I’ve been a long-time naysayer to any sort of online password manager, citing mainly reasons of security, and I took it upon myself to maintain a Google Docs spreadsheet with all my >=12 character passwords. Believe me, remembering random strings of ASCII is not an option. I’ve now discovered Mitto and consequently changed my tune on the issue. Let’s see what Mitto can do to improve your online experience.
So what changed my mind? I wanted to start the new year with a clean cyberspace, so I went through online accounts, emails, folders, Twitter and even my WordPress installation. Then I realised that my spreadsheet was in disarray: old passwords, usernames missing, multiple entries for the same service. The sheer number of passwords made managing that spreadsheet too much work, and besides, I didn’t have missile launch codes to protect. I could live with a little bit of uncertainty; after all, it’s the giant cheesecake fallacy. Even if they could access my passwords, why would they?
Mitto is a web-based service that helps you manage your passwords by letting you use high-strength passwords for your online accounts without having to remember the actual strings. Once a login is entered into its database, you can sign in to that website with one click. Think of it as AutoComplete for your passwords, but with strong encryption, a sound security policy and organisation tools. Don’t worry, adding an entry is straightforward and won’t take you more than 30 seconds per service. They even provide a bookmarklet that lets you add a service directly from its login page, with one click.
Now that you no longer have to remember complex passwords, you can use something like the GRC password generator and replace all your passwords with stronger, unique ones. Another feature is tagging, especially useful for those with a very large number of logins. Two email accounts with the same provider? Simply tag one “work” and never mix them up again. Most importantly, there is nothing to install on your computer: you can visit and use Mitto from any browser on any platform you like.
For starters, Mitto uses SSL with 128-bit encryption to protect the connection between you and their server; the 128 bits refer to the symmetric session key negotiated for the connection, not to the certificate, which is an RSA key of a quite different size. They also claim physical security for the servers in a datacenter that has been audited to SAS 70 Type II: servers sit in locked and inventoried racks, and the facility can only be entered through secure gates. At the application level, stored passwords are encrypted with 1024-bit RSA or 256-bit AES. AES-256 is comfortably strong by today’s standards; 1024-bit RSA is at the low end of what is currently recommended, with 2048-bit becoming the usual minimum. Note that key sizes alone do not tell you the thing that decides who can read your vault, namely where the keys are held and whether decryption happens in your browser or on Mitto’s servers, so it is worth checking that in their documentation. Mitto also carries TRUSTe and McAfee certification as secure against known XSS (cross-site scripting), XSRF (cross-site request forgery), SQL injection and session fixation and hijacking issues; a scan of that kind covers known classes of web bugs, not the design of the vault itself. More details about the security measures are available on the Mitto website.
The sign-up form earns points for asking for a security phrase, which every genuine message from Mitto will contain so that you can tell their email apart from phishing. Unfortunately, the password-reset questions are the standard set, and details like your first car or first job are easy to find out. If an attacker guesses the answers correctly, the only thing left in his way is access to your email account, so make sure that is well protected. Better still, treat reset answers as passwords: give random strings instead of truthful answers and store them in Mitto alongside the login.
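The password-generator suggestion and the reset-question concern above come down to the same operation: drawing a secret uniformly from a large alphabet and knowing how many bits of guessing resistance you got. The following Python script is an added example written for this article, not code from Mitto or GRC. It uses only the standard library; the entropy floors it uses (128 bits for a password, 64 bits for a reset answer) are assumed rules of thumb, not anything Mitto requires.

```python
import math
import secrets
import string

# Alphabets. The 94 printable ASCII symbols are the usual choice for a login
# password; sites that reject punctuation (and most reset-question forms)
# get the 62-symbol alphanumeric set instead.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size) bits."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def min_length_for(bits: float, alphabet_size: int) -> int:
    """Shortest length at which a uniform random string reaches `bits` of entropy."""
    if bits <= 0 or alphabet_size < 2:
        raise ValueError("need positive bits and at least two symbols")
    return math.ceil(bits / math.log2(alphabet_size))


def generate_secret(length: int = 16, alphabet: str = PRINTABLE_ASCII) -> str:
    """Draw each symbol independently with secrets.choice, which is backed by the
    OS CSPRNG and rejection-samples internally, so no symbol is favoured
    (random.choice is not cryptographic, and `byte % len(alphabet)` is biased)."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        # A repeated symbol would be drawn twice as often and skew the distribution.
        raise ValueError("alphabet contains duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_answers(questions, bits: float = 64.0) -> dict:
    """One random alphanumeric answer per reset question. The 64-bit floor is an
    assumed rule of thumb: a reset answer only has to defeat online guessing
    through a rate-limited form, not an offline attack on a leaked hash."""
    length = min_length_for(bits, len(ALPHANUMERIC))
    return {q: generate_secret(length, ALPHANUMERIC) for q in questions}


if __name__ == "__main__":
    # The article's ">= 12 character" rule: 12 printable-ASCII symbols carry
    # about 78.7 bits, already far beyond practical guessing.
    print(f"12 printable ASCII chars: {entropy_bits(12, len(PRINTABLE_ASCII)):.1f} bits")
    # A password the manager types for you never has to be memorised, so go longer.
    n = min_length_for(128, len(PRINTABLE_ASCII))
    print(f"128-bit password needs {n} chars: {generate_secret(n)}")
    # Constructed sample reset questions, answered with random strings.
    for q, a in reset_answers(["First car?", "First job?"]).items():
        print(f"{q:12} -> {a}")
```

The entropy figures are the whole point: a site that caps passwords at 8 alphanumeric characters gives you at most about 48 bits no matter how good your generator is, so the generator tells you which sites deserve a unique password plus a watchful eye rather than blind trust.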
Mitto is very flexible, easy to use and, most importantly, completely free. You can sign up by visiting Mitto.com. To end this article on a rather classy note, here’s a quote I remembered: “On the day when we can fully trust each other, there will be peace on Earth.” Do you guys know who said it?