Proton Pass (Password manager)

Personally, I’ll be happy to try Proton Pass the day security keys work on all platforms and TOTP can be removed.

This is the feature I miss the most on Proton today, and especially on Proton Pass, since competitors already support security keys on mobile.

Can you explain why you use Bcrypt to encrypt the user key when it is not meant to be used like that, as it isn’t a KDF but a password hashing function? There are better options available, such as Argon2.

I moved to Proton Pass a couple of months ago after using Bitwarden for years, and I’m much happier with the UX on web and Android. Bitwarden was really painful to use. Automatic aliases is a killer feature for me too, and I’d be happy to see Proton Pass on PG (but don’t particularly care if they won’t). The only thing I’m not happy with is that they don’t provide an F-Droid build, which is true for all their apps, and I honestly hate it.

The common concern among people is putting all eggs in one basket, but personally I find it unconvincing, as getting access to your password manager means getting access to everything anyway.

From my understanding they use bcrypt to derive a key to encrypt the user key using a symmetric cipher (possibly stretching it, given bcrypt is a password-based KDF), so it’s used as designed. bcrypt is also good enough (and much better than PBKDF2, used by Bitwarden by default). Although Argon2id is even better, depending on parameters it may be weaker than bcrypt; it also requires wasm to have acceptable derivation speed with good parameters, which adds another attack vector (and is disabled in Tor/Mullvad Browser and Vanadium).

2 Likes
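To make the scheme described in the reply above concrete, here is an added example, written for this page and not taken from Proton or from the thread, of the "derive a key-encryption key from the password, then wrap a random user key with a symmetric cipher" pattern. Because bcrypt is not in Go's standard library, the stretching step is assumed to be PBKDF2-HMAC-SHA256 implemented inline; the AES-GCM wrapping, the record layout, the iteration count and the names WrapUserKey, UnwrapUserKey and ChangePassword are all illustrative assumptions, not Proton Pass's actual format or code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedKey is the stored record: everything needed to recover the user
// key except the password. (Assumed layout for this example.)
type WrappedKey struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte // AES-GCM(userKey) under the password-derived KEK
}

// pbkdf2SHA256 stretches a password into keyLen bytes (RFC 8018 with
// HMAC-SHA256). It stands in for bcrypt here; the role in the scheme is the
// same: turn a low-entropy password into a fixed-size key at a tunable cost.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// kekCipher derives the key-encryption key and returns an AEAD over it.
func kekCipher(password, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapUserKey encrypts a random user key under a key derived from the password.
// The password never touches vault data directly; it only protects userKey.
func WrapUserKey(password, userKey []byte, iterations int) (WrappedKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return WrappedKey{}, err
	}
	gcm, err := kekCipher(password, salt, iterations)
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{Salt: salt, Iterations: iterations, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, userKey, nil)}, nil
}

// UnwrapUserKey re-derives the KEK and opens the record. A wrong password or
// a tampered record fails the GCM tag check and yields an error, not garbage.
func UnwrapUserKey(password []byte, w WrappedKey) ([]byte, error) {
	gcm, err := kekCipher(password, w.Salt, w.Iterations)
	if err != nil {
		return nil, err
	}
	userKey, err := gcm.Open(nil, w.Nonce, w.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong password or corrupted key record")
	}
	return userKey, nil
}

// ChangePassword re-wraps the same user key under a new password; data that
// is encrypted under the user key itself does not need to be re-encrypted.
func ChangePassword(oldPw, newPw []byte, w WrappedKey, iterations int) (WrappedKey, error) {
	userKey, err := UnwrapUserKey(oldPw, w)
	if err != nil {
		return WrappedKey{}, err
	}
	return WrapUserKey(newPw, userKey, iterations)
}

func main() {
	userKey := make([]byte, 32) // the random symmetric key protecting the vault
	rand.Read(userKey)
	w, _ := WrapUserKey([]byte("correct horse battery"), userKey, 100000)
	got, err := UnwrapUserKey([]byte("correct horse battery"), w)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, userKey))
	_, err = UnwrapUserKey([]byte("wrong password"), w)
	fmt.Println("wrong password rejected:", err != nil)
}
```

The structure is the point the reply makes: the password only unwraps a random user key, so a password change re-wraps one 32-byte value, and an attacker holding the stored record is slowed by the KDF cost (the iteration count here, the cost factor for bcrypt) rather than by the cipher. Whether that cost is high enough is exactly the parameter question raised about Argon2id versus bcrypt.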

+1 on the UX bit.

Proton Pass was an easy decision for me purely based on the UX/UI improvements over Bitwarden, and that’s coming from a non-Proton Unlimited subscriber, i.e. I’m willing to pay for it on its own.

I’m a strong believer in privacy not feeling like a chore or compromise, and Proton Pass finally brings password management up to a level where I feel that’s true for me here.

Once syncing from SL is implemented, it will also cut out my displeasure with using SL on mobile since I’ll just use Pass to manage it all, which effectively kills two birds with one stone for me.

1 Like

I agree. The FIDO paywall is a horrible idea. But it is open source, so it is trustworthy enough. People should have a choice.

It should be delisted.

  • Not open source (we can’t check anything from their clarifications)
  • They were breached

Article (official)

1 Like

This is not paywalled anymore.

2 Likes

1Password already made a statement regarding the Okta breach. No customer data was compromised.

Also, they are not open source, but they have regular security audits from reputable vendors.

There is also a discussion on Reddit about this, and a brief explanation on the 1P forums.
https://www.reddit.com/r/1Password/comments/xks8ko/honest_question_why_isnt_1password_open_sourced/

And, no. They shouldn’t be removed from the PG Recommendations.

As for Proton Pass, it still needs improvement. For me, the Windows desktop app is the most important part, then sharing logins with others, the ability to select multiple items (not clicking one by one), more default categories and templates, and the ability to import custom fields and files from other password managers, like software licenses, notes or attached files.

I won’t use a browser-only password manager.

It is free now :smiley_cat:

All proprietary software should be delisted or have huge warning labels that it is proprietary.

Oh you wrote before me :smile:

Some details might change in the final implementation but basically we’re going to ask you to choose the vault in Pass where you want missing aliases, i.e. aliases that are on SL but not on Pass, to be synced to. After that, missing aliases will be automatically synced to this vault.

4 Likes

Support for F-Droid is on our to-do list; I hope that it’ll be available in the coming weeks.

1 Like

Vault sharing is now available.

Other requests are already listed on our feature request forum at Proton Pass: Hot (661 ideas) – The Voice of the Proton Community; please feel free to upvote the ones you want to see coming so we can prioritize our to-do list. We try to deliver as many features as we can, but our team is relatively small compared to VC-funded companies like 1Password and the others.

I don’t want to share a whole vault, but only several logins with outsiders.

Above were my suggestions because these features are already available in other password managers, and to be honest, I prefer to pay only one provider instead of many. If you can improve Proton Pass to the level of 1Password, I will gladly cancel my 1Pass subscription.

Edit. How many votes will be enough for a feature to be implemented, and how long will it take to implement? For example, Bitwarden’s most wanted feature, the autofill overlay, took something like 5 years to get implemented.

That sounds encouraging, thanks! I just hope “coming weeks” really means coming weeks and not “coming weeks, Valve/Proton time”.

1 Like

Just to confirm, once aliases are migrated to a vault, they won’t require a premium SL subscription to remain activated? As a non-Unlimited subscriber I would have to pay for SimpleLogin and Pass separately, so it would be a shame if aliases were disabled for using SL domains (e.g. @slmail.me) without that subscription anymore.

I didn’t read the whole topic, I just want to say one thing about Proton:
They closed my account without prior notice under the pretext of “anti-abuse”, and I sent many tickets and DMs on Twitter, but nothing. I can never access my data again. I had a lot of important information, passwords and files in Proton that had a direct impact on my life, and I don’t have the passwords of many platforms anymore.

My whole point is that if you have very important information, do not use Proton, because your account may be closed without prior notice and for any excuse, and you will never be able to access your information.
Just check what I said on Reddit and you will see how many people have the same problem as me. I am sure Bitwarden will never do this with your life.

4 Likes

We look at the order of requests in terms of votes rather than the number of votes per se. As for the ETA, this depends on the complexity of the feature. For info, the features mentioned in Proton Pass (Password manager) - #84 by Son took us a couple of months to deliver.

once aliases are migrated to a vault, they won’t require a premium SL subscription to remain activated?

Aliases in SL remain active even after downgrade.

Please note that Pass Plus includes unlimited aliases but doesn’t include custom domains and other advanced features in SL.

1 Like

This doesn’t sound right; can you send me the numbers of the customer support tickets that you have created so I can maybe take a look? An account can only be disabled if it violates the Proton terms and conditions. Although the detection isn’t perfect and can sometimes be wrong, it will be reverted quickly after human verification. All services I know of have an anti-abuse system.

2 Likes

Sir, I have been sending the ticket number to Proton staff for 2 years, but nothing.
Proton support told me on Twitter that they can’t continue this conversation because of “security risks”!
Do you have any idea how much this hurts me? That I can’t access my files that are very important to me?
I mean, what is the worst thing a person can do with an account?
If a person has done the worst possible thing, they should receive at least one warning. Either disable the account for 24 hours or one week, not forever!
Proton didn’t even give me 24 hours to move my information out of my account.
That’s not really what I expect from a privacy-oriented provider.

2 Likes

Did you contact them via this form? Abuse appeals form | Proton