nicer that 1Password.

It has desktop app, a browser extension as well as android and iOS apps.

I tried dashlane when it first came out. Pegged my CPU and uninstalled it immediately. I assume it's improved since then, but that was a major turn-off.

Wait, you switched from Mac to Windows? How's that going?

Honestly, it's going great. I've been a Mac user pretty much forever (the first home computer I used was running System 7), but now I'm on a Surface Pro 3 with Windows 8. It's a fantastic computer. The last thing that made me think "Oh shit I'm living in the future" this much was my first iPod Touch.

I'd been dual-booting OS X / Windows on my desktop already because Apple's GPU drivers are garbage, so it wasn't a huge step. Dropping OS X completely was mostly based on being a game dev hobbyist who's doing a lot of 3D work and digital painting. OS X had turned into a web browsing and email platform for me, and I can do that just as well elsewhere.

The experience with 1password is far from unusual though; Windows doesn't have a lot of developers making software of any quality. For every Mac program I try to find a substitute for, Windows has 30 different options that are all equally bad (looking at you, IRC clients that aren't Colloquy). So if you rely on a lot of little 3rd party software, it's not a good ecosystem. But if all you need is Firefox, blender, Unreal Engine, and Substance Designer, it's not a problem.

And that's not even mentioning the price of a Mac with an upgradable GPU. I could do yearly GPU upgrades on my desktop and still be cheaper than a baseline Mac Pro.

This looks really great, sadly this is the type of product where being an early adopter makes me nervous, but after a few minutes of playing with it I'm impressed with the UI.

I love the functionality of LastPass, I really do, but man their UI is terrible. I trust them from a security front though and in the end that is what matters most to me.

If Mitro builds up that same rep then I'll switch over, but until then waiting it out. (sorry!)

The UI is indeed awesome. I'd love to see a little more development on the features (doesn't support wildcard domains, for example). But it's definitely a great starting point to work on.

Aw, your comment about the UI made my day. Wildcard domains didn't come up at all as a use case—interesting you bring it up. Since it's open source now, I'll upload the rest of the UI design that hasn't been implemented yet which supports a few other features. Anything else you'd like to see?

I'm with you on that - I'm an early adopter for many, many things, but security software is not one of them. I'm happy to play with it a little, but I'm not certainly going to migrate my passwords until it's show to be relatively reliable (and long-lived)!

Yeah, that's the thing. LP doesn't give any love to their design.

Aw, thanks for the UI love, nicpottier! I appreciate the support.

SpiderOak [1] released (or rather "endorsed") an "open source, 'Zero-Knowledge', cloud-based password manager" called Encryptr [2] as well.

[1] https://spideroak.com/ [2] https://github.com/devgeeks/Encryptr

Since the company has been acquired what are the plans for the service? http://labs.mitro.co/ says that "The service will continue to operate as-is for the foreseeable future." but there is a lot of ambiguity in 'forseeable.'

While I really appreciate the value of having the client and server code open sourced I don't want to run my own server nor do I want to sign up for a service that, with the changes that will likely happen after the acquisition, could disappear without a lot of warning.

Can anyone clear this up? from Mitro, EFF?

Congrats and thanks!

"Mitro has committed to funding continued operations of its servers until at least the end of 2014. If their code proves to be secure and popular with the community, we will be advising them on how to create a sustainable home for that infrastructure.". Erh. Yes, so I'll be staying on KeePass, strategically "cloud" backupped in encrypted form to my email address (also, yes, this does not solve Android integration..etc. so suggestions are welcome!)

I recently started using KeePass2Android [1] instead of KeePassDroid. It has some features I really like, like cloudstorage integration with Google Drive, Dropbox and more.

[1] https://play.google.com/store/apps/details?id=keepass2androi...

I really, really love KeePass2AndroidOffline. The app itself needs no permissions except the ability to read a file from the phone's local storage. Using OwnCloud's app and the "keep a file up to date" feature, I have my KeePass file synced to my various computers and my phone. Plus, KP2A has the "type this password for me" keyboard instead of relying on copy/paste. I didn't realize until I read the docs for another project, the clipboard is an API that can be hooked by other apps to see what's on the clipboard. It makes obvious sense but I never thought about it.

thanks - swear I didn't notice that my first time through

The best thing would be if they would release the server software. That way you could run the software yourself and be totally independent. If that happens, I'm totally on board. Now I'm still on the fence between this and LastPass

That was part of the announcement.

I'm in the same boat here... What will happen?

There's no method to reset Mitro, so if you're like me and Mitro ran into an error partway through importing your KeePass database, you won't be able to reset Mitro and try importing with a different method.

Do I seriously have to click manage->delete secret thousands of times just to reset Mitro?

Not really, nobody is forcing you to delete everything manually. You can always implement the feature yourself!

