There is one thing that is holding me back from buying a subscription from Proton Mail / Proton Pass etc., and it is the way they handle security with the password manager and the mail. Why in the world is the password manager using the same password as the mail? I hate their “put all your eggs in one basket” architecture; it doesn’t make any sense at all.
So instead of making our lives easier, they make our lives harder: now we have to remember two passwords instead of just one. It doesn’t make any sense. Pass should have its own password.
What happens if a hacker or agencies find a way to see the password typed in Proton Pass? They will gain access to our mail, our entire private life, and I’m not OK with this.
What are your thoughts on this subject? And how do you handle this problem? Are you guys using the additional password?
Please don’t tell me “You can still use Bitwarden” or other services; that’s not the problem here.
You should be using multi factor authentication regardless.
It’s ridiculous that Proton does not allow you to have separate passwords for each of their services.
I also think this community tends to be a bit dramatic about the risks of the “put all your eggs in one basket” architecture. If you are following standard security practices with the password you are using and have strong MFA (i.e. passkeys, hardware tokens, TOTP) for your master password and the services you use, the risk is much smaller than what people make it out to be, for most threat models.
High threat model or not, it’s not normal for the password for the password manager, mail, drive, VPN etc. to be the same. It’s absolute nonsense; they should be separate.
And just saying to use 2FA is not a solution and solves nothing.
I agree; if you had read my response you would have seen I called it ridiculous.
It protects your account from being logged into in the event a hacker has seen your password, which is the scenario you laid out that I was responding to.
The additional password and 2FA code should be sufficient in the majority of cases. What concerns me is that Proton will let you recover your email address by providing “proof” that a hacker/agency could easily find if dedicated. Tutanota doesn’t allow this. Gmail used to, but they no longer do it either. Why isn’t Proton following basic security measures?
Why should we be okay with the additional password? Why not just create a separate password? I’d like to know the reason for not using a separate password; just give me one.
I wasn’t aware of this huge security issue. This is so crazy. It’s really sad that they have a nice UI in their apps but a terrible security system.