Password Security
We had two hard requirements we wanted to meet for Mimiri Notes:
- It must be possible to access Mimiri Notes using only something you can keep in your head
- It must be secure enough that storing your whole life in Mimiri Notes is a sane choice
TL;DR - What You Need to Know
- Use Mimiri’s built-in password generator (8 characters, letters + numbers)
- Write your password down on paper and keep it somewhere safe
- CRITICAL: We cannot help you recover a lost password - losing it means losing all your data
- For most people, this level of security is more than adequate
If you want to know more about the security choices made in Mimiri Notes and why they were made, one of our founders wrote an extensive blog post about it on his personal blog
Why This Approach Works
We settled on a benchmark: with current technology, cracking a password in under a year should cost at least 1 million USD.
This, we figure, means that unless a state actor or another large organization has a specific and strong interest in your data in particular, there is no practical way it will happen.
Realistically, even a cost of $100 would likely be more than adequate for 99% of people. If you are not among the 99% - you already know - conduct yourself accordingly.
How We Achieve This
Mimiri Notes employs key stretching¹, a standard cryptographic practice that, very simply put, lets us choose how much computation it takes to check a single password guess, and therefore how much effort is required to crack a password. The flip side is that every legitimate login pays that same per-guess cost.
This tradeoff is favorable because you pay the cost once per login, for the one password you already know, whereas an attacker must pay it for every one of the extremely large number of candidates they have to try before hitting your specific password.
This tradeoff only takes you so far; it isn’t possible to make 1234 a viable password using this mechanism. The effort would have to be raised so much that logging in would be equally impossible in this case.
However, the tradeoff takes us far enough to make it viable to bring the length and complexity of the password down to something a human being can actually remember.
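The asymmetry above, worked through as an added example (this is illustration code written for this page, not Mimiri's own implementation). It uses the parameters from footnote ¹ (PBKDF2-HMAC-SHA512, 1,000,000 iterations, a per-user salt); the 16-byte salt length and all function names are assumptions. It times one honest login on the local machine, then shows why no iteration count rescues a 4-digit PIN: to make 1234 as expensive to search as the recommended 62⁸ space, the iteration count would have to grow by the same factor as the keyspace shrinks, and logins would take centuries.

```python
import hashlib
import os
import time

# Parameters stated in footnote 1 of this page.
HASH_NAME = "sha512"
ITERATIONS = 1_000_000
KEY_LEN = 64   # bytes; the full SHA-512 output
SALT_LEN = 16  # bytes; an assumed value, the page does not state the salt length

# Keyspaces compared below.
KEYSPACE_8_ALNUM = 62 ** 8   # the page's recommended 8 chars from [a-zA-Z0-9]
KEYSPACE_PIN_1234 = 10 ** 4  # every 4-digit PIN


def new_salt() -> bytes:
    """Fresh random salt, generated once per user when the account is created."""
    return os.urandom(SALT_LEN)


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512 key stretching.

    The same (password, salt, iterations) always yields the same key, which is
    what lets the client re-derive it at login; a different salt yields an
    unrelated key, so work precomputed against one user is useless for another.
    """
    return hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def time_one_login(password: str = "correct horse", iterations: int = ITERATIONS) -> float:
    """Seconds this machine needs for one derivation: the cost paid once per login."""
    salt = new_salt()
    start = time.perf_counter()
    stretch(password, salt, iterations)
    return time.perf_counter() - start


def attacker_iterations(keyspace: int, iterations: int = ITERATIONS) -> int:
    """Total HMAC iterations needed to exhaust `keyspace` candidates."""
    return keyspace * iterations


def seconds_to_exhaust(keyspace: int, iterations_per_second: float,
                       iterations: int = ITERATIONS) -> float:
    """Wall-clock time to try every candidate at a given aggregate iteration rate."""
    return attacker_iterations(keyspace, iterations) / iterations_per_second


def iterations_to_match(weak_keyspace: int, target_keyspace: int,
                        iterations: int = ITERATIONS) -> int:
    """Iteration count that would make searching `weak_keyspace` cost as much as
    searching `target_keyspace` at the normal count. This is the knob the page
    says cannot realistically be turned far enough to rescue 1234."""
    return iterations * target_keyspace // weak_keyspace


if __name__ == "__main__":
    t_login = time_one_login()
    # One honest login on a single core is a lower bound on attacker speed:
    # a GPU cluster runs several thousand times faster than this.
    rate = ITERATIONS / t_login
    print(f"one login: {t_login:.2f}s (~{rate:,.0f} iterations/s on this core)")
    print(f"4-digit PIN, exhaustive search on this core alone: "
          f"{seconds_to_exhaust(KEYSPACE_PIN_1234, rate):,.0f}s")
    needed = iterations_to_match(KEYSPACE_PIN_1234, KEYSPACE_8_ALNUM)
    print(f"iterations to make 1234 as costly as 62^8: {needed:,}")
    years = needed / rate / (3600 * 24 * 365)
    print(f"...at which point each login would take ~{years:,.0f} years")
```

The iteration rate measured on one laptop core is deliberately the defender's rate; footnote ² uses GPU rates, which are orders of magnitude higher, so the PIN line understates how quickly a real attacker finishes.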
Password Recommendations
This is not general-purpose password advice. Most other places do not employ key stretching.
We recommend a randomly generated password of 8 characters chosen from lowercase letters, uppercase letters, and numbers. This equates to the 1 million USD target described above².
If you want a bit more security we find that throwing in a single special character does not substantially affect the difficulty of remembering a password while it does meaningfully increase the difficulty of cracking it³.
Mimiri Notes contains a tool that will generate such a password for you. The tool runs entirely locally on your device and does not send the password to us or anyone else. It uses a cryptographically secure random number generator to pick the characters.
If you choose to hand-craft a password instead, be aware that even if you simply hammer the keyboard randomly, you are extremely unlikely to generate a more secure password. It may be secure enough, but short of actually cracking it, it is very hard to provide any real estimation of difficulty.
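The recommended generator and the keyspace arithmetic behind it, as an added example (written for this page, not Mimiri's own generator code). It draws 8 characters uniformly from the 62-symbol pool with the OS CSPRNG, shows the footnote ³ variant of inserting a single special character, and makes explicit why footnote ³ says the exact gain is hard to pin down: the answer depends on what the attacker knows about the recipe. The pool of special characters and the function names are assumptions.

```python
import math
import secrets
import string

# The page's recommended pool: lowercase, uppercase and digits (62 symbols), 8 characters.
ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits
LENGTH = 8
# An assumed pool for the footnote-3 variant; the page does not list which
# special characters its generator offers.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def generate_password(length: int = LENGTH, alphabet: str = ALNUM) -> str:
    """Uniform random choice from `alphabet` using the OS CSPRNG via `secrets`.

    `secrets.choice` is unbiased (no modulo bias). `random.choice` would be
    wrong here: it is a Mersenne Twister whose state is recoverable from output.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def with_one_special(password: str, specials: str = SPECIALS) -> str:
    """Footnote-3 variant: insert exactly one special character at a random position."""
    pos = secrets.randbelow(len(password) + 1)
    return password[:pos] + secrets.choice(specials) + password[pos:]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the generator can produce."""
    return alphabet_size ** length


def entropy_bits(ks: int) -> float:
    """Guessing entropy of a password chosen uniformly from a keyspace of size ks."""
    return math.log2(ks)


def special_variant_keyspace(alphabet_size: int = 62, length: int = LENGTH,
                             num_specials: int = len(SPECIALS)) -> int:
    """Keyspace of the one-special variant when the attacker knows the exact recipe:
    base keyspace, times the choice of special, times its (length + 1) positions.
    This is the lower bound on the gain. An attacker who does not know the recipe
    must treat all 9 positions as any of (62 + num_specials) symbols, a far larger
    space, which is why the exact effect depends on the attacker's knowledge."""
    return keyspace(alphabet_size, length) * num_specials * (length + 1)


def recipe_unknown_keyspace(alphabet_size: int = 62, length: int = LENGTH,
                            num_specials: int = len(SPECIALS)) -> int:
    """Upper bound: 9 characters, each from the full pool, recipe not known."""
    return (alphabet_size + num_specials) ** (length + 1)


def looks_like_generator_output(password: str) -> bool:
    """Shape check only: length 8, every character from the 62-symbol pool.
    It cannot distinguish CSPRNG output from keyboard mashing of the same shape,
    which is exactly the page's point about hand-crafted passwords."""
    return len(password) == LENGTH and all(c in ALNUM for c in password)


if __name__ == "__main__":
    pw = generate_password()
    ks = keyspace(len(ALNUM), LENGTH)
    print(pw, f"keyspace={ks:,}", f"entropy={entropy_bits(ks):.1f} bits")
    pw2 = with_one_special(pw)
    lo, hi = special_variant_keyspace(), recipe_unknown_keyspace()
    print(pw2, f"gain if recipe known: +{entropy_bits(lo) - entropy_bits(ks):.1f} bits,",
          f"if unknown: +{entropy_bits(hi) - entropy_bits(ks):.1f} bits")
```

A uniformly generated 8-character alphanumeric password carries about 47.6 bits of guessing entropy (62⁸ ≈ 2.2 × 10¹⁴ candidates); that keyspace multiplied by the 1,000,000 PBKDF2 iterations is the work figure footnote ² prices out. A hand-typed string of the same shape passes the shape check but gives no such guarantee, because nobody can state the distribution keyboard mashing draws from.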
Writing the password down on a piece of paper with a pen (don’t use a printer⁴) and keeping that in a safe place is a good idea for most people - if that isn’t true for you, you know.
Also, don’t forget that we cannot help you recover your password. Building that capability into Mimiri Notes would effectively give us access to your data, and that would defeat the whole point of Mimiri Notes.
Password Security in Notes
Beyond account passwords, Mimiri Notes helps you store other passwords securely within your notes:
Next Steps
- Create your account with a secure password
- Learn about our security architecture
¹ Specifically PBKDF2-SHA512 using 1,000,000 iterations and a unique salt for each user
² The calculation is based on an approximate cost of $2,000 for an RTX 4090, and the number of such cards that would be required to run constantly doing nothing else for 1 year to exhaustively search for a password in a known space. Electricity costs, cost of additional needed hardware, and man-hours needed are not factored in. 1 million USD equates to 500 RTX 4090s.
³ This is not as effective as generating from a pool that allows the use of any number of special characters. Calculating the exact effect is hard, but it will significantly increase the difficulty of cracking the password.
⁴ Some printers keep a history of printed documents