(Sorry, didn't meant to be that guy, but seriously don't know why people expect a clearly new piece of open source software to do everything they want.)

Apparently, it's just been open sourced but it's not a new project

Currently using KeePassX + Dropbox. What sort of benefits would I get from Mitro?

Currently, this is the best option. Though I recommend KeePass proper as opposed to X since KeePassX's last stable release was over 4 years ago and they've only pushed out alpha builds since then.

Unfortunately, if you want to run on Linux, KeePassX is the best choice. KeePass "proper" does work on Linux under Mono, but the UI is pretty buggy (textfields don't render the cursor in the right place, and the UI just looks awful in general). I really do wish there was a better native Linux client - some new features would be nice.

There are several good reasons to use KeePassX over Keepass, even with the current status of Alpha 6 in the KeePassX 2 series.

* KeePassX has a consistent UI across Windows, OS X, Linux * It's a small, portable binary. I've had good luck running the Windows and Linux binaries off of USD drives. * Alpha 5 and Alpha 6 have been really stable. I started using Alpha 5 and haven't had a need to look back.

I've been recommending KeePassX as the go-to password manager for Windows, OS X, and Linux over Keepass.

I use Keepass2 exclusively now(started using it this past year due to needing windows and cloud sync support) and have had no major issues across linux and windows. I guess YMMV, but it's been a great success for me.

Not keeping sensitive data in Dropbox.

Even if it's encrypted?

The KeePass database is strongly-encrypted before you put it up on Dropbox, so you're not relying on Dropbox's own encryption (I wouldn't either).

I refer you to the techdirt article linked above. If you upload a KeePass file to dropbox now, you may be vulnerable to a way of cracking keepass files available at some future date.

Yup; but I'd say you're letting the perfect be the enemy of the pretty damned good.

KeePass' encryption is quite solid -- if it starts to show some cracks in the face of quantum computers or whatnot somewhere in the future, I can always upgrade and change my passwords so the old database isn't valuable any more.

That'd be a PITA, but I don't expect this to happen -- nor for the govt to come up with a huge vulnerability that no one else sees -- so that's the kind of bet I'm comfortable taking.

This shouldn't matter here, if you regularly rotate passwords and KeePass itself is regularly updated to fix security vulnerabilities.

Is there a "secure" way to get a KeePass file onto an iPhone if Dropbox isn't safe?

I don't need realtime sync, I'm happy to manually copy it across when I make changes, just curious what the proper way to do it is, if not via Dropbox.

> Is there a "secure" way to get a KeePass file onto an iPhone if Dropbox isn't safe?

I have an android phone. I use a technology called a "USB Cable" to transfer files onto it.

Sadly that is also very insecure:

http://www.theregister.co.uk/2014/07/31/black_hat_hackers_dr... http://appleinsider.com/articles/14/08/01/badusb-malware-liv...

but at least it is safe against remote intercepts.

I'm in the same boat (KeePassX and Dropbox), but I have been thinking about a peer-to-peer sync option. I don't need it to sync on WAN, just LAN sync is probably good enough for me. If it syncs between my couple of laptops and my phone, that's good enough for me. I have to see if BitTorrent Sync helps me do this.

If I can host my own server, this sounds like a very promising solution.

That is absolutely the intention. Currently the docs are lacking, but we will try to add directions about running your own server in the next few days.

Will there be an option to use your own server in the chrome extension and android app? Or will I have to compile both with my custom server address?

The chrome extension already supports this via an option on a hidden preferences page: chrome-extension://EXTENSIONID/html/preferences.html

You should consider porting it to sandstorm.io - that would be perfect!

I'm no crypto or security expert, but this worries me:

   "For security, the online password databases are encrypted with client-side keys derived from your master password"
What is going on here? Does it hash my master password, generating a new pass? If so, this seems like it would only increase the number of bits in the possible keyspace but not increase the number of possible keys, while actually lowering security (since hash collisions can occur). This worries me because non-standard crypto applications tend to actually introduce holes and vulnerabilities. What other vulnerabilities lie hidden here?

I'm no expert but I see no harm here. In order to use symmetric encryption, you need a certain key size (e.g. 128-bit key for AES-128). How do you transform a password of, say, 15 characters to 128 bits? You guessed it, with a hash (well a key derivation function to slow down brute force). What they do is I think standard practice.

> but not increase the number of possible keys

So yes, if your password is weak, then it won't make it strong.

> while actually lowering security (since hash collisions can occur)

But I think you're wrong here. On a human password of 30 bits of entropy, there is very little chance of collision. If one collision was to happen, you'd still have a key space of (30^2) - 1, which is very much the same number.

My guess is they're using the standard approach for deriving an encryption key from a password: http://en.wikipedia.org/wiki/PBKDF2

Thanks for the clarification (and thanks to throwaway above as well), seems this is standard. Is there a salt in this implementation? Is it bruteforced the first time I open the database on a new device?

