Proton Pass (Password manager)

Respectfully, I believe this is very poor advice based on a misconception.

Second, there’s quite literally zero increase in security when putting 2fa secrets in your password manager. What possible attack scenarios would it protect against?

It would provide protection in any attack scenario where any other form of (TOTP) would protect you, except for the unlikely scenario of a properly secured vault being breached. When comparing between TOTP stored in your vault versus TOTP (or SMS or e-mail), storing TOTP in the vault is at least as secure as the others in all areas except for one of the less likely scenarios (a vault breach).

As you correctly stated, hardware keys are a separate topic that shouldn’t be grouped into a comparison of TOTP stored in the password manager vs TOTP in a standalone app, so let’s leave them out of this discussion.

Compared to TOTP through your password manager, you will be marginally more secure with a separate (password protected) TOTP app against one threat vector, and marginally more secure with hardware 2fa than any form of TOTP. But the difference is marginal.

In a nutshell my perspective is this: If you want the absolute highest security a hardware key/token is the best choice for a 2nd factor. But if TOTP is sufficiently secure for your threat model, the difference in security between a standalone TOTP app and using your password manager as a TOTP app is at best marginal, and you should choose whatever is most comfortable/convenient for you or whatever makes you feel comfortable.

It would provide protection in any attack scenario where any other form of (TOTP) would protect you

But what specific scenarios would 2fa (when having 2fa secrets stored in the same PW manager) protect against? The two I mentioned weren’t prevented when storing 2fa secrets in the PW manager.

1 Like

Proton Pass has been released to everyone.

3 Likes

I gave it a try. For the coming year I’m going to still use Bitwarden. It’s so much better right now, and also I already have it configured like I wish.

2 Likes

Tried Proton Pass specifically for 2fa TOTP codes. Happy it works but sad it’s a paid thing. Game over. Until they make 2fa TOTP codes free I can’t use it, for I’m poor af.

1 Like

We wouldn’t be removing it unless there was something wrong with it. After all it is the only option with self hosting capability.

As for storing TOTP codes in a hosted password manager, it’s not ideal because it’s really reducing security to one thing - authentication to your password manager. Also we wouldn’t suggest storing one-use “backup codes” in there either.

For one-use backup codes, I don’t store these on my devices. Something like a LUKS/VeraCrypt container on a few USB sticks or backed up offsite is enough. You could even attach the LUKS container to your password manager and that would not reach the filesize limit; after all the backup codes are only text files and there is no reason the container couldn’t be 50MB. That way even if access to your password manager was gained the encrypted file would still require a separate password. Obviously don’t store that password in Bitwarden, if you do that.

For convenience however I can see the reason why people might just use a password manager for storing TOTP codes. If you’re going to do that I would think about the value of such codes; for example I would not store domain/email TOTP secrets in a password manager. It would be totally reasonable to have Aegis with those two things in it, while storing other less valuable TOTP codes in Bitwarden. The exported Aegis JSON file could be added to your LUKS container however for backup. Another good thing to add there would be your LUKS volume headers.

TOTP codes are not the strongest way to do MFA because they rely on a shared secret. FIDO based security such as using a security key is always the better approach because it provides attestation and doesn’t require the service to hold any private secrets, that makes it the “best” security.

5 Likes
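As an added illustration (not code from this thread or from any of the projects mentioned), here is RFC 6238 TOTP implemented from scratch and checked against the RFC's published test vectors. It makes the point above concrete: the shared secret alone is enough to compute every current and future code, so wherever that secret lives (the service, an authenticator app, or the vault that also holds the password) is the thing whose compromise defeats the second factor, unlike a FIDO key whose private key never leaves the device.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP from the shared secret.

Not from the thread. Shows why a TOTP secret is a full credential: anyone holding
it, including a breached password-manager vault, can generate valid codes.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits, algo)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """What a service does on login: accept the code for +/- `window` steps of clock
    skew, comparing in constant time. Note the service needs the same secret."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * 30), code):
            return True
    return False


# RFC 6238 Appendix B test vectors (HMAC-SHA1, 8 digits, secret "12345678901234567890").
RFC_SECRET = b"12345678901234567890"
RFC_VECTORS = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471"}

if __name__ == "__main__":
    for t, expected in RFC_VECTORS.items():
        got = totp(RFC_SECRET, t, digits=8)
        print(t, got, "ok" if got == expected else "MISMATCH")
```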

I don’t know why this is seemingly impossible to find out, but I want to know if you link a paid Proton Pass account—not Unlimited/Business/Visionary, just the standalone Pass subscription—to a free SimpleLogin account, does it upgrade that SimpleLogin account to Premium status?

If anyone has tested this and knows for sure, please let me know.

The mail addresses generated end in @passinbox.com.

But the generated passinbox address already appears in Simplelogin.

When I look in SimpleLogin in the PGP settings it says: This feature is only available in premium plan.
Despite the fact that I have Proton Plus.

Proton Mail Plus or Proton Pass Plus? Mail Plus does not come with SimpleLogin. I’m trying to figure out if Pass Plus unlocks SimpleLogin Premium features.

Only Pass Plus.

I can manage the aliases in SimpleLogin that I generated in Proton Pass. But I do not have access to SimpleLogin Premium features.

1 Like

Tried the Proton Pass app and extension as an Unlimited user. The extension version is nicer than Bitwarden for sure; it detects some websites’ login fields better and also offers a nice looking drop-down menu.

The app version however… is a bit lacking. One thing that always bugged me was the incomplete autofill implementation in password manager apps on android. Bitwarden got it right for both Firefox and Chrome(ium). For Proton Pass, it has some issues for usernames in Brave. Works for Firefox and Vivaldi though.

It is also mildly annoying that the vault can only be managed from the extension and the app; visiting Pass from the web just shows you the settings page.

2 Likes

I’m not really sure if I want to use it, but I’m tempted to pay the promotional price of $12 per year for the premium service. I quite liked the aesthetics, but I don’t use Proton’s email service much, so I wouldn’t use the hide-my-email system as often.

Generally, I use Bitwarden, and I like that you can paste the API key for the DDG hide-email service, but I have my doubts about this Proton service.

1 Like

God forbid they make some money. It’s $10 a year. :roll_eyes:

10 Likes

Anybody know if the Proton Plus subscription would include family accounts and sharing when those features launch?

1 Like

Interesting. What do you think about it?

3 Likes

That is quite bad. I was also surprised Proton doesn’t let you use WebAuthn/FIDO2 like Bitwarden does.

But all proton apps that come out of beta are still beta for at least a year.

The calendar app they have for Android is pretty much broken for an entire month already.

2 Likes

Oh, what’s broken in Calendar? Works perfectly fine here.

On my Pixel 7 Pro it constantly crashes when loading at start-up of the app. A reinstall makes it work again for about half a day and then it’s crashing again. I assume it is something to do with the search feature and the local DB being full, but there is no way to assess that.

Hmm, cannot reproduce on a Pixel 6 Pro with GrapheneOS.

1 Like