Proton Pass - Password Manager
How about a service like LastPass or 1Password to make it easy to store all passwords and secure notes either online and synced with other computers and devices, or locally on one device? A secure password manager using the best of ProtonMail/ProtonVPN services.
Thanks for your support and feedback! In case you missed the launch of Proton Pass, here are a few useful resources:
- Download: https://proton.me/pass/download
- Launch blog post: https://proton.me/blog/proton-pass-launch
- Roadmap as of Oct 26, 2023: https://proton.me/blog/pass-roadmap-2023
-
Anonymous commented
I think that while integrating into the protonmail application might be handy, it brings with it a requirement that you be online to access the app.
I would rather see a standalone app capable of working both online and offline.
Why, because I use ridiculously long passwords for offline applications and yes, probably 40% of my day is working someplace where there is no internet connectivity.
My philosophy is to use the longest password the service or app will accept. The current range is 6 characters to 2k characters.
-
Anonymous commented
Could you add an encrypted password manager in ProtonMail?
I currently use KeePass. But I would love to use ProtonMail because it's more portable. My KeePass is not easy to use with several platforms.
-
James commented
The comment below is excellent, but RE: consolidation would increase the blast radius of an operational disaster, to me email is important to secure but not keep forever, passwords can be reset with email (for the majority) but private keys... well paper backups are still valid. But not being able to access or recover my email and passwords sounds like a really regretful day. A separate legal entity would also have its advantages, I don't live in a suitable country, but I am inspired to see what Proton's open source libraries could be utilized to this end.
-
[Deleted User] commented
This is an essential suggestion. It seems multiple commenters do not fully get the requirements - Bitwarden is based in Santa Barbara, CA, USA. 1Password is owned by AgileBits Inc. which is based in Toronto, Ontario, Canada. Thus, both are, regarding their jurisdiction, nowhere near European privacy standards or legal protection. I use the latter when working for a Fortune 100 company, it is a good product, but it is just not a good fit for other cases. Similarly, KeePassXC is an amazing app that I value deeply, but its online syncing is clumsy (e.g. via Nextcloud mounts - which, again, is in itself a truly great product, just not to add password syncing as a hindsight into KeePass) and esp. when using many heterogeneous devices in parallel this can become a serious burden. Its audits have also suffered due to budget limitations. In addition, there are other great competitors that were for some reason not mentioned like Mateso Password Manager out of Germany, but oftentimes they are too difficult to set up for individuals or only support macOS and Windows rather than Linux [there was another great example out of Germany, but I can't recall their name. Still, many of the mainstream security suite tools come to mind, e.g. the password managers from Avast, Avira, GData, Kaspersky etc.]. In short: Being based in Switzerland with its strong expertise in security and privacy, a clean web platform, solid audits and good support for multi-factor authentication having a ProtonVault would be extremely helpful for me and many of my colleagues (including engineers at Fortune 500 companies and two top 10 universities). Taking into account the specific profile of people who subscribe to a service like ProtonMail as well as its recent diversification into contact and calendar management, having a password vault seems like a natural next step and a promising addition to your portfolio.
I would certainly appreciate this a lot - my current private setup is based on KeePass and it is messy. If I could access this from ProtonMail, ideally also via a small platform independent tool (e.g. based on Qt), that would go a long way. Please take this suggestion into serious consideration and please do not forget to ensure it is usable on Linux (incl. natively if there is a native client).
PS:
I think the closest competitor in this space is actually padloc out of Germany. Many people have not forgotten recent security scandals (e.g. Snowden and the hack of the German chancellor). There is a list of password managers on Wikipedia (even though it is a bit old and incomplete), but looking at password managers you will find that virtually all password managers are US-based (iirc, this also includes LastPass, Keeper, Dashlane, onelogin), Devolutions is Canada-based, Intuitive is Australia-based - all Five Eyes states, so even while I still hold each country in high regard and even directly collaborate with them on several projects, I do think it is not at all unreasonable to assume that there is a market for a Swiss password manager from a company with a proven track record. Being located in Europe (at least EU + Switzerland + Norway) is a huge advantage regarding trust for many customers, even against NordPass (Panama, I think) or Enpass (India, I think). And in terms of attack vectors: In order to break into someone's ProtonMail one already has to compromise their 2FA authenticator and email account - thus, rather than relying on yet another security provider it also does not seem unreasonable to consolidate everything in one service without increasing attack surface too much. [If you are an end user, there is unfortunately only so much you can do to protect against a truly decisive attacker.] Finally, I wouldn't expect you to need to dilute your focus too much in order to add password management capabilities to ProtonMail. While Peter is certainly right that you need to make sure to deliver on the calendar functionality first in order to get a commercially viable component [I can't wait to have that production ready as well], there should be room for password management somewhere on your roadmap. I have already written too much text, but I hope I have shown that there is some merit in revisiting this feature request from 2017.
The person who submitted it has a clear point - imho, there is a clear niche for it and it might be wise to assess it properly rather than dismissing it a priori.
-
Peter commented
Honestly personally I would suggest to first focus on the core functionality for ProtonMail, maturing the implementation of for example the calendar and contacts, before proceeding to start new branches of development while potentially leaving existing gaps unresolved until future
-
amilopowers commented
Use Bitwarden! Open source and very cheap for Premium. $10 a year.
Otherwise Proton could implement Bitwarden into their service.
