I've used Mitro ever since I heard about it. It's been really fantastic to use, and the team did an incredible job creating it. It has everything I look for in a password manager, even without any updates or changes since it's been open sourced.
On a different note, even though I'd pay to use it, after following the Google Group pretty closely, it seems like Mitro has been unable to foster any sort of development community in the short time the project has been open source. I would have loved to help, but mitro-core is written in Java[0], a language I have little experience with (I don't count my Data Structures class in college).
I'm curious if the demise of Mitro could be a useful case study of how not to open source a big codebase. It seems that they're shutting it down primarily because of lack of development interest, including lack of interest from the original creators. It could be naturally assumed that they were "expecting" a community to form around Mitro, and embrace the open sourceness of it, but that obviously didn't happen. I wonder if the founders would have done something different with the way they open sourced Mitro, given what has transpired.
Open source Firefox took a long time to get anywhere, from Jan 1998 to Sept 2002 for initial release; as Jamie Zawinski wrote when he checked out in March 1999 (http://www.jwz.org/gruntle/nomo.html):
Open source does work, but it is most definitely not a panacea. If there's a cautionary tale here, it is that you can't take a dying project, sprinkle it with the magic pixie dust of "open source," and have everything magically work out.
Open sourcing things is hard, and yes we made the classic mistake of "throwing it over the wall" and not being able to give it the time and attention it would need to be successful. We guessed that would likely be the outcome, but we were willing to try any possibility for Mitro to continue.
Such a shame to see it go. A fantastic password manager to use. Amazingly slick interface, cross-platform support, intuitive UI. We would have happily paid for it (we can't afford $200/month, but maybe $20 or $40 - we're a small team of 5 people using it).
Big thanks to the Mitro team for keeping it alive until now. I'm still hopeful that this imminent closure will prompt someone to pick up the open-source project and keep it alive for longer (but understand that it's not an easy task).
If the average developer's time is worth $60 an hour, then it would only have to save 4 - 8 minutes per month for it to be worth it, or 10 seconds a day.
At SeatGeek, we use Lastpass. I don't personally know what it costs - yes, I'm a lazy operations person - but it seems like it might be $24 per person at our size[1].
I personally use 1Password and if it had group password sharing, I would be lobbying to switch every day of the fucking week. The Lastpass interface is confusing, slow, and ugly (I've been spoiled by the spit and polish we've built). $8 per person compared to what we may be paying now seems very small, so it's probably not unreasonable (to be fair, enterprise pricing is hella weird).
I think it's $24/user/year actually, but we'd be happy to pay more, because Mitro offers a superior solution for us. I hate the Lastpass UI and the sharing options aren't nearly as refined. 1Password doesn't work on Linux, and requires installing a local app as far as I remember.
I've also used Mitro ever since I first saw it, and I'm really sad to see it go (had plans to implement the server in Python, but at the risk of overseeing a security flaw I opted not to).
Lately I've been looking at pass[0], do any of you have experience running this (with git)?
Yes. You can do this fairly easily. There are Ansible playbooks and some READMEs. There is some mail service baked in, which you might have to change.
The only 'harder' part is (the last time I tried): You have to build the browser extensions you want to use, and override the path to the Mitro server to point to your server. The config file is all centralized. So you change it once and can build all extensions at once. I did not find an option to customize the Mitro server via the extension itself. (This is probably a good thing.)
To get your customized extensions to your users, you might have to create an extra download site or fix the links in the Mitro webpage.
That makes me wonder if it would not be an interesting idea to have a plugin that points to a known proxy and you register your host with it. Then the operations cost is low, a single plugin can be released, and you control the server and data. Just a random thought (typing on mobile with no spelling check, please excuse typos).
A password manager really needs to be a high-availability service -- it should work even (especially) when AWS is down. Since our service (intentionally) does not cache secret data on the client, running a proxy is not substantially easier than running our service. Plus we'd have to write this proxy :)
This was a fantastic program and it saddens me greatly to see it go. I hope that someone will pick it up again, or perhaps find a way for the rest of us to run our own servers, since switching to another password manager that doesn't do as good of a job (at least not for free) is going to be quite the inconvenience.
I assume at $200/month it somehow becomes worth it to keep going as someone's side project? I can't imagine Twitter would keep it around for that little revenue (unless the acquihire from last year was simply just a hire, without buying the legal Mitro entity).
It seems to be the case. According to [0] Twitter just hired the devs without the legal entity behind Mitro, and seems like with no intention of supporting the project going forward.
There are some companies using it. It is possible that on-boarding a new person RIGHT NOW while they figure out their long-term solution is helpful. Small possibility, but I want to make this transition as easy as possible.
Yeah, our largest costs are:
- a primary server running on AWS
- a read-only replica running on Google Compute Engine.
Other smaller costs include networking, DNS, and various tax/administrative/regulatory fees.
Sorry for the delay. The monthly costs (which are actually closer to ~$800-1000/month) are a small part. A bigger worry is if we take money from people, we really have some obligation to provide "reasonable" service. We've had relatively few system-administration incidents so far, but I'm concerned about something happening when we are on vacation or busy with other things.
Worst case scenario is Chrome changing how extensions work, which requires us to actually write code, or someone finding a serious security vulnerability.
As a conclusion: It really would take more like a total of $3000/month in fees to make it worth someone's time to deal with the paperwork, the administration, and to be willing to be on call. It seems unlikely we'll get there, but I'm investigating the possibility.
[0] https://github.com/mitro-co/mitro/tree/master/mitro-core