Do you use an extra password for Proton Pass?

By default, your Proton Pass password is your Proton account password. This means that if a bad actor is able to log into your Proton Mail account, they can log into your Proton Pass account. This is a huge security risk considering all the sensitive information you store in Proton Pass.

For that reason, Proton has implemented the option to add a second password to Proton Pass.

1) Do any of you use this feature?

a) If not, why not?

b) If yes, how do you feel about having to remember 2 passwords?

To me, it feels impractical. Although I have a Proton Pass account, I only use it for managing my aliases, so I have not added a second password for that reason. I still use 1Password as my default password manager, and the only password I have memorized is the passphrase (master password) for my 1Password account. I cannot imagine having to learn a second passphrase. It’s not feasible for me.

THE SITUATION:

I am currently helping someone set up their Proton Pass Plus account on a new device. They also have a Proton Mail account linked to the same Proton account, that they do not use. For now, I don’t think it’s necessary to add a 2nd password for them because they don’t use Proton Mail. But if they did use Proton Mail, it would be too hard for them to remember 2 passwords, as it is for me too.

One of the core selling points of many password managers is that you only have to remember one password, and that’s it. I have been living by that rule for years. In my opinion, it’s a great rule.

PROTON SHOULD ALLOW CHANGING YOUR ACCOUNT ADDRESS

This is why I think Proton should allow you to change the email address linked to your Proton Pass account. The way it currently works is that when you sign up to Proton Pass, supposing you don’t have a Proton account yet, you can use any email provider to manage your account.

That means you can use a Gmail or Tuta address to log into Proton Pass. If you wish to change that later on, you can.

The Problem

However, once you link your Proton Pass account to a Proton address, they can never be unlinked. I don’t think this is good from a security and practical standpoint.

Not only does it force you to always use a Proton address even though Proton may not be your preferred email provider, but it also creates a situation where all your online accounts are at higher risk if you use a single password. It’s that or create a second password, which for most people would be hard to remember.

Needing 2 passwords is not a bad idea…

Back when Proton Mail started out, by default, you needed 2 passwords to log into your account. I was comfortable with this setting for a long time. I don’t remember if Proton had 2FA at the time, but needing 2 passwords was not a problem for me because I used a password manager and didn’t have to remember either of those passwords.

…but not ideal for a password manager that’s permanently tied to other accounts.

Proton Mail was the only service Proton offered back then. Now they have a full suite, and the situation they created with Proton Pass makes things complicated. I am sure there are some people whose primary email address is a Proton address and who use Proton Pass with the same account. You may not want that to change, which is fair, but you’re still in this complicated situation.

BONUS QUESTIONS:

2) Regardless of what your password manager is, do you use a unique email address for it?
In other words, an address that you don’t use for anything else.

3) Do you save your Proton Pass password in Proton Pass?


I use a separate Proton account for Proton Pass.

If this wasn’t the case, I would have no problem with just making an additional password/passphrase. It doesn’t take much effort to memorize something, especially if you use it often—hell, without making any special effort, I’ve memorized dozens of passwords and phrases over the years just from having to enter them occasionally (and of course, I recognize this isn’t the case for everyone, but I don’t think it’s a problem for the majority).

Yes, convenience is a big part of using a password manager. But introducing a new factor like changing the associated address to avoid memorizing one phrase is a bit much, and I wouldn’t be surprised if this introduced new security risks. Also, can you not just memorize the Pass password alone, and store your main Proton password within it?

Bottom line, I don’t think anything has to be changed about the current system now that you can create a separate password just for Proton Pass. If that’s really a problem for someone, I would just recommend they use a different password manager and store their regular proton account information in there.


Is that deliberate? In other words, was it your choice? And if yes, why did you choose that option?

Yes. The reason I remember my password manager’s passphrase is because I type it every day, multiple times a day, on my desktop computer. However, because I use long passphrases with random words, I am not confident that I could memorize 2 passphrases. I fear there’s the risk I’d mix words.

Have I ever accidentally learned codes because I use them frequently? Yes. I often use my friend’s grocery store loyalty card when I go to my local grocery store. I don’t have his card. But I have its serial number saved in my password manager, and because I frequently had to tell it to the cashier, I ended up remembering it by accident. But there were times when my memory was fuzzy, and I had to check my PW manager. Now I just use a picture of the card with the bar code and have it scanned by the cashier.

I don’t think that would work. You need your Proton account password to log into any Proton account, including Proton Pass. So both would need to be memorized.

As I said, I don’t have this problem right now because I only use Proton Pass to manage aliases. I don’t use it as my password manager. The reason I don’t use it as my PW manager is in part because Proton can’t import many of 1Password’s item types, which is close to 40% of my items. There are other issues I have, but the point is, I have hope that in the near future Proton Pass will match 1Password’s features, and I’ll finally be able to switch. When that day comes, I will have to face this problem.

My friend also doesn’t have to face this problem because they don’t use Proton Mail or any other Proton product other than Proton Pass. But if that changes, they will also be faced with this issue.

You still find yourself in a situation where you have to remember multiple master passwords.
I think having the option to change the email address linked to your Proton Pass would be a better workaround, even if not ideal.

Curious what your answers are to the other questions.


I once set a second password for Proton Pass, and then I forgot it (dumb guy) and had to ask Proton support for help.

No, I don’t use that feature. My Proton account password is already hard to guess and hard to remember, so I think it would be redundant to add another password and remember it.

I also use a separate account to manage my password, because the current “second password” setup is a mess. The implementation creates more problems than it solves, and it has already locked a ton of people out of their accounts. Instead of strengthening anything, it adds unnecessary hurdles, and if anything, increases the chance of security mistakes, and goes completely against what NIST actually recommends.

A dedicated password would’ve made far more sense, but Andy already confirmed not too long ago that this isn’t going to happen. I don’t have an issue with the idea of a second password in principle, but the way it’s handled right now puts you in an unnecessary risk window. Sometimes that risk is small, sometimes it’s bigger, but it’s definitely not a great setup.

Thank you for your valuable feedback.

You’ve heard stories of Proton users getting locked out because of having 2 passwords for the same account? Could you elaborate on that?

I agree that it creates unnecessary hurdles. It would have been less of a hassle if, instead of needing a second password for Proton Pass, you needed a second password to log into the rest of your Proton account (Proton Mail/Drive/VPN/etc…). That way, you can save the second password in your password manager, and you don’t have to memorize it. But I imagine that it could be complicated for Proton to implement such a thing because all your Proton services are linked to the same account.

Which Proton services do you pay for and use in separate accounts?

Using 2FA with a YubiKey should pretty much remove that requirement. At least, I can’t immediately see how it could be bypassed.

A lot of people warned this would happen, and the moment Proton rolled it out, Reddit was flooded with post after post of users locking themselves out of their accounts. The irony is that this was entirely predictable. NIST’s guidance has always favored one long, complex master password or, now as of August 2024, a passphrase.

Passphrases are fine now too, but the modern recommendation means something closer to 64 characters, not a cute sentence with a couple numbers tacked on.

Now we’re in a situation where juggling two of those is a recipe for disaster for those who follow those guidelines, now that Proton has added two passwords.

People build muscle memory around a single long password. You type it so often that your hands know it even when your brain doesn’t consciously walk through it anymore. Force a second one into the picture and suddenly everything that used to be automatic is now a pretty big liability. That’s why the floodgates opened so quickly, not only did we have people forgetting their new second password, they were colliding with that muscle memory and habit.

The reason users wanted a separate login for the password manager was for isolation. You don’t keep all your eggs in the same basket, especially when the “basket” holds the keys to everything else you own on said account. People could switch to a second manager like Bitwarden, but if Proton Pass simply had its own independent login, that separation would already exist without forcing people into extra services. That way, you could still stay in Proton’s ecosystem without your eggs in the same basket. If you wanted to use a different password manager, at that point, you’re only diversifying for the sake of diversifying with no real benefit.

This second password model mostly benefits a tiny subset of users with weak master passwords. It’s essentially the same philosophy behind 1Password’s “secret key” gimmick. Extra padding for people who pick a weak primary credential.

To be completely honest with you, if your master password is already extremely long and complex, the risk profile is already low, but that doesn’t mean zero. A separate password would still be the cleaner design as it essentially removes the all-the-eggs-in-the-same-basket scenario. That’s the problem we wanted to have solved.

In my case, I’m lucky as a Visionary user: I got around the limitation by adding another user under my Visionary plan and using that second profile as my primary password manager. That way I still get separation between identity and secret storage. It’s not perfect, but it works for me.

I realize this is probably a little bit overblown, but in the world of security, there’s no such thing as redundancy.

But the rollout of this second password system solved a niche problem while creating brand new headaches for everyone who actually followed security best practices to begin with. And I do remember initially, there were a ton of users getting locked out of their accounts from Reddit posts. It’s not as much anymore, but they do still pop up from time to time.

It didn’t really fix anything. It just complicated the lives of the people who were already doing it right.

Sadly, Proton still won’t let us disable TOTP and rely on a YubiKey by itself. And even if they did, that would only harden the login process, not fix the core issue. A hardware key protects authentication, but it doesn’t create any separation between the password manager and the rest of your Proton account. If the session ever gets hijacked, a token is stolen, or a malicious extension hooks into the browser after you’re already logged in, the vault is exposed along with everything else.

The request for a separate password was never about “making login stronger.” It was about compartmentalization. A second vault password would form its own cryptographic boundary so that the contents of the password manager stay sealed even if the main account session is compromised.

Like nothing is going to save you if your password manager credentials are stolen, but in this case, if your Proton account was the one that falls, your password manager falls along with it.

Compromised vault first = Proton account credentials might be in danger
Compromised Proton account first = vault is definitely in danger
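The compartmentalization argument in the post above, as an added illustration that is not code from the thread or from Proton: the vault is sealed under a key derived from its own passphrase, so an attacker holding only the account password gets nothing, whereas a vault sealed under the account password falls with the account. The encrypt-then-MAC construction (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag), the scrypt cost, the salt and the sample items are all assumptions made so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os

# Constructed demo values; a real client generates and stores a fresh random salt per vault.
VAULT_SALT = b"demo-vault-salt"
SAMPLE_ITEMS = {"bank": {"user": "alice", "password": "correct horse battery staple"}}

def derive_key(secret: str, salt: bytes) -> bytes:
    """Slow KDF; scrypt cost kept modest (assumption) so the demo finishes quickly."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for an AEAD)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate encryption and MAC subkeys derived from the vault key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag check fails before decrypting)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def build_vault(account_password: str, vault_passphrase, items: dict) -> bytes:
    """Seal under the separate vault passphrase when one is set, else under the account password."""
    secret = vault_passphrase if vault_passphrase is not None else account_password
    return seal(derive_key(secret, VAULT_SALT), json.dumps(items).encode())

def open_vault(blob: bytes, secret: str):
    """What someone holding `secret` (account password or vault passphrase) can recover."""
    pt = unseal(derive_key(secret, VAULT_SALT), blob)
    return None if pt is None else json.loads(pt)
```

With no separate passphrase, `open_vault(blob, account_password)` returns the items; with one set, the same call returns None and only the vault passphrase opens it.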

Is your TOTP also exclusively on a YubiKey?

I’m not so sure. Many websites require a phone number to enable MFA via YubiKey.
And I suspect that if you enabled MFA via YubiKey after giving a phone number, you could still lose access if you lose the number. At least early on. My advice to anyone using services like SMSPool is to keep the number for at least a month, and during that time, log into your account many times from different VPN locations, so their system is used to it.

I will have to look into that.

You could argue the real irony is Proton publishing an article last month about NIST’s latest 2025 recommendations.

That being said, AFAIK, the 2 password implementation in Proton Pass is not by default. You have to enable it. So I guess technically they are following the recommendations?

Yes. To be fair, most people do not use passphrases. There is not enough awareness about them. I just learned about them, maybe 2 years ago? People who use passphrases are an infinitesimal minority. If some of them use passphrases that are too short, it will be easy for them to adapt.

No, that is not the biggest problem the way I see it. The biggest challenges are:

  1. Most people don’t know about passphrases, including businesses.

  2. Most people, including companies and organizations, do not know that the length of a password is a bigger contributor to its strength than its character complexity.

  3. Many websites don’t allow passwords longer than 16–20 characters.

Most of my bank passwords are less than 30 or even 20 characters long because they won’t allow longer passwords. And yet, they want to force facial recognition on us.

1000% agree.

Although I was not among them, people were right to complain. However, Proton’s solution is not great. Proton seems to have the habit of answering valid requests with subpar solutions lately. I don’t know why.

I don’t know if that’s the only reason 1Password has set up their system this way. I personally like this system and think that maybe Proton should copy it. I have not memorized my 1Password secret key. I have it written down on a piece of paper that is stashed securely.

I have never had to pull it out because I have 1Password installed on multiple devices already, which means that I never have to type it, even when I buy a new device. As long as I have a device where I am already authenticated with my secret key, all I will need to remember is my password.

No one answered this question:

Regardless of which PW manager you use, I am curious if any of you save your PW manager’s credentials inside it.

I ask this because by default, 1Password saves all your 1Password credentials in their app. Meaning that in 1Password if I search for “1password” I will see all the credentials for my account: my master passphrase, e-mail address, secret key, and any information I may have manually added myself.

What do you think of 1Password having this default set up?
Should other password managers copy it?

At the very least, I think it would be a good idea for Proton to copy 1Password’s secret key model. That way you don’t have to memorize it.

Seriously, why would anyone use a fake number for Proton? All your stuff is there, and if you lost it, you’d be totally screwed.

edit. And if you can’t even trust Proton, then who can you trust?

Absolutely no one is suggesting to use a fake or real number with Proton. I don’t know how you got that idea. Furthermore, Proton doesn’t require you to provide a phone number to sign up for an account or enable 2FA via authenticator app or YubiKey.

I’m not suggesting that anyone should not trust Proton. I would also like to remind everyone that many privacy companies, including Proton, subscribe to the value that you shouldn’t inherently trust them, hence the E2EE.

Right. I thought this thread was about Proton.