Proton Pass’s code has been made open source and passed an audit carried out by the security experts at Cure53.
Hey,
Proton Pass is open source and has now passed an independent security audit (by Cure53). The Android and iOS apps source code can be found here, the browser extensions source code for Firefox and Chrome-based browsers (including Edge) can be found here.
Proton has also completed an independent security audit conducted by Cure53 for all Proton Pass applications and browser extensions, along with the Proton API. This was a “white box” audit, meaning the security researchers were given full access to the Proton Pass source code, along with full access to Proton Pass engineers.
More information can be found in the blog post over here. The audit report can also be found in the blog post.
A bit short sighted to not have Proton Pass Family plans; I have 7 other people on my password managers that share vaults; trying to bundle Pass into the Proton Family suite (mail, storage, etc.) is going to miss a decent amount of users who are only looking for a password manager.
I’m using it but it is terribly buggy. Auto fill fails to work majority of time in chromium based browser. It fails to auto save passwords it generated, it suggests passwords generation for login forms and so on.
Despite them saying it’s out of beta, it definitely looks like it’s a beta.
I worry about putting all my eggs (calendar, mail, drive, etc.) in the Proton basket, as much as I like it. I fear a future where they turn evil and I have to de-google my life all over again.
I’ve been using Proton pass for about a week and it’s okay so far.
Importing passwords from another manager is pretty easy, except that it can only be done from the browser extension. I had to dig out my laptop to import my passwords which was kind of annoying since I rarely use it.
Proton Pass also doesn’t work great on mobile, it rarely recongnizes username fields in my browser. This means I have to manually copy/paste my username and password from the app to the browser to login, which is annoying.
I really like that Pass automatically generates a private email address for each website, but I’m not sure how useful that is in terms of privacy because I still have to get things shipped with my real name and address.
Another nitpick I have is using the same password for my email to also secure all of my passwords and generate my TOTP for 2FA. If my Proton password gets compromised then all of my passwords, my 2FA, and my email are compromised. Seems like a pretty serious security risk, but I’d really appreciate it if someone who knows more about security could explain to me why this is actually okay.
Another nitpick I have is using the same password for my email to also secure all of my passwords and generate my TOTP for 2FA. If my Proton password gets compromised then all of my passwords, my 2FA, and my email are compromised. Seems like a pretty serious security risk, but I’d really appreciate it if someone who knows more about security could explain to me why this is actually okay.
Personally I don’t use 2fa in my password manager unless it’s something I don’t care too much about securing because of everything you said. I use bitwarden but they offer the same service. My boss uses it and I can’t understand why he would trust one password to secure literally everything. Seems too easy to hack compared to keeping 2fa separate.
Not sure if I qualify for that, but just logically, there’s only really a difference if you are not planning on storing your email password in your password manager anyway. If you do that, it doesn’t really matter that you have the same password for both, since if your password manager is compromised, your email is just as compromised.
But, and it’s a big “but”, that’s assuming you’re using a cloud-based password manager that only requires a single master password to get into. My point of reference here is 1Password, where that’s not enough - you also need a device with which you have logged in before, or you need your long, unmemorable Secret Key in addition to your password. You cannot log into 1Password on a new device with just your master password, the way that it appears to be possible with Proton.
I was already paying for both Proton and Bitwarden, I’ve been trying Proton Pass out since it released and it’s nice, seems to do what I need, I might not renew my Bitwarden subscription.
If you use an IMAP email client the ProtonMail Bridge works great on Linux. VPN works well from the command line, though the GUI is still pretty clunky and RAM heavy and either way they really need to make Wireguard and Stealth available on Linux already.
The official ProtonVPN app on Linux has a lot of problems, like a memory leak that exists since years now. At least for me, only the cli without graphical interface works (but does so very well after some tinkering). The lack of Linux support (especially no Linux app for the drive) has frustrated me to the point I am regularly questioning my Unlimited subscription.
But I agree in general, you can get around a lot of the Linux limitations by using browser extensions like the ProtonVPN one. And overall the addition of new services and great security outweighs the lack of Linux support.
There is zero support for drive under Linux which is the major reason I haven’t migrated my workspace org yet. I’d like to ditch Google, but I automate backups with rclone to gdrive and that workflow can’t currently be replicated under proton
I’ve been using Bitwarden for a long time and I’m mostly pretty happy with it. I know that, other than the platform’s level of security, there’s not much to compare when it comes to something like a pass manager, since it only has to do one thing. But does this one have or do something that would make me move to it?
I don’t think this is aimed at people who selfhost their own Password Manager. The only real “draw” it would have for those who do is the ability to consolidate your Pass Manager, VPN, and Email into one service.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !protonprivacy@lemmy.world
Empowering you to choose a better internet where privacy is the default. Protect yourself online with
Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.
Proton Mail is the world’s largest secure email provider. Swiss, end-to-end encrypted, private, and free.
Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.
Proton Calendar is the world’s first end-to-end encrypted calendar that allows you to keep your life private.
Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It’s open source, publicly audited, and Swiss-based.
Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.
SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.