It says the encryption is done client-side so a salt would be public.

edit: they may be salting with the username or email address.

Hi. Looks very nice but why would I switch from LastPass? They don't know my passwords too. They also have multi-factor authentication. They also have add-ins for all browsers and mobile too.

Because it's open source, so it will be easier to audit, and probably because of the UI (Lastpass UI got a lot better in the latest releases, but still sucks).

How does this compare to letting Firefox remember my passwords and sync them via Firefox Sync?

I don't know much about Mitro but most Password software don't store your passwords as plaintext on your computer. They also don't make it easy to generate random password under certain criteria.

Personally, I'd trust Mozilla with at most my bookmarks/settings/tabs. Keep your security safer with people dedicated to just it. Doubt that's an endorsement for Mitro, though. At least for now.

This looks great. I'm a diehard 1Password user, and that probably won't change, but I love having open source options that have great features.

The blog post says Mitro is "joining" and "transitioning" to Twitter, but doesn't say that Twitter acquired them. How does that work for Mitro's investors?

Why would Mitro join Twitter’s location team to work on "geo-related projects" instead of identity and authentication projects like "Sign in with Twitter"?

"Soft landing" "acquihire"?

It looks great. UI is really nice to look at.

Looking around, this has a long way to go before it is able to compete feature wise with current commercial managers.

Also, it's going to take a long time, security-wise, to get up to par with the current commercials as well. It sounds like I'm being harsh but there are a lot of possible issues to consider. An HSTS header would be a nice start......

A warning: this still seems very buggy, it seems to not have an easy easy way to delete an account, and even deleting individual entries is not totally reliable (deleted entries seem to stay in the list).

So unless you want to spend a lot of time repeatedly trying to delete duplicates (created by failed imports) and/or every single entry, stay away, for now.

It would be nice since I don't have to remember any passwords anymore, if Mitro would generate password strings for me.

Just use KeePassX.

Cost is zero, available on all platforms that you care about, and it's a stable format. What more do you want?

Cleartext cloud storage is a no-no. Browser integration from my POV is really dangerous as well... trying to keep secrets using the most widely attacked platform out there sounds like an exercise in futility.

As computer people we should move away from teaching people that a strong password is one that is made up of random numbers, letters, symbols, and is hard to remember. Instead, let's teach them to create much longer passwords that are nonsensical sentences.

*You can't beat the carrot!


Passwords? They're for Sundays.

> let's teach them to create much longer passwords that are nonsensical sentences.

Doesn't matter; nobody is going to remember fifty different ones. I have more website logins that that. Password reuse is going to happen and it is bad.

The only secure way is for each password to be made up of a unique long, generated string of "random numbers, letters, symbols" for maximum entropy and stored in a password manager. The user just has to remember the password manager's master password (and maybe a desktop PC login). Now these remaining memorised passwords can be long nonsensical sentences if need be.

I did a really poor job of explaining myself. Really poor.

I meant the master password. Mitro's password strength meter uses guidelines which are becoming (are?) old. So let's just move away from that altogether (for passwords that people should remember) and doing something that makes it easy to use lots of characters.

FNB South Africa is a bank that has horribly complex rules for passwords - no repeated letters, no sequential letters, in addition to the normal password strength requirements.

Given the complexity, many people I know just save their passwords in plain-text.

I've been looking for open-source alternatives to LastPass. I'll give this a whirl -- thanks!

I would suggest Password Gorilla if you don't want your passwords stored in the cloud.

It would be cool if they developed this using something like RemoteStorage so you don't have to tie yourself to their server backend, which they say they're only committed to keeping around until the end of the year.

I imported my LastPass vault into Mitro, but can't get it to auto-fill pages I have stored data for. I have to search for the page and then click "sign in"..

Am I wrong in expecting it to work exactly like Lastpass did?

Strange, if the URL is shown in the 'details' view, the dropdown should show up. If not, please email inbound@mitro.co.

I received this by email shortly after installing Mitro:

"Congratulations on adding your first secret to Mitro"

This makes me a little uncomfortable. How do they know? Why should they know?

Edit: I could not find those words in the github repo.

Secrets are stored on Mitro's servers. Presumably -- hopefully -- the passwords themselves are encrypted. Edit: Ah, yes:

    Mitro is distinctive amongst free/open source password managers
    in that it's architected around cloud storage. For security,
    the online password databases are encrypted with client-side
    keys derived from your master password. For availability, they
    are mirrored across three cloud storage providers. With this
    design ... passwords can be synchronized across all of your
    computers and devices with minimal effort.

This I understand very well.

So presumably they sent the email only after I sent them the first "blob of gibberish" telling them I added _at least_ one entry to my password database.

