
Mitro: FOSS alternative to LastPass


With the assistance of the EFF, Mitro will hopefully soon be making the transition to a FOSS model.

Although I'm still very uncomfortable with the entire concept behind remote mirrored storage of passwords, if I absolutely did need to do it, Mitro would probably be the one I'd be least reluctantly inclined to use. And that's probably as close as I'll ever get to semi-trusting this sort of product. But that's me. YMMV 8)

This from the EFF:

July 31, 2014 | By Peter Eckersley
Mitro Releases a New Free & Open Source Password Manager

Good security practices require us to use different passwords for most or all of the websites and services we interact with. For accounts of any significance, those also need to be strong passwords of one form or another. But if you combine those two requirements (one password per site, most or all passwords are strong) then remembering all of your passwords requires an inhuman display of memory. Of course, when we need to perform inhuman tasks, we use software. And in this case, we use password stores and generators of various sorts. There are a lot of options for password managers out there, but if like us you prefer all of your security-sensitive code to be free, auditable software, then the choices are more limited.

Today, the team from a password manager startup called Mitro will be joining Twitter. As part of the deal, Mitro will be releasing the source to its client and server code under the GPL. We're very pleased to see this happening, and will be advising the Mitro team on how best to turn their startup's code into a sustainable free/open source software project.

Mitro is distinctive amongst free/open source password managers in that it's architected around cloud storage. For security, the online password databases are encrypted with client-side keys derived from your master password. For availability, they are mirrored across three cloud storage providers. With this design (documented here), passwords can be synchronized across all of your computers and devices with minimal effort. They can also be shared across teams and organizations. For those reasons, we're excited about the possibility that Mitro may turn into a valuable piece of infrastructure for the community.

Mitro has committed to funding continued operations of its servers until at least the end of 2014. If their code proves to be secure and popular with the community, we will be advising them on how to create a sustainable home for that infrastructure.

Mitro is already quite a mature and usable system. You can try it today and if you like it, tell your friends. [1]

Hacking on Mitro

Mitro will succeed if it has an enthusiastic userbase and developer community. Aside from trying out the software, there are lots of things you can do to contribute:

Report any problems — there is a new bug tracker on GitHub, so if you run into a bug or a web site that doesn’t work reliably, please let them know. You can also always tweet @MitroCo.

Review the code, fix bugs — Mitro is free and open source; if you know JavaScript or Java, you can improve it. Mitro has had some professional security auditing in the past, but if you're a security researcher, extra eyes looking for and reporting vulnerabilities are valuable.

Contribute documentation — Mitro has some limited documentation on GitHub. The Mitro team would welcome any contributions to help others use it effectively.

Update, 2014-07-31: revised post to link to Mitro's announcement, and clarify that while the Mitro team is joining Twitter, Mitro itself will continue as an independent corporation.

[1] For the time being, we don't recommend using the Android variant of Mitro; the Android app is likely to be vulnerable to password theft by malicious apps because of security problems that follow inherently from its use of the Android clipboard. We are presently researching ways to work around this problem.

--- End quote ---

You can find Mitro info and downloads here.

Paul Keith:
Excellent timing. The LastPass website is down currently.

Link to the GitHub repo:

I spotted this on the Zoho blog in my feed-reader and thought some DCers might find it of interest.
It looks like it could be a piece of smart marketing with a genuinely helpful offer to about-to-be-orphaned Mitro users:
Mitro is Shutting Down: Switch to Zoho Vault For Free in a Single Click | Zoho Blogs

Some of the copy in that article smacked of condescension, IMO.

Mitro, the open source password manager for individuals and teams, is shutting down on Aug 31, 2015. If you are a Mitro user, you might feel sorry to see it go. But you do not have a choice to keep it alive. Mitro is gone and it is time for you to move on.

--- End quote ---

I never invested in Mitro, but just from reading that tweaked me the wrong way. I can imagine how much more if I was actually affected. :huh: Add to that the fact that you can still run your own instance, and it seems more self-interest rather than community interest.

