I just posted about this issue on the Proton subreddit and got hundreds of comments. Here's what I found:
The majority of responses fell into two camps:
1. "Just use strong password + 2FA" - Many people said this isn't a real security issue because proper authentication layers are what matter. While I understand this technically, it still doesn't address the fundamental problem of expanding the attack surface unnecessarily.
2. "Use SimpleLogin/Pass aliases instead" - This was the most upvoted workaround (70+ upvotes), but it doesn't solve the problem for those of us who need actual email addresses for business communication. I need to send and receive emails professionally from my custom domain, not work around with aliases that require extra steps for every outreach.
The concerning part: Someone claiming to work at Proton messaged me directly saying "people like you made our work difficult because you will always find a way to complain about something" and criticized my post history. When I asked Proton directly if this person is actually on their team, I haven't gotten a response yet.
The validating part: Multiple users confirmed they face the exact same concern. Several mentioned that Outlook, Google Workspace, and Hostinger all offer this feature. One user who works in software development suggested Proton might be avoiding this because it's a foundational codebase issue that would require significant effort to fix.
My use case: I use one email address publicly for business - it's on my website, social media, business cards, everywhere. That same email can log in to my Proton account. If my credentials ever leak (phishing, my mistake, whatever), attackers already have half of what they need because my login email is plastered all over the internet.
This isn't about replacing 2FA or strong passwords. It's about having basic security controls that are standard everywhere else. Proton, please at least acknowledge this request after years of community feedback.