*: the server code for PP isn’t open source for several reasons:
it’s based on the same backend as other proton services and isn’t designed to be self hosted (it has a lot of components)
open sourcing doesn’t add any benefit as data is always E2E encrypted & decrypted client side, meaning data is always in its E2E encrypted form when it’s sent to the server. The server can be seen as a simple sync proxy to pass data from one device to another in a reliable way.
it has a lot of anti-abuse logic and, if public, it will allow abusers to find workarounds. Anti-abuse is an important topic when a service has a lot of users and some bad people can negatively affect everyone else.
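The "server as a sync proxy" model described in that reply, shown as an added Go example that is not Proton's code: a device encrypts a vault item with AES-GCM before upload, the server stores only the opaque blob, and a second device decrypts it. The SHA-256 key derivation, the SyncServer type and the sample item are constructed stand-ins, not the real client or backend.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveVaultKey stands in for client-side key derivation (assumption: a real
// client runs a slow password KDF; SHA-256 keeps this example self-contained).
func deriveVaultKey(secret string) []byte {
	sum := sha256.Sum256([]byte("vault-key:" + secret))
	return sum[:]
}

// Blob is the only thing the sync server ever holds for an item.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// sealItem encrypts one vault item on the client. The item id is bound as
// associated data so a blob cannot be silently re-filed under another item.
func sealItem(key, plaintext, itemID []byte) (Blob, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, itemID)}, nil
}

// openItem decrypts on the receiving device; a flipped bit, a wrong key or a
// wrong item id makes the GCM tag check fail and returns an error.
func openItem(key []byte, b Blob, itemID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, itemID)
}

// SyncServer models the proxy role: it stores and returns blobs by item id
// and never holds a key. (Constructed type, not Proton's backend.)
type SyncServer struct{ store map[string]Blob }

func NewSyncServer() *SyncServer { return &SyncServer{store: map[string]Blob{}} }

func (s *SyncServer) Put(id string, b Blob) { s.store[id] = b }

func (s *SyncServer) Get(id string) (Blob, bool) {
	b, ok := s.store[id]
	return b, ok
}

// ServerSeesPlaintext reports whether a plaintext fragment is visible in any
// stored blob; with client-side encryption this is false.
func ServerSeesPlaintext(s *SyncServer, fragment []byte) bool {
	for _, b := range s.store {
		if bytes.Contains(b.Ciphertext, fragment) {
			return true
		}
	}
	return false
}

func main() {
	key := deriveVaultKey("constructed-device-secret")
	srv := NewSyncServer()
	item := []byte(`{"site":"example.com","password":"correct horse"}`) // constructed sample
	blob, err := sealItem(key, item, []byte("item-1"))
	if err != nil {
		panic(err)
	}
	srv.Put("item-1", blob) // device A uploads
	fmt.Println("server can read password:", ServerSeesPlaintext(srv, []byte("correct horse")))
	got, _ := srv.Get("item-1") // device B downloads
	pt, err := openItem(key, got, []byte("item-1"))
	fmt.Printf("device B decrypted: %s (err=%v)\n", pt, err)
	got.Ciphertext[0] ^= 0x01 // a modified blob coming back from the proxy
	_, err = openItem(key, got, []byte("item-1"))
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The AEAD tag is what makes the proxy model hold up: the server can neither read an item nor alter it or move it to another item id without the receiving device noticing. What this model does not cover is availability and freshness; a proxy can still withhold an update or hand back an older blob, and detecting that needs client-side versioning rather than encryption alone.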
Well currently I still find Proton Pass to be rather lacking in certain areas. For example, it’s still impossible to import or export your data on mobile, it just redirects you to the desktop browser extension.
Could you please share the cryptography audit report?
I see a pen test report online in the Cure53 site, but nothing about your use of cryptographic principles which is especially important for a password manager.
Other than citing common best practices that might be implemented, as a user I would like to be assured that it is cryptographically secure.
Hi, we have prioritized the export on web first as most password managers only allow import/export on their web versions. That being said, Proton Pass will allow export from its mobile apps; it should be available in Sep or Oct this year.
Not sure if this gives me anymore confidence than before. I don’t quite understand why Cure53 was not commissioned to carry out a cryptographic audit especially since you mention it to be similar across all the Proton apps. Just declaring to use end-to-end encryption is not at all the same as to how it is actually implemented and the only way to have a peace of mind in this situation is to have a third party audit of the cryptographic implementation.
Proton Pass is out now and 2FA is also only a paid service, just like Bitwarden.
It’s even gonna be more expensive than Bitwarden, as their 75% offer costs $1 per month (vs $10 per year for Bitwarden), which won’t stay forever.
If there’s a reason to list Proton Pass INSTEAD OF or BEFORE Bitwarden, this might be for the ecosystem integration (if you have a paid Proton Account, creating email aliases would be easier and depending on your account type you can use the 2FA), or better UX (I didn’t compare both but I heard people complaining about Bitwarden’s UX/UI).
There’s something I don’t understand about Proton Pass.
I currently use Bitwarden to connect to Proton services (including Proton Pass) and I have to enter my email address, a complicated password and the 2FA (classic).
I would have liked to use a complicated, but easy to remember, password to access Proton Pass (like Bitwarden) and a different password for the other Proton services so as not to “weaken” the password for accessing my Proton emails, drive and calendar.
At this time this is not possible. There was an explanation given by one of the Proton Pass people that they do not consider this a real risk, so I would not expect a fix in the near future. You could use a separate account just for Proton Pass.
It is possible to register a Proton Pass account using a non-Proton email. I don’t know if it is possible to remove the Proton Pass function from an existing account.
I’ve been on KeePassXC for many years now (I’ve also taken a look at Bitwarden) and in my opinion, it is inferior to both aside from the UI.
Here are deal breakers for me:
No folder support. It has vaults but only up to 20 even for Unlimited users. I don’t know why this limitation is in place. I use folders a TON for work accounts (different folders per project).
No attachments. KeePassXC and Bitwarden both come with this feature and it’s important to me to have all documents related to an account be in one place (scanned documents).
No full history for passwords and fields. I can tolerate not having histories for other fields (KeePassXC has history for all fields) but the password history is only for generated passwords. And they ONLY last for a day. Proton deletes the password history after a day. I don’t understand why they would do this.
These three are so important for my workflow that I can’t use it.
Other disadvantages albeit a minor issue to me:
No offline access to vault
No desktop app
No web app (only available as a browser extension)
No tags
It is also 20% more expensive than Bitwarden and that’s for the discounted price ($12 for Proton Pass vs $10 for Bitwarden). They plan on charging $5/month ($60/year) for this service which is more than 5 times the price of Bitwarden when it has less features! I would’ve been fine with it if at least their service was 2 times better but it isn’t. What a joke of a service.
The only thing it has going for it is the better UI and the email alias feature but really, there’s nothing stopping you from using email alias services and putting the generated email in your already existing password manager.
I don’t recommend listing this product… at least not yet. Probably best to wait 6 months to a year.
price for Pass Plus is now $1.99/m instead of $3.99/m
item pinning/bookmarking
edit/move/remove items in bulk
sharing suggestion: useful for family or business
offline mode for mobile
item history: you can restore old versions of any item. Available now on iOS and in coming weeks on android & web.
Coming soon:
desktop apps, start with windows, then Mac & Linux
passkeys
offline mode for desktop & web
data breach monitoring
Sync with SimpleLogin
Identity autofill
As with any product in Proton, Pass is fully financed by users’ subscriptions. That pushes us to actively listen to your feedback (and not VC investors) and implement it as soon as we can. So far we have been able to implement the top feature requests on Proton Pass: Hot (387 ideas) – The Voice of the Proton Community
I haven’t seen an official statement anywhere, but I believe also my concern about the vault limitation has been solved. I can create a lot more vaults at least for now, not sure what is the current limitation if any exists.
Furthermore, I have been using Pass lately a lot to manage new aliases and already sort them into the correct vaults. I would actually like to give some advice on that but not sure in what form yet. Something along the lines of keep a segmentation between importance of accounts, so you know where to act first when shit hits the fan… but more on that later.
Now I was wondering how SimpleLogin will migrate the existing aliases given I have a quite unmanageable amount. Will they all just be dropped in the default vault? That would be a sorting… and I would like to be able to move the other stuff elsewhere in advance to keep things manageable. Best case would be, and I hope you pass this along @Son, to import/sync them to a separate vault, so people can start sorting from there.