Separate Password for Proton Pass
I don't use ProtonMail as my default mail service, therefore my Proton account is protected by a generated password that I can't and don't want to remember (using Bitwarden).
Having a way to use a completely different password than the one of my Proton account to unlock Proton Pass will be a dealbreaker for me.
You can now set an extra password for Proton Pass in addition to your Proton account password, allowing for better compartmentalization and peace of mind. https://proton.me/support/pass-extra-password
This feature is rolling out today to all Lifetime plans, followed by a staged rollout for Unlimited plans, and it will be available to everyone else over the coming days.
-
spoon commented
This needs to happen. Having the same credentials for mail and pass is a dealbreaker for me.
-
Ron Jackson commented
Completely agree. I still use Bitwarden for this reason.
-
Paul commented
100% agree with this. If someone gains access to your email account password they literally have access to everything.
Side scenario I just ran into that would also encourage a separate password. I updated my Proton Email password and used Proton Pass to generate a password. Guess what happened next? Once I updated my password it logged me out of Proton Pass and needed my new password. However I don't know it since it was generated by Proton Pass. I tried to reset my password and then needed my phrase. Oh guess where that is? Yep, Proton Pass. If I had a master password that was separate I wouldn't have had this problem.
Luckily for me I still have my LastPass Manager to get my phrase.
-
Username commented
Other Proton services offer this feature, and this is a security feature that should be implemented.
If your email or calendar account is compromised, that's an issue and potentially very damaging.
But by having a password manager, Proton have made the target on themselves even larger. They have become even tastier, remember this is publicly in response to the fourth LastPass hack. With LastPass they just had all your passwords, saved cards, addresses, social security and so on. With Proton they'll have all that plus your emails, plus your online storage, plus your 2FA if you add it to ProtonPass (you can).
If your ProtonPass + 2FA has a separate password to the rest of the account then that at least is a more laborious compromise than a total open-sesame as it stands currently.
-
Ranakan commented
I totally agree. That's why I use mostly Bitwarden: "Don't put all your eggs in one basket".
This should be an option in order to have more security layers on your account. Especially if you want to import all of your credentials on Proton Pass.
-
A Doug commented
Ehhh, this should never be done... This would be going backwards in time. The point is to have a single secure identity to access your secure services (email, cloud storage, VPN, passwords). Why not figure out a strong enough password that works for you and use MFA on your account?
-
Bassam Saleh commented
Add the ability to change the master password for Proton Pass, since I use Proton Pass and not other Proton services.
-
polanri commented
I deactivated 1Password everywhere and replaced it with Proton Pass. I really hoped to ditch my expensive 1Password subscription thanks to Proton Pass, but I can't just yet. Yesterday I updated iOS and after the iPhone restarted, the first service I needed to log in to prompted the Proton Pass screen asking me to log in with my Proton account and password (instead of a password I can remember, or a biometric / 2FA authentication), so I had to launch 1Password to retrieve my Proton account credentials \o/
-
Anthony commented
Needs to happen.
-
J.A commented
It would be more secure to have the option of being able to use separate passwords for each service (P'mail, P'drive & P'pass).
If your mail account was compromised by a user, that user has access to everything.
It should be optional. Some folks may prefer a single login, others may prefer a more secure environment where each service has its own password.
-
EntHerder commented
I understand the importance for you to centralize everything in one place, and I am aware that Proton is a reliable company when it comes to security, which is why I have been using Proton for years. However, it would have been preferable to have the choice between linking ProtonPass to one's ProtonMail account or creating a separate account, just like it is possible with Bitwarden. In fact, I specifically use a password manager (Bitwarden) with very strong passwords for Proton and many other services. The only password I easily remember is the one for Bitwarden. I was very excited about the release of ProtonPass, but ultimately, it won't work for me at the moment.
I have noticed that many users share the same opinion, and I hope you take it into consideration.
By the way, it would have been nice to have at least two vaults available in the free version.
-
Paul H commented
I can see the difficulty in implementing this. You don't need to purchase mail to purchase vault. So everything is behind a Proton account. It's not behind your Mail account. Mail is just a service that uses your Proton account. Single Sign on would break with this too. It's hardly a giant security concern as virtually all security-minded companies have SSO. If they break your email, they can reset most service passwords anyway. So having a different one doesn't really matter. Just turn on 2FA. It's infinitely better for security.
-
User commented
I would say that the more important reason is to not have all your eggs in one basket. If Proton is your main email then it getting compromised would also mean your password manager being exposed. Just to not over rely on a single point of failure I would require at least different passwords. An independent TOTP for Proton Pass would be ideal.
-
Tim Z commented
This is exactly my situation.
-
Em commented
This is a pretty good point and partly why I will not move away from keepass. But it doesn't invalidate it as something I'd strongly recommend to my friends that would otherwise just use the same password for everything.
-
[Deleted User] commented
I use a password manager so that I won't have to remember my password to emails and such. Hence, using the same password for the manager and for the proton account defies the point.
Additionally, it is bad practice to have the same password for two online services.
-
AUser commented
This would be invaluable, I'm in a very similar situation. Lack of ability to sign into Proton Pass using a standalone set of credentials is blocking me from migrating from Bitwarden full time.
-
Y commented
Yep, would be great to unlock our vaults with a password locally, so that even linked to our Proton account, we can use a proper password on ProtonPass.
I so agree with "ohoh" comment below. Too much concentration is not a good security way.
-
Y commented
Like on Bitwarden, let the user choose password unlock (rather than PIN) on web and smartphone versions.
Like on Bitwarden, allow creating a master password, uncorrelated to our Proton account credentials.
-
Paulo commented
Much like other services offer, using a master password to open the vault is a must; it's way more secure than using a PIN.
EDIT: Users are logged out after 3 failed attempts to protect against brute force attacks