A bit short sighted to not have Proton Pass Family plans; I have 7 other people on my password managers that share vaults; trying to bundle Pass into the Proton Family suite (mail, storage, etc.) is going to miss a decent amount of users who are only looking for a password manager.
Vault sharing is coming. There is no info yet how it will work though
deleted by creator
I’m using it but it is terribly buggy. Auto fill fails to work majority of time in chromium based browser. It fails to auto save passwords it generated, it suggests passwords generation for login forms and so on.
Despite them saying it’s out of beta, it definitely looks like it’s a beta.
I worry about putting all my eggs (calendar, mail, drive, etc.) in the Proton basket, as much as I like it. I fear a future where they turn evil and I have to de-google my life all over again.
Why should they do that? We are their customers. Google is selling ads. We are googles product for their paying customers, companies.
The good point is, you don‘t have to do that. No one is forced to use all the services provided
Yeah. I’ve been avoiding Proton in general for this reason.
I’ve been using Proton pass for about a week and it’s okay so far.
Importing passwords from another manager is pretty easy, except that it can only be done from the browser extension. I had to dig out my laptop to import my passwords which was kind of annoying since I rarely use it.
Proton Pass also doesn’t work great on mobile, it rarely recongnizes username fields in my browser. This means I have to manually copy/paste my username and password from the app to the browser to login, which is annoying.
I really like that Pass automatically generates a private email address for each website, but I’m not sure how useful that is in terms of privacy because I still have to get things shipped with my real name and address.
Another nitpick I have is using the same password for my email to also secure all of my passwords and generate my TOTP for 2FA. If my Proton password gets compromised then all of my passwords, my 2FA, and my email are compromised. Seems like a pretty serious security risk, but I’d really appreciate it if someone who knows more about security could explain to me why this is actually okay.
Personally I don’t use 2fa in my password manager unless it’s something I don’t care too much about securing because of everything you said. I use bitwarden but they offer the same service. My boss uses it and I can’t understand why he would trust one password to secure literally everything. Seems too easy to hack compared to keeping 2fa separate.
Not sure if I qualify for that, but just logically, there’s only really a difference if you are not planning on storing your email password in your password manager anyway. If you do that, it doesn’t really matter that you have the same password for both, since if your password manager is compromised, your email is just as compromised.
But, and it’s a big “but”, that’s assuming you’re using a cloud-based password manager that only requires a single master password to get into. My point of reference here is 1Password, where that’s not enough - you also need a device with which you have logged in before, or you need your long, unmemorable Secret Key in addition to your password. You cannot log into 1Password on a new device with just your master password, the way that it appears to be possible with Proton.
I use Bitwarden but this is good news for everyone, well done.
I was already paying for both Proton and Bitwarden, I’ve been trying Proton Pass out since it released and it’s nice, seems to do what I need, I might not renew my Bitwarden subscription.
Side question because I’m migrating to Proton now.
Free account.
I found the tasks to double storage for Proton Mail and Proton Drive—am I missing any other freebies like this?
No, doubling the storage to 1GB is the only freebie like that currently
deleted by creator
nice
Lack of Linux support for their apps for me is a reason I’d still only ever pay for premium mail from Proton.
I’m still on Bitwarden because linux support.
If you use an IMAP email client the ProtonMail Bridge works great on Linux. VPN works well from the command line, though the GUI is still pretty clunky and RAM heavy and either way they really need to make Wireguard and Stealth available on Linux already.
What benefits do the apps have over the browser extensions? ProtonVPN has a Linux package at least.
The official ProtonVPN app on Linux has a lot of problems, like a memory leak that exists since years now. At least for me, only the cli without graphical interface works (but does so very well after some tinkering). The lack of Linux support (especially no Linux app for the drive) has frustrated me to the point I am regularly questioning my Unlimited subscription. But I agree in general, you can get around a lot of the Linux limitations by using browser extensions like the ProtonVPN one. And overall the addition of new services and great security outweighs the lack of Linux support.
That’s very unfortunate about the Drive app. I just configure OpenVPN on my Linux servers.
deleted by creator
Just what I’m used to. Wireguard would be the better choice.
There is zero support for drive under Linux which is the major reason I haven’t migrated my workspace org yet. I’d like to ditch Google, but I automate backups with rclone to gdrive and that workflow can’t currently be replicated under proton
I thought Proton doesn’t have a drive app for any platform. The WebUI is the only way to use it.
They’ve released a Windows app and Mac OS is in beta. Linux is not happening anytime soon
Ah darn. I had believed it would be arriving later this year.
I’ve been using Bitwarden for a long time and I’m mostly pretty happy with it. I know that, other than the platform’s level of security, there’s not much to compare when it comes to something like a pass manager, since it only has to do one thing. But does this one have or do something that would make me move to it?
The built in 2 factor authentication and built in simplelogin are the best assets.
I don’t think this is aimed at people who selfhost their own Password Manager. The only real “draw” it would have for those who do is the ability to consolidate your Pass Manager, VPN, and Email into one service.
deleted by creator
Well done! Glad to see it. This is the way to build trust in security.
Yeah, I have to say, I’m really happy with the transparency coming from Proton. It was a big motivator for me to upgrade to Unlimited.