Proton Pass (Password manager)

I’m curious to know how free plan users are using Proton Pass. With the paid plan, as far as I know, they get a separate Mail ID/username, but for free users that’s not the case.

So if my Proton account ever gets compromised, the hackers could now access all my Passwords and thus gain access to each and every account of mine, that sure doesn’t sound right (considering none of them have 2FA - which I do have but this is just for the sake of example).

1 Like

I prefer to just have to worry about protecting 1 account instead of 2, but the request on User Voice is under review so there is that. The Proton Pass pin also logs out after 3 failed attempts.

Having said that, I am a subscriber with Proton Sentinel enabled (which gives additional security etc…)

I have seen this request before. But can you explain the use case? I am not really seeing any benefits.

Proton Pass has matured into a compelling product that probably should be recommended on Privacy Guides.

It’s reasonable to recommend as a password manager: The Best Password Managers to Protect Your Privacy and Security - Privacy Guides

It’s also reasonable to recommend as an email alias service: Encrypted Private Email Recommendations - Privacy Guides

A user can get unlimited aliases with Proton Pass Plus for $4.99/mo or $24/yr, or they can get unlimited aliases with Proton Unlimited (includes email, VPN, etc). A paid plan is required for TOTP (edit: unrestricted TOTP). SimpleLogin costs $30/yr.

3 Likes

That’s not true. You have 3 free TOTP.

1 Like

Yeah but that’s not nearly enough, is it?

4 Likes

What does it bring that’s new compared to other password managers?
Also, it has significant security issues on the client side.

The desktop app does not ask for a password or PIN (by default) after first login. At the very least, a PIN should be asked for every session.

(A leak of your Proton password will allow access to not only your mail but also all your passwords and therefore your accounts. Although anyone with your mail can reset your passwords anyway.)

Can it be considered cross-platform? Does it have a Linux app?

If we do recommend it, users should be cautioned to use a different account than their Proton Mail account.

1 Like

Hi, I saw you guys are working on making Proton Pass available on F-Droid. Could you guys go the reproducible build route? By default, F-Droid apps are built and signed by the F-Droid team, which requires a lot of trust, and a lot of people aren’t happy with this, even though F-Droid has a perfect track record.
Reproducible builds are signed by the developers and not the F-Droid team, which eliminates the need to trust the F-Droid team.

I believe that this is especially important for a password manager.

1 Like

I think the concerns we had have been addressed now, anyone not ok with me marking this as approved?

4 Likes

I’m working on a PR right now 🙂

Edit: Done!

3 Likes

lol same time but you beat me to it

1 Like

Hey guys and gals, just wanted to give you all a warning about an experience I’ve been struggling with for the past 2 weeks.

TL;DR: DO NOT USE PASS AS YOUR PROTON 2FA

This may be obvious to some folk, but I have been locked out from my account now for 2 weeks. All my 2FA for important accounts were in my pass so I’m sure everything is getting compromised while I sit locked out of my email, password manager, and my sanity.

Worst part is I had emailed proton immediately when my phone started acting funny. I didn’t change my password because I was worried that the biometrics was the only thing letting me sign in. I changed passwords within pass but the logs looked like it was all being viewed by the hacker anyways.

Well, after begging support to call or text me, it took a week before they shut down my account for security concerns. They then asked me to provide an insane amount of information to confirm it was me: who I emailed recently, accounts and programs I used to sign in recently, and my purchase date, amount and information. Luckily I used PayPal and was able to find it from 2 years ago. When they respond, it’s been at 2-4am and it’s telling me more more more. I gave them everything they asked for and they have ghosted me for days now.

I literally gave you all the details and I even have the YubiKey used for the account. That should be proof enough, and I honestly have no idea how they even circumvented the YubiKey?

I’m literally so disappointed with the quality of customer support from you guys and I am a premium subscriber for years. I practiced impeccable password hygiene with your app, making aliases for all accounts and strong passwords with 2FA. I didn’t store my password anywhere for my proton account, it’s in my head and password book. I could have been socially engineered but sentinel should have blocked my account and handled it when I reached out, not after a week and then longer because I still haven’t heard back.

If you claim to be all about security but don’t respond to security emergencies with any urgency then idk why I’m paying for your service. You don’t have any phone support which is insane to me. I understand my $200 helps pay for others, but I need help for me!

I am completely lost right now, as my reliance on aliases and strong passwords has all been placed on Pass and now I know nothing. I can’t change passwords because I don’t know the email alias I used or the 2FA code.

Please please please let me back in with my security key which should be the cherry on top of the excessive information you already had me give you, 4 days ago.

How did they circumvent the YubiKey anyway?

Please help me

3 Likes

I’ve been silently reading this thread for many months and this is very concerning because it’s the second time someone reported this.

Did you contact the Proton team? Do you have any ticket numbers or case numbers?

Did you use this form? Abuse appeals form | Proton

@Son Can you please check what’s wrong with their account? They said they have their YubiKey and all the payment info used 2 years ago.

I personally have all my passwords stored in Proton Pass and this makes me very scared; if I lose access to my Proton Pass account I’ll also lose access to everything else.

This is a good reminder for everyone to have backups.

1 Like

I believe even if your access to the account is restored you would not be able to decrypt previous emails, calendars, passwords, etc without your decryption key.

Does anyone know if the 2 password setup would have prevented an attacker from accessing both email and pass?

@Fibonacci , if this is a concern for you it could be remedied by keeping your proton credentials outside of Proton Pass which I’m sure many would advise regardless.

1 Like
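The warning post above and this reply describe the same failure mode: the vault holds the login and the 2FA seed for the very account that protects the vault, so losing that account means losing the way back in. The following is an added example, not code from the thread or from Proton. It assumes a generic JSON vault export with an `items` list of `name`, `username`, `urls`, `totp` and `note` fields (a constructed layout, not Proton Pass’s real export format) and assumes the vault-hosting account lives under `proton.me`/`protonmail.com`; both are parameters you would adjust to your own export.

```python
import json
from urllib.parse import urlparse

# Constructed sample vault export. The layout is a generic one made up for this
# example; it is NOT Proton Pass's real export format.
SAMPLE_EXPORT = json.dumps({
    "items": [
        {"name": "Proton account", "username": "me@proton.me",
         "urls": ["https://account.proton.me/login"],
         "totp": "otpauth://totp/Proton:me?secret=CONSTRUCTEDSEED"},
        {"name": "Bank", "username": "me",
         "urls": ["https://bank.example"],
         "totp": "otpauth://totp/Bank:me?secret=CONSTRUCTEDSEED2"},
        {"name": "Forum", "username": "me",
         "urls": ["https://forum.example"], "totp": None},
        {"name": "Proton recovery phrase", "username": "",
         "urls": [], "note": "(constructed placeholder, not a real phrase)"},
    ]
})

# Domains of the account that hosts the vault (assumption for this example).
PROVIDER_DOMAINS = ("proton.me", "protonmail.com")


def host_matches(url, domains):
    """True if the URL's host is one of `domains` or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_self_lockout_risks(export_json, provider_domains=PROVIDER_DOMAINS):
    """Flag vault items that only become reachable once you are already inside the vault.

    Two patterns are reported:
      * a login (and especially its TOTP seed) for the provider account that
        protects the vault itself: lose that account and you also lose the
        second factor needed to get it back;
      * recovery material (name or note mentions "recovery") stored inside the
        vault it is meant to recover.
    """
    findings = []
    for item in json.loads(export_json).get("items", []):
        name = item.get("name", "")
        if any(host_matches(u, provider_domains) for u in item.get("urls", [])):
            findings.append({
                "name": name,
                "reason": "login for the account that hosts this vault",
                "totp_inside_vault": bool(item.get("totp")),
            })
        elif "recovery" in (name + " " + item.get("note", "")).lower():
            findings.append({
                "name": name,
                "reason": "recovery material kept inside the vault it is meant to recover",
                "totp_inside_vault": False,
            })
    return findings


def totp_count(export_json):
    """Number of items whose second factor is a seed held in this vault."""
    return sum(1 for it in json.loads(export_json).get("items", []) if it.get("totp"))


if __name__ == "__main__":
    for f in find_self_lockout_risks(SAMPLE_EXPORT):
        extra = " (2FA seed stored here too)" if f["totp_inside_vault"] else ""
        print(f"[lockout risk] {f['name']}: {f['reason']}{extra}")
    print(f"{totp_count(SAMPLE_EXPORT)} items have their TOTP seed in this vault")
```

Run it against a decrypted export and every finding is an item to move out of the vault: the provider login and its TOTP seed into a separate authenticator or a written record, the recovery phrase somewhere that does not depend on the account it recovers. The `totp_count` figure is a reminder of how many accounts a single vault lockout would take with it.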

I started making periodic backups of my Proton Pass account. I store them encrypted on my laptop.

@Tootieman still has their YubiKey, so I guess they can still decrypt their data with it?

1 Like

If support allows them back in, the recovery step would need to be performed. I wouldn’t expect the YubiKey to be sufficient unless the account password had been saved as the YubiKey’s static password (unlikely given the poster’s scenario).

My understanding is neither TOTP nor FIDO2 is used to encrypt the data on the account. Authentication only. Someone correct me if I’m wrong.

Step 2. Data recovery: Recover your emails and other encrypted files using one of the following two options:

  • Recovery phrase: If you’ve enabled your recovery phrase, you’ll be able to use it to restore your emails and other encrypted data.
  • Recovery file: If you’ve downloaded a recovery file, you can upload it to restore your emails and data.

2 Likes

I think @Tootieman has the correct password but doesn’t have 2FA, which is stored in his Proton Pass. @Tootieman, correct me if I’m wrong.

If support makes sure he’s the real owner of the account, they technically can disable 2FA and let him access and decrypt his data with his password, right?

Now, how can support make sure @Tootieman is the real owner?

Apparently he has the YubiKey, the password, payment info, and maybe he can provide ID for verification. Would that be sufficient?

1 Like

The tldr should be: have backups…

3 Likes

I actually have all my info: recovery keys for 2FA, my 12-digit recovery code, my YubiKey. I just can’t get anyone from Proton to unlock my account so I can access it and start changing everything.

Problem is the aliases, while amazing at the time, now make me unable to do anything for accounts I need to change. Everything is in a password book after the last hack. I just want them to unlock it or tell me how my YubiKey was circumvented or if my passwords have been exported.

2 Likes

@Tootieman You don’t have any backups of your database inside Proton?