Mitro. Another Password Manager

Discussion in 'privacy technology' started by dogbite, Sep 10, 2013.

  1. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    FYI, another alternative to Lastpass.

    While I am currently not going to use any cloud-based password service any longer (at least until the NSA affair becomes somehow clearer...), it's interesting to see their technology, which seems pretty standard.

    https://www.mitro.co/security-faq.html
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Seems Chrome-only, does it have a web interface?
     
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    I installed Comodo Dragon to give Mitro a try, at least for some not highly sensitive passwords.

    Some first impressions:

    1. Works pretty flawlessly
    2. More basic than Lastpass, far fewer notifications
    3. Lack of customization; for example, it's not possible to set the PBKDF2 iterations, which are set by default.
    4. Two factor auth. not tested so far.
    5. I think it does not have any web interface, all is just in the browser.
    6. Not tested Team Password sharing service.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Update:

    Mitro does not have any Password Generation function, thus when I want to add a new site I have to generate a psw with Keepass and then store it in Mitro.
    Not very comfy indeed.
     
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Carrying on testing.
    Some issues around (Mitro fails to ask to save passwords in some websites), but support is really quick to answer.
    The more I use it, the more I like it. Also they told me that a new version is under development with some new features.
    Two-factor authentication is set up and works fine. It also generates some backup codes, to be able to log in even without a phone.
     
  6. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    Perhaps I shouldn't say this, but after some people have started to realize what the government has been doing for decades just recently, one word: backups and off-cloud storing of password databases is a must. I suggest taking a look at Keepass, works perfectly over here ;)
     
  7. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Happy with Lastpass; auto-logging into a forum is just a life saver, especially if you have set security/privacy addons onto your browser.

    If you are worried about usernames/passwords being NSAed or other adversaries, then perhaps do not save any info from any strange websites!
     
  8. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    Sure, why not... NO! Use a proper offline password manager such as Keepass and be done with it, end of discussion. If you want online availability, use it in conjunction with a TC encrypted container in Dropbox etc. Tootaloo.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    Well, in a TC container... it is, or, if you're up to it, as you've already said, your own server. And last but not least, sure, use whatever you want; I'm just stating opinions, that's all. Enjoy your Lastpass, lols.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I'm not intimately familiar with Dropbox or LastPass, but I think I have a relevant comment. Applicable to this topic even.

    In the "using a known cloud password manager site with strong connection security" scenario, intermediary snoops can/will discover that you are (repetitively) accessing a particular cloud password manager site. From that they can/will learn you are using a cloud password manager, which one, and (assuming its algorithm is fixed/published) what encryption/decryption algorithm is in use. The cloud password manager company also knows that information. Someone that gains unauthorized access to the files on their server should know that as well.

    In the "uploading privately encrypted password database files to generic cloud storage with strong connection security" scenario, intermediary snoops can/will discover you are accessing generic cloud storage but they won't know what it is that you are accessing. The generic cloud storage provider, also, shouldn't know what it is that you are accessing. Filenames *should* be encrypted too, and users *should* use obscure filenames and extensions for their (encrypted) password database. Even if the user were foolish and named their file 'MyPasswordDatabase' and the generic cloud storage provider could see it, the provider *should* have to guess or do some work to figure out what tool was used, what the encryption/decryption algorithm is, etc. Those last two items would also apply to anyone that gains unauthorized access to the files on the server.

    Exposing as little information as possible, to strangers, about your method of managing/encrypting passwords is wise.

    Which makes this an even better approach than the two mentioned above. Especially if it is not an Internet accessible server.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    How will they identify your account if they cannot find what you uploaded? Either way, exposing your data to a third-party eliminates the worthwhile benefits of using a "proper" password manager.
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    New release out, including password generator.
    Very stable.
     
  14. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    https://www.mitro.co/security-faq.html
     
    Last edited by a moderator: Feb 6, 2014
  15. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Will check it on my new machine, nice that they made it open source. :)

    I guess it's all about the money that they decided to switch to Twitter.
     
  17. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    So, is anyone using this? What's missing and what's great? There's not much info on the web about it. I might need to test it out later.
     