Presumably they don't know if and when or how may entries I have. In this case they only noticed the first time I sent in my encrypted database.

Secrets are stored as described in the design document; the server knows how many secrets there are, but nothing about them: https://github.com/mitro-co/mitro/blob/master/PasswordManage...

Where one could find a specification of the protocol used by Mitro?

The design doc describes the architecture: https://github.com/mitro-co/mitro/blob/master/PasswordManage...

We unfortunately don't have a great description of the protocol. The closest you can get is to look at the RPC proto spec: https://github.com/mitro-co/mitro/blob/master/mitro-core/jav...

Does the Firefox add-on not work, or is it just me? (It seems like it's trying to load the full-size desktop page in the little drop-down window. Firefox 31 on Win7.)

It seems great, but... if the mitro.co server goes down? I misunderstood or is not possible to copy passwords on your computer?

How does the sharing access work? Does it sign in with the password locally and share the resulting cookies to the recipient?

I wonder if they have any plans for a phone app.

iOS and Android apps are available on the respective app stores now. Note that the Android app might be vulnerable to clipboard hijacking, as described in http://fc13.ifca.ai/proc/4-2.pdf

Really surprised none mentioned firefox sync?

The secret sharing across teams works which is good (LastPass's organization features are broken), but saving secrets is very slow right now.

How are LastPass' organization features broken? Over 7,500 companies are using them successfully.


I'm sure a lot do, but when we tried to set it up this past Wednesday, we couldn't get it to actually share credentials. Perhaps we were using it wrong, but if we couldn't get it to just work in an hour, there's a fundamental problem with the product.

We use LastPass internally, specifically to share long random passwords among the people that need them.

It's not been a flawless experience, but it works -- what are the problems you've seen?

We were unable to get LastPass to actually share passwords at all. Created a shared folder with some passwords, checked to see if a coworker could see it, and sometimes they could see it, but most of the times the folder wouldn't show up at all. Spent at least an hour just debugging why this was happening, but we kept getting totally inconsistent results.

I say this as a mostly satisfied LastPass (Personal) user.

Ah, right -- we've got some odd behavior there as well; newly-shared folders not showing up in particular.

I suspect there are bugs in how the (locally-cached) LastPass vault stays up to date, possibly coupled with a delay on the server side for updates to be propagated to all vaults.

Just from my experience working with encryption... I'll bet the sharing process is fiddly, and they have some unresolved flow problems. E.g., imagine a new folder share offer is encrypted and queued for the recipient's vault, and can't be merged in until the recipient next signs in... but depending on their browser plugin settings, they may only sign in once every few weeks. So the plugin pings for queued updates and can send up auth keys... but already we're getting into enough complexity that bugs would be likely.

(I don't actually know how their folder sharing functions, but deploying encryption where the server only occasionally has the keys can quickly make simple requirements turn into Rube Goldburg contraptions...).

In our case, the shared folders eventually showed up for everyone (we specifically tried signing out of LastPass and restarting browsers... though I don't think we quite nailed down an "always works" solution), and once the basic shared folders were set up, it was smoother sailing.

The server are probably getting hammered.

Is it similar to Lastpass?

Storing my passwords in the cloud means it's already got one mark against it. What does it do to make make for that?

Presumably encrypting them with a password you control?

It's still an avoidable risk. And one that can be applied retroactively.


No information or demo on the webpage = Worthless.

Presumably the code is released first, then the documentation is created. It sounds like the product wasn't initially developed with the idea that it would be released to others. That doesn't make it worthless. If Twitter spent the time + money to acquire them and open-source their product, I would assume that they have a vested interest in doing more than just dumping the code on Github and ignoring it.

"Good security practices require us to use different passwords for most or all of the websites .... remembering all of your passwords requires an inhuman display of memory."

It actually is possible to create unique passwords for every website and remember them without inhuman displays of memory. To do so, there are two basic things you need to remember:

1) A unique base password 2) A simple hashing function

The input to the hashing function can be the company's name or website address (an overly simplified example - your hashing function could be the first two characters of the website's domain name). A unique password for any website could then be:

password = hash_function(domain) + base_password

A very simple way to create unique passwords for every website, inhuman memorization skills not required.

I used this form for a while but realized that if someone is doing a targeted attack specifically on you and happens to find a single compromised password of yours, all the others are only a few guesses away. It's better than re-using passwords, but still worse than using truly unique ones.

If you're being specifically targeted, the key is accessing your email.

Except if your password gets compromised on two sites than hackers could identify the pattern and compromise every account you have.

Yes, but that is also the case if your password manager's password gets compromised.

that's a very very different scenario. your password manager's password is not sent over the wire, and you know it to have very secure hashing. it is stored only on your hardware

not so with external websites — if you use the proposed strategy on two websites with poor security (something which is completely opaque to you), your passwords are compromised.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact