While I like players such as Proton entering the Password manager space, I hope they don't lose focus with the multitudes of products.
What I liked about Proton was the simplicity on just one product and executing it well, but lately they've kept on adding new products some in their wheelhouse and aligns well (VPN for example), but some a stretch (Drive/Calendar).
I feel like drive and calendar go with e-mail fairly naturally. The play seems to be giving people willing to pay for a google alternative everything they'd want to replace. They can't give them everything but, encrypted storage feels like a fairly simple thing to provide and calendars are a well trod problem space.
Overall though, I agree with you. Proton seems like a solid company with good offerings and it would be a shame if they lost quality in their core offerings for the sake of adding features.
Only their mail product was vaguely good, but became very outdated as the years went on. I liked Proton VPN but ultimately ditched the whole in favour of better value, better UX, more features.
Sure, but this is for the same exact thing. It's easier to distinguish between proton the online service and proton the runtime, compared to pass the password manager and pass the password manager.
With how Proton handled the French climate activist debacle, who is going to trust this over pretty much any alternative if they're concerned about privacy or security?
The general gist is that any legal, above board company providing privacy-oriented services is subject to the laws of where they operate, ergo, if privacy and security is something that matters to you, don't trust a third-party because they will want to stay in business.
They received a court order, they cooperated with the police, for better or worse (I have zero opinion on it; frankly don't care), and handed over a customer's IP, which led to the arrest of the activist.
The problems that Proton is trying to solve, e.g., email, are better taken care of by other tools depending on a user's threat model. Likewise, if someone actually needs privacy and security because their life is on the line in an oppressive regime, utilizing a service like Proton's is a shit idea.
It's hard to take it seriously when you invoke an XKCD comic in threat model documentation. It isn't cute.
Anybody receiving sensitive information via email is doing email wrong. Email in and of itself is not fit for purpose as anything but a means of notification that something needs their attention on x, hence banks tell you to login to read a sensitive notification, hence the government tell you to login to the web portal to read a message.
They have a link, mostly near the bottom of the report, as a way of (politely) saying that their service won't protect you from "rubber hose cryptanalysis".
It's a cheeky way of saying "this won't stop people from torturing shit out of you", and the rest of the article looks fine.
It's hard to take a poster seriously when they dismiss the entire model based on a hyperlink who fails to address the points in the model.
I'll agree with your point about email though: it's a tool for correspondence, not for secure transfer of sensitive info.
Proton Pass utilizes end-to-end encryption, so not even Proton can decrypt user data, and there have been hundreds of court cases that have proven that Proton's encryption cannot be bypassed by court orders.
Proton like all law abiding companies must follow court orders. But unlike most companies, Proton actually fights in court and won a legal victory against the Swiss government after the case in question, overturning an earlier ruling that email providers can be classified as telecommunications providers. Details here: https://proton.me/blog/court-strengthens-email-privacy.
Who said anything about encryption? The problem at hand is handing over IP addresses of a customer when they themselves are peddling a supposedly privacy-oriented service. The fact remains: it isn't fit-for-purpose, and these are non-solutions to real problems for anyone who isn't just LARPing a threat model.
Replace "French climate activist" with "dissenter in an oppressive regime" and that person would be dead.
Who cares if they later won in court? They still threw someone under the bus. Trusting a third-party business who is subject to the laws of where they operate means this will always be a problem, doesn't matter if they're an email provider or a VPN operator, the solutions aren't fit for purpose.
It does resist casual or accidental leaking, and is even proof any form of disclosure if you have stopped using the service altogether, but is absolutely not robust against rogue employee, rogue company, legal compulsion, infiltrating attacker, &c. as long as you continue to use the service.
If you want actually valuable end-to-end encryption, start by getting your software and network services from different providers. (And avoid the web’s distribution model like the plague, and probably mobile app distribution models too.)
Every time I read about Proton I remember about that time CIA/BND created a fake crypto company in Switzerland because the country was perceived as neutral and used it to sell backdoored crypto equipment.
Crypto AG wasn't a fake crypto company; it was a real crypto company selling a product with a CIA/BND backdoor.
Proton makes open-source alternatives to big tech spyware and provides the service with a freemium model. Not sure what the comparison you're trying to make here is; they're both headquartered in Switzerland?
>Like all Proton services, Proton Pass will be open source upon release.
https://proton.me/blog/proton-pass-security-model So the beta isn't free software, but the release will be? I don't understand why you'd do that, surely the beta is when you most want people to try and break things, but the rest of their products do seem to be in their repos so it doesn't seem like a completely bullshit claim. https://github.com/ProtonMail
Unless something has changed, Proton's "open source" doesn't include the servers themselves, only the clients.
Whereas if you really wanted an open source server-based password manager, you could use VaultWarden with BitWarden clients, or one of countless other options. At this point, people are spoiled for choice.
That's the thing, it doesn't. It's lip service, as is so much in the industry. It's a buzzword on the marketing materials.
Unless you compile it yourself, which in the case of the server VaultWarden (Rust implementation of a BitWarden server), you absolutely can, otherwise you cannot be sure you can trust it.
It depends on what kind of software you need to assess. In the case of client side encryption, which is the market in which Proton positions itself, you can verify the security of the implementation by just looking at the client-side code.
If for some reason you end up needing to read the server-side code, then it would technically mean that client-side encryption has failed and does not deliver the necessary assurance.
If you think about it in terms of threat model, we are operating on the assumption that the provider may be malicious, or compromised. There is no context in which reviewing the source code of the server-side component would help us, because the provider would always be able to modify the source code, whether we read it or not.
On the other side if proton reveals the server-side part of the service, it would likely reveal nothing in terms of your security as a customer but it would reveal a lot of proprietary information that could help wannabe competitors.
(Another user) I've been trying to switch from Keeweb, and Vaultwarden is extremely keyboard-unfriendly in comparison. Perhaps the normal user only use it for auto-completing web forms using a browser extension, but I feel it's actively painful to use the web interface.
Have you tried the desktop application? (I haven't, but there is one, which is assumedly better)
If not, Bitwarden clients are open source, might be worth raising a feature request or offering someone a few bucks to implement what you want to see if you can't DIY.
With my particular use case, I don't auto-fill as that's a security vuln waiting to happen.
I’m guessing PassKeys / WebAuthn rolling out everywhere but at the same time not every site will get it I know. After all, there’s still sites in 2023 that ask users to limit their password length to 16 and only use certain characters.
Version 8 has been plagued with various bugs with editing, scrolling, sync and stability issues on the Mac and iOS apps. It has become extremely difficult to rely on, and really the only path back to stability has been to downgrade to 1Password v7.
> Version 8 has been plagued with various bugs with editing, scrolling, sync and stability issues on the Mac and iOS apps.
FWIW: I was a very vocal complainer about v8 issues and was actively searching for alternatives. However, v8 finally doesn't suck and I'm satisfied for now. I'm hoping they learned a bunch of lessons from that completely botched launch.
Hmm, maybe I’ll give it another go in a few months. I last tried it in January and immediately regretted the upgrade. Probably the most glaring issue for me was that the edit button opened a different item than what you were viewing, and resulted in multiple unintentional password overwrites.
hmm which OSX / iOS versions are you on? The OS-es I mean?
the latest ones? I'm on latest and it's been smooth sailing with 1P, but reading your comment, I am concerned I may be overlooking something, especially in the "sync" space as those kind of issues may creep up on you undetected
I last tried it in January and I was on the latest of everything - OSes, apps. I said this to the poster above but the straw on the camel’s back for me was when I realized hitting the edit button took me to the wrong entry and that I have unintentionally overwritten a bunch of unrelated passwords on the iOS app. Re: sync, I ran into some issues syncing between the safari extension and the iOS apps that resulted in some sort of reconciliation issue. I was already downgraded by that point though and not in the mood to investigate.
I've noticed that this only happens to me if I edit a login from the iOS password integration rather than from the app itself. For example, if I hit the password icon on the keyboard to bring up 1Password and create/edit a login from there, I'll encounter that same issue. One (rather annoying) workaround is for me to kill the 1Password app and when I reopen it, the last login I created/edited outside the app will pop up in edit mode. I close it and redo the process with the second last login I've created/edit popping up and I close it. I iterate until all the logins I've created/edited outside of the app stop popping up.
As of their releases from version 8 1Password went really downhill.
It's also just another electron web app and if there's one thing I don't want electron "apps" doing is storing my secrets.
They no longer support offline / non-cloud vaults and force a recurring subscription.
Beyond that it shows the kind of attitude that's present within their company now - it's all about cutting costs to sell as many recurring subscriptions to pay off their VC funding and investors.
As mentioned by others: cloud only, buggy electron clients (and seriously how can you trust electron with passwords), aggressively hostile to their paying customers, endlessly removing features that people rely on, removing usable keyboard navigation. I could go on for days.
> Like every other Proton service, Proton Pass will be open source and publicly auditable upon launch, so anyone can independently verify our security features and their implementation.
I doubt its going to include sever side code like bitwarden.
But I pay for proton and I'm happy to switch if their product can fully compete.
Genuine question - how is it useful for them to release the server-side code? How do you know for sure that the code they have released is the same as what they are running?
Having the server code would be useful for self-hosting, but if you're relying on Proton to host the code for you, then you have to have a certain level of trust with them regardless.
As a Proton Unlimited subscriber & general supporter of the company:
I don't care who it is hosting it, I don't want my password manager connected to the internet. There is cognitive dissonance when this community that distrusts IoT, call-home LLMs, URL bars that send data to Google and 5G-connected vehicles is willing to connect their most critical private data to a single, profit-seeking source-of-failure.
The password generation and encryption is an easy, solved problem that you can get for free! For any of these services, you're only paying for the UI, backup and internet connectivity. Companies have failed at this before and will fail again.
How do you sync your password manager between computers, out of curiosity? Most people put that file online somewhere they can copy it to other computers. Or is the ad-hoc nature of this usage a defense?
I use KeepassXC though, I'm still not terribly confident that I haven't lost data from forgetting to merge another modified database before overwriting it.
I've thought about doing this as well, but I really like the password manager integration in Firefox. How does the Keepass Browser Extension work? Is it as seamless and do you need to have Keepass running in the background at all times?
I have the same setup, Syncthing + KeepassXC with the add-on: it's not quite as seemless as the Firefox password manager.
You have to pair the add-on with the KeepassXC program once. Whenever you visit websites that you have saved passwords for, you are asked (via popup) if you want the add-on to fetch the login name and password (because it can handle multiple login combinations for the same websites). Then you have a second click on a small symbol next to the login form which then actually fills in your login data.
I personally use pass which out of the box uses git, meaning it's trivial to sync to as many devices as I want. And obviously merging is a solved issue there.
I can't answer for OP, but for me, I just don't. I prefer an entirely offline password manager, and that's the way I use mine (I use enpass). Except for backing up to the cloud, it does not really use the network. When I need a password, on my computer or on my phone, I look it up and transcribe it (I'm reluctant even to allow it to hook into the password autocomplete in IOS; I prefer to copy/paste because I don't really want any leak in the knowledge of where my passwords are stored).
I would actually prefer an even less feature-rich password manager. I've thought of trying to fork something like KeePass for my purposes (or use a restricted subset) but I haven't been willing to devote the time and effort necessary.
This is also what I do. 99% of the passwords in Keepass on my PC I don't need when out and about. The 10 that I do need I just keep updated in a vault on my phone. I don't like the feeling of my 'keys to everything' being hosted somewhere.
In a way, actually. If I use a self-hosted service for hosting the file and keep it open only to myself, then someone who wants that file is targeting me specifically. That's not something I'm particularly worried about. (Obviously someone worrying about that might reconsider this as a line of defense.)
i really hope its passphrase generation is on par with bitwarden. I'm not going back to a nonsense password generator, i hate typing these into other devices. Give me CorrectB4tteryStapleHorse! or no deal.
edit: i really like that they leverate simple login, that might be a reason to switch.
Ideally you shouldn't be looking at the actual contents of your passwords! All my passwords are long and, apart from my password manager which requires my devices and 2fa token, I won't log into any of them by typing a password.
I like line-noise passwords for most things, but I prefer random words (diceware style) for places a password manager doesn't work, which conveniently tends to be less sensitive anyways - if I'm entering a password into a TV one letter at a time on a remote that's not really meant for it, I prefer a friendlier password, but I also don't care if my Netflix password has as many bits of entropy as something important.
I have been a user of Proton since shortly after crowdfunding. I kick myself regularly for not buying a lifetime subscription.
I’m a Proton fan mainly for one reason - assuming that they aren’t a CIA company with back doors, my government must get a warrant to access my data there. This is my right and is recognized in the fourth amendment but increasingly my government chooses to ignore it. I am simply reasserting my rights.
Before I used Proton I used Hushmail for the same reason but they gave up years ago on innovation, and Canada is practically a totalitarian state nowadays anyway so I don’t trust them anymore.
I currently use Firefox for passwords, this syncs nicely between desktops and despite their awkward killing of Lockwise it still works adequately for logging in to Android apps. I don't see any compelling reason for me to switch here even though I already pay for proton mail.
I'm happy subscriber of protonmail and proton calendar. Those are products which provide some value to me, that other products can't (end-to-end encryted, privacy-first, ....).
I would like to see other apps such as proton contacts or proton notes, that provide the same values.
However, I'm not sure if we need another password manager, there are so many already that propose exactly the values listed above...
Another cloud based password security solution. The cloud is as reliable as the weather. Fairly reliable for the next 24 hours, until it isn't. Because gremlins. This is the reason I have to migrate away from 1password this year, what with manifest v2 deprecation and them abandoning personal vaults.
Although the company has good credit in terms of developing secure services, the idea of putting my passwords, my VPN and my emails in the same basket doesn't align well with my threat model. I'll stick to KeePassxc.
93 comments
[ 3.4 ms ] story [ 123 ms ] threadWhat I liked about Proton was the simplicity on just one product and executing it well, but lately they've kept on adding new products some in their wheelhouse and aligns well (VPN for example), but some a stretch (Drive/Calendar).
Overall though, I agree with you. Proton seems like a solid company with good offerings and it would be a shame if they lost quality in their core offerings for the sake of adding features.
They received a court order, they cooperated with the police, for better or worse (I have zero opinion on it; frankly don't care), and handed over a customer's IP, which led to the arrest of the activist.
The problems that Proton is trying to solve, e.g., email, are better taken care of by other tools depending on a user's threat model. Likewise, if someone actually needs privacy and security because their life is on the line in an oppressive regime, utilizing a service like Proton's is a shit idea.
Anybody receiving sensitive information via email is doing email wrong. Email in and of itself is not fit for purpose as anything but a means of notification that something needs their attention on x, hence banks tell you to login to read a sensitive notification, hence the government tell you to login to the web portal to read a message.
It's a cheeky way of saying "this won't stop people from torturing shit out of you", and the rest of the article looks fine.
It's hard to take a poster seriously when they dismiss the entire model based on a hyperlink who fails to address the points in the model.
I'll agree with your point about email though: it's a tool for correspondence, not for secure transfer of sensitive info.
Proton like all law abiding companies must follow court orders. But unlike most companies, Proton actually fights in court and won a legal victory against the Swiss government after the case in question, overturning an earlier ruling that email providers can be classified as telecommunications providers. Details here: https://proton.me/blog/court-strengthens-email-privacy.
Replace "French climate activist" with "dissenter in an oppressive regime" and that person would be dead.
Who cares if they later won in court? They still threw someone under the bus. Trusting a third-party business who is subject to the laws of where they operate means this will always be a problem, doesn't matter if they're an email provider or a VPN operator, the solutions aren't fit for purpose.
… unless they decide they want to, in which case they can, because they serve the software, and can thereby easily exfiltrate the key.
I have to keep on saying it: first-party end-to-end encryption is snake oil. https://hn.algolia.com/?query=chrismorgan+snake+oil&type=com...
It does resist casual or accidental leaking, and is even proof any form of disclosure if you have stopped using the service altogether, but is absolutely not robust against rogue employee, rogue company, legal compulsion, infiltrating attacker, &c. as long as you continue to use the service.
If you want actually valuable end-to-end encryption, start by getting your software and network services from different providers. (And avoid the web’s distribution model like the plague, and probably mobile app distribution models too.)
By default, who generates the keys?
If you are compromised and your software starts to exfiltrate the keys to a third party, how long do you think it would be before anyone noticed?
[0] https://proton.me/pass
https://en.wikipedia.org/wiki/Crypto_AG
As a rule, never depend on only one company for all your opsec. Use different companies for you mail/VPN/password manager/antivirus/...
Proton makes open-source alternatives to big tech spyware and provides the service with a freemium model. Not sure what the comparison you're trying to make here is; they're both headquartered in Switzerland?
Can you link to the open-source repository for this password manager?
https://proton.me/blog/proton-pass-security-model So the beta isn't free software, but the release will be? I don't understand why you'd do that, surely the beta is when you most want people to try and break things, but the rest of their products do seem to be in their repos so it doesn't seem like a completely bullshit claim. https://github.com/ProtonMail
Whereas if you really wanted an open source server-based password manager, you could use VaultWarden with BitWarden clients, or one of countless other options. At this point, people are spoiled for choice.