-
Anonymous commented
Bitwarden is all I need.
Open source, code audited, good UX and ergonomics.
Free or $10 yearly for premium.
-
Max commented
As an email provider focused on privacy and online security, integrating a password manager would be a good idea if you can offer more than any other competitors. Like Apple with "Connect with Apple", you could offer a full privacy connection to services, by providing a fake email address and a strong password, linked to the user's ProtonMail address. This way, the online service wouldn't know the email address of the user, and all mail would be redirected to the true user email by ProtonMail. This way it protects online privacy and security by preventing personal email from being part of a security leak in any service.
Something you could consider, I guess, as it would make the world a safer place for everyone (if no one used the same mail twice, security breaches would be worthless for hackers), and convenient (by permitting the user to suppress mail by address to avoid spamming from services that you don't really care about).
And actually, this service provided by ProtonMail wouldn't even require building a password manager, as it could use any software, just providing a Proton "OneTime" Mail and a generated strong password.
-
jeff stern commented
I agree with others:
a) please do not divide PM's resources,
b) and especially not into something which would only be a duplication of effort anyway.
For me, I just use KeePassXC as my password vault, and then I use Syncthing to sync that file between my cell phone, work computer, and home computer. DONE. No cloud needed.
If you really WANTED to use a cloud, there are also plenty of zero-knowledge cloud services out there. I do like SpiderOak, but they explicitly say they do not do well storing databases or password vaults. I believe pw vaults have problems only because they are in essence databases, and the file can be in an indeterminate state when stored/backed-up. In my case, I solve this by once a day closing any open KeePassXC databases, then copying them to a local backup disk location, then SpiderOak *can* reliably store the backup location copy of my KP database because in that location, the KP file is always *closed* at the time of backup. Same basic method, btw, as how to back up our live database while still running: We export it (while running) to a text file format (which is allowed by the db software), then move the exported text file to the local backup folder, which is then (on next cron job) backed up to remote.
But if you don't want to use an already existing cloud, then at MOST, I would advocate a SMALL ProtonCloud for password vault files only. This could be under 1MB per person -- my KeePassXC file for instance has 564 passwords, but is only 134K.
I don't do it, but theoretically, of course, I could send myself my KeePassXC file once a week as an attachment from and to my PM email account. That would work, too, no?
I believe in a company doing one thing and doing it well. There is still plenty of room for PM to grow in the "well" part. For instance, ProtonMail Bridge / Linux is not published yet, and Dark Mode needs completion, and mail aliases have certain bugs. Not to mention all the other uservoice suggestions here. :-) PLEASE! Go "the Un*x way" and just do one thing and well. Thx!
-
Daark commented
This will be incredibly hard to rival with Bitwarden out there.
-
Zach commented
LastPass (LogMeIn Inc) has now been bought out by a major tech investor and I expect that means it will no longer be focused on security but rather pleasing shareholders at the expense of the customers. I'm sure I'm not the only individual now looking for a new trustworthy manager for my log in info. I'm hoping to hear about Proton Tech launching this as a service soon. I would be willing to pay a premium for the added utility and for the convenience of only having to research one service provider for all my privacy and security needs.
-
Anonymous commented
For me, the value of Proton’s service is where and how information is protected. All the other password managers are a court order away (or less) from giving up all of your stored passwords. That’s not an option for Proton. Suggestions to use existing managers are trying to address the wrong problem IMO. If I’m missing something, please tell me what it is.
-
brohelm commented
I request an integrated encrypted Password Manager into the ProtonMail web UI. It should use a separate password from the email password. So essentially you would need to log into ProtonMail email FIRST before you could enter the login to the password vault using its own unique password. Refer to Countermail.com for a similarly implemented password vault. Hope it helps and Thanks Proton!
-
Frank commented
If developing a full password manager is not viable or worthy, please consider creating a cloud service that can be easily integrated with renowned open-source password managers such as KeePass.
-
Somebody commented
Same as ProtonBrowser delirium or whatever: there are already very good, well-maintained, open-source, audited, cross-platform options around there.
Don't waste your time in reinventing the wheel. Others are currently building it every day.
-
Anonymous commented
Enpass allows a user to store all files offline on any disk. It's not as pretty as the main players but it's always getting updated and it doesn't force update. You can opt in or out without delay each update. The other thing I like is that you get the option of downloading the app from Enpass, not from stores. They also have similar active user forums for ideas and there's always Enpass input. I've been using it for years. The password system is pretty extensive and they have all sorts of checks you can do for keeping things secure. The favourite feature for me is being able to store backups completely offline in multiple locations and having the choice of not having to sync online to get all devices on par. It's also a bargain because it's one payment for life.
-
Matt Skillman commented
I would love this! I have been arguing with LastPass for a week. I would never have used their service if I had known that they literally have *no* technical support you can call on the phone when things get dire.
-
RS commented
Create a stand-alone Password Bank or Vault (not part of Protonmail) for use only locally on a user's device -- not stored in the cloud.
-
Aerion commented
As others have pointed out, this would be a waste of Proton's resources.
Go with Bitwarden. It's open source, cheaper than the alternatives, has support for multiple 2FA methods (U2F keys, non-U2F Yubikeys, TOTP, Duo Security, SMS), and it's super cheap at just $10 a year.
-
Protonymous commented
Omg people..
Think about Proton! Threat Model! They are doing us well enough with what they provide.