to Store Passwords
How does this work?
Rosa is a password manager reinvented as a chat bot. You interact with Rosa entirely through SMS text messages on your phone. When you create a new password with any website, text Rosa that you want to store the password. We'll text you back a link to quickly and securely store the password. Later you can text Rosa to get the password, and we'll text you back a link to view it securely. Because every interaction happens through SMS text messages on your phone, we know we're always communicating directly with you. Rosa never knows or stores your name, username, or email address. There is no software to install and there is no need to create a user login with Rosa.
Do: Use words you can easily type, like:
(I can already hear your objection, keep reading!)
Don't: Use random characters that are very hard to type:
Remember that you can only retrieve your passwords via text message, so you can only view them on your phone. If you need to type in a password on your desktop computer, you won't be able to copy/paste; you'll be reading the password on your phone and typing it into your computer. Use words or phrases you can easily type rather than random characters. Don't add numbers, upper case letters, and special characters here (keep reading!).
Do: Have a common string of special characters you will add to the end of every password (but don't tell us).
15AZ!$ (this common part is private)
15AZ!$ is the common password you memorize and add to the end of all of your passwords but don't tell us. So your password to Amazon might be sublimecrocodile15AZ!$ and your password to Walmart might be eastereggs15AZ!$. You store just sublimecrocodile and eastereggs with us. The common portion you memorize should also cover the number, upper case letter and special character requirements that most sites have.
Choose your common password carefully! For this system to work, this is not something you can frequently change.
Our Philosophy on Security
Good security that’s easy enough to actually use is better than great security that is too cumbersome to use. If having the best security is too inconvenient, you won’t use it, rendering it useless.
If your password habits are less than ideal (you know if this is true about yourself), we’re here to present a solution where you can dramatically improve your level of security in a simple way that we think you’ll find easy enough to actually use.
What security features are protecting my passwords?
We don't ask for your name, username, or email address. Your phone number is your only identity in our system. We pseudonymise it by creating a salted SHA-256 hash of your phone number, and we use the resulting token in place of your phone number throughout the rest of our system, wherever we store any data, including your passwords. For example, +1-212-555-1212 becomes something like: UT37zdf322iuoVdkl@iR^GDSv4fgu93rsof3wdBJyJM.
Your passwords are encrypted with 256-bit AES encryption. All data is encrypted both in transit and at rest, end to end, in all parts of our system.
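A sketch of the phone-number pseudonymisation step described above, as an added example and not Rosa's own code: the normalisation rule, the token encoding, the sample salt and every function name are assumptions. Phone numbers come from a small, enumerable space, so the salt only protects the mapping while it stays secret; the block therefore also shows an HMAC-SHA-256 variant that treats the salt as a key.

```python
import base64
import hashlib
import hmac
import re


def normalize_e164(raw: str, default_country: str = "1") -> str:
    """Reduce user-typed formats to one canonical +<digits> string.

    Assumption: a bare 10-digit number is NANP and gets default_country.
    """
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError("no digits in phone number")
    if not raw.strip().startswith("+") and len(digits) == 10:
        digits = default_country + digits
    # E.164 allows at most 15 digits; the lower bound is an assumed sanity check.
    if not 8 <= len(digits) <= 15:
        raise ValueError("not a plausible E.164 number")
    return "+" + digits


def _b64url(raw: bytes) -> str:
    """Encode digest bytes as unpadded URL-safe base64 (assumed token format)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def salted_token(phone: str, salt: bytes) -> str:
    """Salted SHA-256 as the page describes: hash(salt || number)."""
    number = normalize_e164(phone).encode("ascii")
    return _b64url(hashlib.sha256(salt + number).digest())


def keyed_token(phone: str, key: bytes) -> str:
    """HMAC-SHA-256 variant: the salt is handled as a secret key."""
    number = normalize_e164(phone).encode("ascii")
    return _b64url(hmac.new(key, number, hashlib.sha256).digest())


def same_user(token_a: str, token_b: str) -> bool:
    """Compare two tokens in constant time."""
    return hmac.compare_digest(token_a, token_b)


if __name__ == "__main__":
    SALT = b"constructed-demo-salt"  # constructed; a real salt is random and secret
    for typed in ("+1-212-555-1212", "(212) 555-1212", "1 212 555 1212"):
        print(typed, "->", salted_token(typed, SALT))
```

Normalising before hashing is what makes every way of typing the same number resolve to the same account token.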
Store as many passwords as you want free forever
There is never any cost to store as many passwords as you like. We'll keep them stored securely forever, or as long as you'd like us to (you can delete your entire account at any time to permanently remove all your data).
Your first 100 password retrievals are free
After that, to continue using Rosa pay just $2 per month (billed $24 annually) for an unlimited use plan.
No credit card required to start
Use our system entirely free without providing any payment information for the first 100 password retrievals. We’ll text you about payment options before your free usage is up.
Why don't I have to log in to use Rosa?
Your passwords are never displayed on the screen; the only way to extract them is by text message to your mobile phone. Likewise, to store a password you will have to confirm by text message to your phone that you originated the request. This serves as a form of authentication instead of requiring yet one more password you're just going to forget.
Are SMS text messages secure?
The reality is we are already depending on SMS text messages as a means of authentication to secure our most important accounts. If you use Google's Gmail, for example, and supply your mobile phone as a backup means of entering your account, then an SMS text message alone will allow you to gain full access to your email account, and with access to your email account, you then have access to nearly all of your other accounts. Also consider that email isn't more secure than SMS text messages, and we rely on a link being sent in email to reset your password to any other account you are already using.
That said, there are vulnerabilities in the Signalling System No. 7 (SS7) network, which SMS relies on, that can potentially allow messages to be illegally viewed in transit by sophisticated hackers. This is what they're referring to in the movies when they say "we're not on a secure line". Because of this we advise that you remember a common password and combine that with all passwords you store with us.
Are you going to bother me with unwanted text messages?
No, Rosa will only respond to your requests, not spam you out of the blue.
If someone else gains access to my phone, doesn't that mean they can gain access to my passwords?
If you're following our recommendation to use a common password, even if someone were to gain access to your phone, they would not know your complete password. You may also be using things like your browser’s ability to remember your passwords. If you step away from your computer you have the same concern. Most people, however, have their phones on them at all times; it is the one thing you are almost never without.
Aren't the readable passwords you recommend (like “sublimecrocodile”) less secure than long strings of random characters?
When combined with a common password like 15AZ!$, the passwords are more secure. Additionally, many websites have measures against brute force attacks, such as locking your account out after a number of failed attempts. You can also take into account the importance of the site you are storing a password for; if you like, you can use a harder-to-type password for your brokerage account, for example.
What if my phone number changes?
You can request by text message that we send you your complete list of passwords. For security reasons we can only text this to your existing phone number, so you must request this before your phone number changes. You can then send us back the list of passwords to import into your new phone number. For help with this contact us at email@example.com.
Is this Open Source?
If you want to peek under the hood and see for yourself, our code base is entirely open source, hosted at https://github.com/forgotpw.
Can I remove all my stored passwords?
Yes, at any time you can completely remove all data you have provided us.
Soon you will be able to request your passwords with your voice by asking Amazon Alexa.
Say "Alexa, ask Rosa for my password to Amazon.com.", and Rosa will text a link to your phone to retrieve your password.