
Marco De Nadai

Data Scientist and Ph.D. student at University of Trento, Italy.

Stop remembering passwords

Tue 02 September 2014

Every day we hear about hackers stealing passwords and accounts. Just one week ago 1.2 billion passwords were stolen, and the Fappening hacker exposed the contents of the phones of Jennifer Lawrence, Selena Gomez and many others. Nevertheless we somehow continue to trust passwords: they are insecure, we often forget them and, finally, we complain when someone hacks our e-mail or Facebook account. Ask yourself:

  • What can happen, and how much time will you waste, if your Facebook account is stolen?
  • Are you using the same password everywhere? If so, do you know how dangerous it is?

In this article I will present one of the most secure methods to overcome the old password habit.

Video: The Fappening - Reddit reacting to Jennifer Lawrence nudes

Why is using the same password everywhere so insecure?

Reusing passwords for email, banking and social media accounts can lead to identity theft. Imagine an attacker who steals your Twitter password. What happens if it is different from all the others? Now imagine the contrary.

(Extra: is your password secure? This method only checks the length of the password against what a normal PC could brute-force. It is simplistic.)

What's the solution

My solution is to use Mitro, a project that generates, stores and fills in a different password for each website you normally use. Let me explain with an example: say you want to create a Facebook account. You go to the registration page and Mitro generates a password for you, long and random. This password is stored in Mitro, and the next time you log in to Facebook it fills the login form for you. You don't even need to know your own password!! Because the password Mitro generates is truly random, it does not depend on any personal information or existing word.

Mitro screenshot

I never trusted password managers: what if someone hacks or finds the list of my passwords? It's a single point of failure, right? With Mitro this is theoretically not possible. As their Security FAQ says: "Mitro is designed so that only you, and the people you share with, have access to your secrets. Your passwords never leave your computer without being encrypted, so no one, not even Mitro, has access to them". Great!!
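To make the two mechanisms above concrete (a random password that depends on no word or personal data, and a vault entry that is encrypted before anything leaves the computer), here is an added Python sketch; it is not Mitro's code and does not reproduce Mitro's actual scheme. It derives keys from a master password with PBKDF2 and uses HMAC-SHA256 in counter mode as a teaching stand-in for a real cipher such as AES-GCM; the site, user and master password in the usage are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20):
    """Uniformly random password from the OS CSPRNG: no words, no personal data."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 turns the master password into two independent keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   iterations, dklen=64)
    return material[:32], material[32:]  # (encryption key, MAC key)


def _keystream(enc_key, nonce, length):
    """PRF (HMAC-SHA256) in counter mode; a teaching stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(master_password, entry):
    """Encrypt-then-MAC a vault entry on the client; only this blob leaves the machine."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entry).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(master_password, blob):
    """Check the tag before decrypting; a wrong master password or tampering gives None."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


if __name__ == "__main__":
    # Constructed sample: the server only ever stores the sealed blob.
    entry = {"site": "facebook.com", "user": "marco", "password": generate_password()}
    blob = seal("constructed master password", entry)
    print(blob["ct"][:32], "...", open_sealed("constructed master password", blob) == entry)
```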

Since I gave Mitro a try, I have deleted all my cookies and changed the passwords of all the websites I normally use. Mitro saved me!

Let's try!! First of all I will change my Facebook password, just to show you how the system works. I generate the password with Mitro and copy-paste it into the Facebook form. It's a strong password!

Screenshots: Facebook change-password form, Mitro password generator, the new password entered on Facebook

At this point I log in. In my case I had a different password saved in Mitro, so I save the new one.

Facebook login

Now, when you need to log in to the website again, Mitro will take care of the rest.

Mitro Facebook login

So you will not have to worry about remembering passwords anymore, and your internet life will gain a new kind of security. You don't trust me? Try it with one website! Change a password and use Mitro from that moment on, please! After this, share your thoughts with me please. I'm curious/interested :)

Mitro was recently bought by Twitter. The extensions are for Chrome, Safari and Firefox. There is also an iOS app.

Why Mitro and not the others?

There are many other similar solutions, like LastPass, so why did I choose Mitro? Especially after the NSA revelations, I seriously reconsidered the value of Open Source in the security field. Open Source lets people read the code and understand whether a company is using your information in an unexpected way, but it also helps by getting more eyes on the code. The recent Heartbleed bug proved it: a tiny modification in the code introduced a serious security bug which affected 90% of the websites on the Internet, including Facebook. If OpenSSL weren't Open Source, the Heartbleed bug would probably never have been discovered.

Mitro is Open Source: everyone can review or contribute to the code in its GitHub project. I personally do it.

Mitro even allows you to run your own server, if you don't trust the Mitro servers!

Is it the future?

Yes and no. Mitro attacks the problem on the "password side": it lets you use websites in the old way, storing your passwords and increasing their security. The future will probably be about different types of access methods, like OAuth or Mozilla Persona, or about considering passwords obsolete. All these methods depend on the websites we use, so we can't do anything but wait.

We just need to wait, using Mitro meanwhile.

Please, give it a try and share your thoughts :)