How does releasing an open-source version prove their production code doesnt have a backdoor in it?
Unless you compile it yourself, which in the case of the server VaultWarden (Rust implementation of a BitWarden server), you absolutely can, otherwise you cannot be sure you can trust it.
If for some reason you end up needing to read the server-side code, then it would technically mean that client-side encryption has failed and does not deliver the necessary assurance.
If you think about it in terms of threat model, we are operating on the assumption that the provider may be malicious, or compromised. There is no context in which reviewing the source code of the server-side component would help us, because the provider would always be able to modify the source code, whether we read it or not.
On the other side if proton reveals the server-side part of the service, it would likely reveal nothing in terms of your security as a customer but it would reveal a lot of proprietary information that could help wannabe competitors.
The famous/traditional Switzerland bank privacy was severely weakened at US pressure.
If not, Bitwarden clients are open source, might be worth raising a feature request or offering someone a few bucks to implement what you want to see if you can't DIY.
With my particular use case, I don't auto-fill as that's a security vuln waiting to happen.
FWIW: I was a very vocal complainer about v8 issues and was actively searching for alternatives. However, v8 finally doesn't suck and I'm satisfied for now. I'm hoping they learned a bunch of lessons from that completely botched launch.
Edit: looks like someone has posted about the issue in their support community although it has devolved a bit into a hot topic. https://1password.community/discussion/138165/edit-jumps-to-...
It's a rather peculiar bug.
It's also just another electron web app and if there's one thing I don't want electron "apps" doing is storing my secrets.
They no longer support offline / non-cloud vaults and force a recurring subscription.
Beyond that it shows the kind of attitude that's present within their company now - it's all about cutting costs to sell as many recurring subscriptions to pay off their VC funding and investors.
I doubt its going to include sever side code like bitwarden. But I pay for proton and I'm happy to switch if their product can fully compete.
Having the server code would be useful for self-hosting, but if you're relying on Proton to host the code for you, then you have to have a certain level of trust with them regardless.
I don't care who it is hosting it, I don't want my password manager connected to the internet. There is cognitive dissonance when this community that distrusts IoT, call-home LLMs, URL bars that send data to Google and 5G-connected vehicles is willing to connect their most critical private data to a single, profit-seeking source-of-failure.
The password generation and encryption is an easy, solved problem that you can get for free! For any of these services, you're only paying for the UI, backup and internet connectivity. Companies have failed at this before and will fail again.
If I'm not hosting it then it isn't.
I use KeepassXC though, I'm still not terribly confident that I haven't lost data from forgetting to merge another modified database before overwriting it.
You have to pair the add-on with the KeepassXC program once. Whenever you visit websites that you have saved passwords for, you are asked (via popup) if you want the add-on to fetch the login name and password (because it can handle multiple login combinations for the same websites). Then you have a second click on a small symbol next to the login form which then actually fills in your login data.
I would actually prefer an even less feature-rich password manager. I've thought of trying to fork something like KeePass for my purposes (or use a restricted subset) but I haven't been willing to devote the time and effort necessary.
In a way, actually. If I use a self-hosted service for hosting the file and keep it open only to myself, then someone who wants that file is targeting me specifically. That's not something I'm particularly worried about. (Obviously someone worrying about that might reconsider this as a line of defense.)
edit: i really like that they leverate simple login, that might be a reason to switch.
I need to set that up then.
I’m a Proton fan mainly for one reason - assuming that they aren’t a CIA company with back doors, my government must get a warrant to access my data there. This is my right and is recognized in the fourth amendment but increasingly my government chooses to ignore it. I am simply reasserting my rights.
Before I used Proton I used Hushmail for the same reason but they gave up years ago on innovation, and Canada is practically a totalitarian state nowadays anyway so I don’t trust them anymore.
https://proton.me/blog/proton-pass-security-model
https://proton.me/blog/proton-pass-beta
From their existing github, i expect they will only open up the client part, unlike bitwarden.
I would like to see other apps such as proton contacts or proton notes, that provide the same values.
However, I'm not sure if we need another password manager, there are so many already that propose exactly the values listed above...
"Proton Pass is also one of the first password managers to include a fully integrated two-factor authenticator (2FA) and supports 2FA autofill."
Highly doubt that. There are already multiple password managers with the feature.