TL;DR: Don’t be like me. Refrain from putting all of your eggs in one basket.
Guys, I am seriously pissed off right now.
About twenty minutes after updating to the latest version of Proton Pass on F-Droid, I was logged out of my account. Not just the mobile client, but the Proton Pass extension on my computer as well.
The logout seems to be specific to Proton Pass clients, but that just barely counts as a positive.
So I’ve effectively been locked out of everything.
The Joplin profile I use for seeds and recovery codes is encrypted. Same with the profile I use for my mental health/dream journals. I have about four encrypted GoCrypt volumes I now can’t get into.
What’s worse is I can’t just install a second password manager and try to reset account passwords via email because all of my accounts have 2FA enabled and utilize Proton aliases.
I tried to get support from customer service, but the best they could do was recommend ‘signed-in reset’ which only works on web clients, and—again—I was logged out of the only active instance on my computer.
It’s mostly my fault, because even though I’ve never been signed out of the mobile client after an update (much less the Firefox extension), I was fully aware of Proton’s warning against saving Proton credentials in Proton Pass.
That’s a nightmare come true for every digital security savvy person.
I guess there’s no point in saying that this could’ve been avoided in so many different ways and you have managed to drive into a single power pole on the whole field.
That’s very odd of Proton to log you out from everywhere just like that. Did you manage to find out why they did?
Everyone, for the love of god, please, do not encrypt your password manager’s database (or other means of getting into it) with a password that you don’t know or don’t have a reliable backup of at hand.
I’m sorry to hear you are going through this. It’s very stressful; my only advice is to try to approach it calmly and methodically and consider all options. There may or may not be cracks you can use as pivot points to regain at least partial access to Proton, or some of your other important accounts, or at least minimize the damage.
I nearly got myself into a circular trap like this a while ago when I was robbed. I was able to (mostly) claw my way back out of it, but only barely and partially due to luck, and after weeks of being locked out of everything, there are about a dozen accounts I still can’t access (due to 2FA).
As you rebuild your digital life, be very mindful of your current experience, and try to use it as a learning experience to improve your backup and redundancy strategy. I went with 3 hardware keys (one on me, one backup nearby and a second backup 100+ kilometers away) + another weaker form of 2FA as a backup.
Fortunately, I was able to regain access to the important accounts (Utilities, Rent Portal, Student Loan Servicer, Phone Carrier, etc.) because I keep the email receipts after making payments.
Got a few aliases from the sender/recipient details… Since I’m only logged out of the password manager, password reset requests still forward to my main inbox. Also, I was fortunate enough to be using Aegis for the accounts that offer TOTP 2FA.
I can only assume it was a bug triggered by the update. If it was actually Proton, I’d probably have been logged out of the Calendar, Drive, Proton VPN, and Proton Mail clients as well.
I think Proton did warn against doing this for this reason. It’s unfortunate this happened; to paint this in a more positive way, this is a good learning experience.
Proton has device-based recovery now, so if you enabled that you might have a way to get back in.
Did you write down the recovery code for your account? If you have that you can reset your password and retain data.
My main desktop browser is set up to forget on exit, but the extension always kept me logged in, locking itself behind a pin.
Beyond that one extension, I wasn’t logged into Proton on my computer.
The problem, I feel, is that I only partially committed my account password to memory.
That, and Proton’s weird response to my situation.
They responded almost immediately after my initial report. I typically defer to the mobile apps, so their suggestion of a ‘signed-in reset’ was never a viable option. Nor is ‘device-based recovery’… And recovery codes/TOTPs aren’t an option either because the ‘forgot password’ option on the login page asks not for a token or a code, but a twelve word recovery phrase that I have no recollection of ever setting up.
I’ve sent three follow-up emails—the most recent asking if anyone was working on a solution to my issue—to customer service at Proton, with no further reply.
It does nag you a bit to set it up, so I’d have a look around to see if you did save it or write it down somewhere. See if you can remember your password; sometimes it’s a good idea to sleep on these things, perhaps it will come to you tomorrow.
Because of the end-to-end encryption that Proton uses, there is no way to get your account data back without either your password or the recovery code. Your account data is encrypted with your password; without that, your data is encrypted and impossible to decrypt. Support won’t be able to help you in this case, unfortunately.
Probably the worst thing that can happen in the digital world short of actual crime. It’s probably my biggest fear with a password manager, which leads me to keep monthly backups of my keepass database somewhere else. Thankfully, these are passwords I know by heart, so not really an issue.
What I usually do is write a passphrase down on the back of a business card (for whoever I recommend a password manager to) and make them use that to access their password manager. Usually, within a week they know this password by heart.
I’ve been told it’s important to not know your passwords and to use a generator, but a recent Proton blog post introduced me to the Xorbin SHA1 Hash calculator. So I’ve been using a combination of remembered strong password(s)/memorable phrases and an amendment rule inspired by Go Incognito 3.4.
Would this not mean that someone who knows one of your passwords would be able to get access to the others?
I’m not sure I understand what it is you’re doing. Are you making it so that you store the SHA-1 hash of your master password and your account password?
As in, if my master password was f0ob@r, and I was making a Google account, would I have my Google account password as
That’s one way, I suppose, but the calculator seems to work with spaces and other special characters.
I’m not in the habit of sharing passwords to accounts I own with anyone, so outside of my password manager, only I would know it.
And the amendment itself could be anything relevant to the account. I just used ‘Lemmy Instance’ as an example. Could be the domain, the site title, the number of people I follow, the developer, a random word or nickname I think of (e.g. Twitter = bird app). Literally anything.
The amendment, by itself, is what goes into the password field of my manager.
That way, I don’t need to know the actual password of the account, I just need to remember the master password and use my password manager to retrieve the amendment.
The combination of these two things should result in a never changing hash.
This is just a method I am testing out (for now) since I am working with limited access to the accounts I own.
I’ve accurately answered all of their questions and given my ‘case worker’ the recovery email for them to set up, but they have been remarkably slow to get back to me.
When everything is set up, I’m hoping to just use the recovery email to reset my password and login with no data loss.
Either way, I won’t just rely on Proton Pass moving forward.
Aegis has a ‘notes’ field when setting up or editing an entry; maybe, I’ll use that for recovery codes instead of an encrypted Joplin backup.
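The derivation scheme discussed above (remembered master password + per-account amendment, hashed with SHA-1) and the follow-up question about whether one known password exposes the others, as an added example that is not part of the thread. The sample values are constructed; how the calculator joins the master and the amendment is not stated in the thread, so a single space is assumed. The PBKDF2 variant is an alternative added here for comparison, not something the poster uses.

```python
import base64
import hashlib

# Constructed sample values (not from the thread): the remembered master password
# from the question above and the per-account amendments that live in the manager.
MASTER = "f0ob@r"
AMENDMENTS = {
    "lemmy": "Lemmy Instance",
    "twitter": "bird app",
}


def derive_sha1(master: str, amendment: str) -> str:
    """The scheme as described in the thread: hex SHA-1 of master + amendment.
    Joining with one space is an assumption; the thread does not say how the
    two are combined. The result is deterministic, which is the 'never
    changing hash' property the poster relies on."""
    return hashlib.sha1(f"{master} {amendment}".encode("utf-8")).hexdigest()


def derive_pbkdf2(master: str, amendment: str,
                  iterations: int = 600_000, length: int = 24) -> str:
    """Alternative added here (not from the thread): PBKDF2-HMAC-SHA256 with the
    amendment as salt. A single SHA-1 is a fast hash, so if one derived site
    password leaks and its amendment is guessable, trying candidate masters is
    cheap; a slow KDF makes each guess cost `iterations` hash operations.
    Output is base64 so it is typeable into a login form."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              amendment.encode("utf-8"), iterations, dklen=length)
    return base64.b64encode(raw).decode("ascii")


def rebuild_all(master: str, amendments: dict, derive=derive_sha1) -> dict:
    """The point of the follow-up question: holding the master password and the
    amendment list is enough to recompute every site password, with either
    derivation. The amendments alone (what the manager stores) give nothing
    without the master, and the master alone gives nothing without them, so
    losing either one loses every derived password."""
    return {name: derive(master, amendment) for name, amendment in amendments.items()}


if __name__ == "__main__":
    for name, pw in rebuild_all(MASTER, AMENDMENTS).items():
        print(f"{name:8s} {pw}")
```

Both derivations are deterministic, so the recovery problem in this thread does not go away: the manager holding the amendments still has to be backed up independently of the remembered master.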
I completely get it. However, I can’t say I don’t find myself annoyed from time to time. I’ve lost access to large portions of my digital life due to a random bug…
When you get everything sorted out, you may consider exporting the database to a CSV file. That way you can print the file out and have a physical copy of everything. Also, the CSV file can usually be imported into a new app saving you hours of doing it by hand. Obviously keep all those in a very secure place. Be sure to create a new CSV file periodically to reflect new entries.
I believe you can export your 2FA seeds in a lot of 2FA apps. Might do that as well and keep it secured with your CSV file. Those exported seeds can usually be imported into most 2FA apps as well.
As a user of Keepass I am having difficulty with the recommendation of exporting to CSV and then worrying about safety and security of the resulting file and/or print out.
That is a fair amount of extra effort with its own security risks. The print-out strikes me as being just short of useless: my passwords are all long random strings generated by my password manager and I can’t even successfully type them in with less than a few tries. And the important accounts also have TOTP set up, so there would have to be accurate typing for that too. Trying to recover more than a couple of accounts by typing in those long random passwords and TOTP recovery information would be so difficult as to send me off to try some other method.
I share my Keepass file between my devices using my NextCloud server, so at a minimum a current copy is present on my laptop, my NextCloud server, and my phone. My laptop is backed up each hour with encrypted backups to my local NAS. In addition, I do a monthly copy to a hidden and encrypted partition on a USB drive I keep on the keyring that holds my house and car keys, so it is always with me, and the file is also written to a USB drive kept in a fireproof box. It seems exceedingly unlikely that I will lose access to all of them at the same time. The sharing between devices and the laptop backup are automatic, so no effort there. The monthly backup is via a script and only takes a minute or so to do. So the ongoing effort to keep things backed up is minimal.
One advantage of a local encrypted password file like Keepass, at least in the more recent versions of the various apps that support that file format, is that they support TOTP in addition to passwords, so backing up my passwords also backs up the TOTP information. Using a cloud service to keep current copies on your various devices is pretty easy. I use my own server, but since the password file is encrypted, the risk of using a cloud service not under your own control is probably okay for many threat models, at least if you use a long enough passphrase for your password.
One more thing to think about is succession planning. All my financial accounts can really only be accessed using the information stored in Keepass. In addition to passwords and TOTP codes, I use different random made-up answers to the security questions that some sites require. I have to look up the answers to those idiotic questions in Keepass myself. So, near as I can set things up, even I can’t social engineer my way into my accounts.
If something happens to me, the executor of my estate will have a much easier job if they can get access to a copy of that file. In my case the executor lives in a different state, so I made a QR code with the Keepass password, sliced it in half, and verified that neither half of the QR code would work by itself but that placing them together would still work. One half was mailed to the executor; the other half is under my control, but the executor has been informed about where they can find it if I pass away. I haven’t seen too much on how one should deal with secure passwords and succession planning, so maybe my method is not as good as it should be. But you should think about how your setup will deal with it.
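A two-part split of a vault passphrase, as an added example that is not the poster’s method: instead of cutting a QR image in half, the passphrase is XORed with a random one-time pad so that each half is provably independent of the secret (the property the poster checked by hand on the QR halves), and each half carries a short checksum so a damaged or mistyped share is noticed before combining. The sample passphrase is constructed; the text each function produces can be put into a QR code with any generator, which is outside this block.

```python
import base64
import hashlib
import os


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Two-of-two split. share_a is uniformly random; share_b = secret XOR share_a.
    Each share on its own is statistically independent of the secret, so one
    holder (the executor, or whoever finds the other half) learns nothing."""
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """XOR the two shares back together to recover the secret."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def share_envelope(share: bytes, label: str) -> str:
    """Printable text for one holder: a label, the share in base64 and the first
    8 hex digits of SHA-256(share) so transcription damage is caught at the
    holder's end. The checksum is over the share, not the secret, so it leaks
    nothing about the passphrase."""
    check = hashlib.sha256(share).hexdigest()[:8]
    return f"{label}:{base64.b64encode(share).decode('ascii')}:{check}"


def parse_envelope(text: str) -> tuple[str, bytes]:
    """Reverse of share_envelope; refuses a share whose checksum does not match."""
    label, b64, check = text.rsplit(":", 2)
    share = base64.b64decode(b64, validate=True)
    if hashlib.sha256(share).hexdigest()[:8] != check:
        raise ValueError(f"share '{label}' failed its checksum; do not combine it")
    return label, share


if __name__ == "__main__":
    # Constructed sample passphrase, not a real one.
    passphrase = b"correct horse battery staple"
    a, b = split_secret(passphrase)
    env_a = share_envelope(a, "executor")   # mailed to the executor
    env_b = share_envelope(b, "home")       # kept by the owner
    print(env_a)
    print(env_b)
    recovered = combine_shares(parse_envelope(env_a)[1], parse_envelope(env_b)[1])
    print(recovered.decode() == passphrase.decode())
```

The checksum only protects against accidental damage; since both halves are needed and either alone is useless, the main risk to manage is losing one of them, which is the same availability problem the rest of this post addresses with multiple copies.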
I’m not sure about Proton Pass, but some password managers keep a local encrypted cache of the password vault. If you set your device in airplane mode (no network access) and login you may be able to export your vault.
While no help for you if you can’t get back in, you should always have a usable offline backup. I use Bitwarden and can directly import a Bitwarden .json file into KeepassXC, so I have a ready-to-use backup. With Proton Pass you’d have to export to .CSV and then import that (perhaps with some manipulation) into KeepassXC. I prefer KeepassXC because it can run on all my devices and has built-in support for TOTP. Just beware that not all data in your vault will be imported (particularly attachments and passkeys).
I was only suggesting a CSV file backup because it can be imported into almost any password manager. If I were to have a catastrophic electronic failure, I’d be relieved to at least have a print-out of my logins and passwords. Obviously both items would need to be secured.