Do you use an extra password for Proton Pass?

By default, your Proton Pass password is your Proton account password. This means that if a bad actor is able to log into your Proton Mail account, they can log into your Proton Pass account. This is a huge security risk considering all the sensitive information you store in Proton Pass.

For that reason, Proton has implemented the option to add a second password to Proton Pass.

1) Do any of you use this feature?

a) If not, why not?

b) If yes, how do you feel about having to remember 2 passwords?

To me, it feels impractical. Although I have a Proton Pass account, I only use it for managing my aliases, so I have not added a second password for that reason. I still use 1Password as my default password manager, and the only password I have memorized is the passphrase (master password) for my 1Password account. I cannot imagine having to learn a second passphrase. It’s not feasible for me.

THE SITUATION:

I am currently helping someone set up their Proton Pass Plus account on a new device. They also have a Proton Mail account linked to the same Proton account, which they do not use. For now, I don’t think it’s necessary to add a 2nd password for them because they don’t use Proton Mail. But if they did use Proton Mail, it would be too hard for them to remember 2 passwords, as it is for me too.

One of the core selling points of many password managers is that you only have to remember one password, and that’s it. I have been living by that rule for years. In my opinion, it’s a great rule.

PROTON SHOULD ALLOW CHANGING YOUR ACCOUNT ADDRESS

This is why I think Proton should allow you to change the email address linked to your Proton Pass account. The way it currently works is that when you sign up to Proton Pass, supposing you don’t have a Proton account yet, you can use any email provider to manage your account.

That means you can use a Gmail or Tuta address to log into Proton Pass. If you wish to change that later on, you can.

The Problem

However, once you link your Proton Pass account to a Proton address, they can never be unlinked. I don’t think this is good from a security and practical standpoint.

Not only does it force you to always use a Proton address even though Proton may not be your preferred email provider, but it also creates a situation where all your online accounts are at higher risk if you use a single password. It’s that or create a second password, which for most people would be hard to remember.

Needing 2 passwords is not a bad idea…

Back when Proton Mail started out, by default, you needed 2 passwords to log into your account. I was comfortable with this setting for a long time. I don’t remember if Proton had 2FA at the time, but needing 2 passwords was not a problem for me because I used a password manager and didn’t have to remember either of those passwords.

…but not ideal for a password manager that’s permanently tied to other accounts.

Proton Mail was the only service Proton offered back then. Now they have a full suite, and the situation they created with Proton Pass makes things complicated. I am sure there are some people whose primary email address is a Proton address and who use Proton Pass with the same account. You may not want that to change, which is fair, but you’re still in this complicated situation.

BONUS QUESTIONS:

2) Regardless of what your password manager is, do you use a unique email address for it?
In other words, an address that you don’t use for anything else.

3) Do you save your Proton Pass password in Proton Pass?

1 Like

I do not use Proton in any way (I use a trustworthy local provider). But I use a password manager and so I can share my point of view, especially for your question 2. I can also give some general advice about protecting email accounts unrelated to Proton.

Never ever would I trust my passwords to anything that requires an email address to use it. What do you do if the service is not available for some reason? I use KeePassXC (which is not available for smartphones I think, but running Linux on my phone makes it perfect in my specific case). The vault file is saved locally on my PC, and to decrypt it I only need to select it and type in a password, which should be very strong.
I sync data between phone and PC manually over the home network. I do not create new entries every day, so doing the sync manually doesn’t cost much time (just sending and replacing or merging the file).

With a password manager I do not see any reason not to use separate passwords. If your password is leaked, it is leaked for both if you use a single one. If you use separate passwords and the password for your email is leaked → bad for you. But the other way around, you have protected your email, which also protects many other services that are connected to this address (you know, “password forgotten” requests of other services). The email address itself should always have a unique password, if it is not used for trash accounts.

1 Like
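The point made in the opening post (the account password doubling as the vault password) and in the KeePassXC reply above (separate passwords mean a leak of one does not expose the other), as an added Python illustration. This is not Proton’s code, nor code from anyone in the thread: PBKDF2-SHA256 with a purpose label stands in for whatever key derivation a real product uses, the HMAC-based stream cipher is a toy for demonstration only, and the salt and nonce are fixed constructed values so the run is reproducible.

```python
# Added example (not Proton's code): why a second, vault-only password helps.
# A single password that both logs you in and decrypts the vault means anyone who
# learns the login password can also read the vault. Deriving the vault key from a
# separate password with its own purpose label breaks that link.
# Assumptions: PBKDF2-SHA256 as the KDF and an HMAC-based toy stream cipher stand in
# for whatever a real product uses; the salt and nonce are constructed fixed values.
import hashlib
import hmac

KDF_ITERATIONS = 50_000         # assumption; real products tune this or use Argon2/bcrypt
SALT = b"example-salt-16b"      # constructed; real systems use a random per-user salt
NONCE = b"example-nonce-16"     # constructed, 16 bytes; real systems use a fresh random nonce
NONCE_LEN = len(NONCE)


def derive_key(password: str, salt: bytes, purpose: bytes) -> bytes:
    """32-byte key bound to a purpose label, so the login key and vault key never coincide."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + b"|" + purpose, KDF_ITERATIONS)


def login_verifier(password: str, salt: bytes = SALT) -> bytes:
    """What a server would store to check a login; anyone who phishes the password can reproduce it."""
    return derive_key(password, salt, b"login")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (demonstration only, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(password: str, plaintext: bytes, salt: bytes = SALT, nonce: bytes = NONCE) -> bytes:
    """Encrypt-then-MAC the vault under a key derived from `password` with the 'vault' label."""
    assert len(nonce) == NONCE_LEN
    key = derive_key(password, salt, b"vault")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(password: str, blob: bytes, salt: bytes = SALT):
    """Return the decrypted vault, or None when the tag does not verify (wrong password)."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-32], blob[-32:]
    key = derive_key(password, salt, b"vault")
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def attacker_with_login_password(login_password: str, blob: bytes):
    """The thread's scenario: the attacker knows only the account/login password.

    They can always log in (login_verifier is reproducible from that password); the
    question is whether the same password also opens the vault blob.
    """
    return open_vault(login_password, blob)


if __name__ == "__main__":
    secrets = b"bank: correct horse battery staple"  # constructed sample vault content
    # Default setup described in the thread: one password does both jobs.
    single = seal_vault("account-password", secrets)
    print("single-password vault readable with login password:",
          attacker_with_login_password("account-password", single) == secrets)
    # Second-password setup: the vault key comes from a passphrase the login never sees.
    double = seal_vault("separate-vault-passphrase", secrets)
    print("two-password vault readable with login password:",
          attacker_with_login_password("account-password", double) == secrets)
```

Run as-is it prints `True` for the single-password vault and `False` for the two-password one. The purpose label in `derive_key` is the design choice worth noticing: even if a product chose to derive both keys from the same password, the label keeps the login verifier from being reusable as the vault key, but only a genuinely separate passphrase removes the vault from the blast radius of a leaked account password.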

Although I would never take the route that you did to protect my passwords for various reasons, I 100% respect and understand why you went that way. I know that @Henry also used KeePass for a very long time before moving to Proton Pass. Although it adds a layer of risk for me, cloud sync is an important feature, as are UI & UX. KeePassXC doesn’t meet what I’m looking for in these areas, but I understand why some people opt for it.

1 Like
1) Do any of you use this feature?
No.
a) If not, why not?
Using 2FA.
3) Do you save your Proton Pass password in Proton Pass?
Yes.

Out of curiosity, why do you do this?

I have Proton Pass for life. I find single sign-on (SSO) completely absurd. I use Bitwarden

I don’t do this, but I think they do it because it’s a measure against:

  • Forgetfulness.

Example: if you forget 1 word of your ~25 character passphrase, you can still log into Proton Pass on Android or iOS using a fingerprint authentication, and refresh your memory.

The security of a vault isn’t degraded when one puts the keys inside. You have to assume the vault is compromised in that scenario. At that point it doesn’t matter if the keys are inside.

When I think about it like this, it makes sense to me, but I don’t know if you agree. To me, there is no in-between: it’s either compromised or it isn’t.

1 Like

Is it that easy to steal Proton Pass? Fingerprints are one of the most insecure ways to protect something, especially if there is no other factor needed.

Respectfully, I’d like it if you were more nuanced in your opinion. What is seen as bad and wrong by some is perfectly fine for someone else. There is always a spectrum. A healthy mindset is treating security as a means to an end, not as the destination itself. You can use fingerprint authentication if it covers the needs of your threat model.

As a straight-on defense, these are some things that might curb your skepticism:

  • Fingerprint authentication is an opt-in feature. So what you’re saying doesn’t make any sense for people who didn’t opt-in.
  • You already said this part: “especially if no other factor is needed”. I think most of us here use 2FA on our Proton login because it fits the threat model of the average person interested in using Proton.

Oh I actually do do this (I thought I didn’t). It reminded me of the second benefit:

  • Convenient Proton Mail login. Since I’ve been using the Proton Pass extension, I always clear cookies on browser exit (it fits my needs). And having the Proton login credentials in Proton Pass really speeds up the process of logging in to check my mail on desktop.
1 Like

I am very nuanced, you just don’t get it. I don’t use that tool, so I ask questions to understand what’s going on.

If fingerprints are always an additional part, that’s kinda okayish. It is not even a real second factor, because it is too easy to steal and you cannot change it (similar to the DNA test on the other thread). But at least okayish. I still would not recommend it in any situation.

The thing is, the more we use biometrics as security tokens, the more valuable they become to abuse. And this also becomes a danger for people who are not using fingerprints for such things. Let’s say everyone uses it: how easy would it be for a restaurant to capture your fingerprints and match them with the name they get when you pay with any bank card? People pay a lot of money for such information (databases with lots of data) on the internet. How easy is it to get it from the phone itself? Once uploaded, compromised for life. Even for people who don’t use it right now, once their fingerprints are uploaded, they can no longer be used for such things in the future. In fact it is as secure as very easy passwords, just that passwords can be changed at any time.

And again, I asked a question. I do not know which features of software I do not use are opt-in, or if opt-in means it’s the only thing you have, and I just wanted to know this, because that was very much what I was reading out of your text without additional context. So maybe you should be more nuanced when speaking about people you don’t know/understand.

The reason I asked is because I use 1Password as my password manager, and by default, 1Password stores all your 1Password credentials in the app, including your security key. I thought it was weird and didn’t get the purpose. I also worry that if someone was in my home while the app was open on my desktop, they could steal my credentials. That said, I haven’t removed it, and if I’m honest, I’m not sure that it can be removed with 1Password as it’s the default setting.

In regard to using your biometrics to remember your password, that won’t always work. With most password managers, even if you have biometric authentication enabled, they will ask you for your password at least once a month, if not twice. But I get that it’s still useful.

Curious what you think of banks increasingly requiring biometrics, more specifically face rec.
Before, using biometrics with your banking app was optional, and when you did use it, it would authenticate you with the biometrics that you have to save on your phone. This means that banks didn’t actually have a record of your biometric. However now, I am noticing that banks are no longer satisfied with using the biometrics saved by your phone’s manufacturer, they want to have their own record of it.

Just recently I installed my banking app on a new phone, and I was surprised that they had asked to scan my face. This surprised me because I have never used facial rec to unlock my phone, only fingerprint, but my bank wanted to actually record me and scan my face. When I went to the bank to complain, they told me I had no choice but to comply.

1 Like

That is a really bad thing in my opinion and I’m more than happy that I don’t need to care (for now). Luckily I can even do online banking without any app (physical TAN generator for 2FA). I know it is getting worse, especially in other countries, but I hope GDPR in the EU will be a shield against it, because it rates biometric data as highly protectable data (the wording may be different), and so I think it is possible to force banks to use other authentication methods inside Europe. But who knows what the future brings.

The systems are highly insecure. Often a simple photo is enough to make the system think that it is a real or even a specific person. There are even people using game characters to create accounts. You can use bad cameras to make it easier to hack the system. What comes next? Maybe you have to film yourself in 180° to make sure that it is not just a photo. Hackers will collect photos of people from the internet, merge them via AI into a 3D model or something and make a virtual movement on the display. And even if you do not upload your photos to the public internet, you don’t know what cameras shot a picture around you. Smartphones of strangers, Tesla cars, security cameras, …
There is always a way to hack these systems, but the real danger is for the real users like us.

Here it is the same: the more people use these systems, the more valuable they become for bad actors, and you never change your face (with very few exceptions), so once your data is in the wrong hands, your face never becomes a secure token again. Same with other biometrics such as eyes or voices. And even worse, once more companies start to collect such data, it is like using the same password everywhere, and after it gets stolen, you cannot change it (at least not easily).

I usually agree that we first need a “threat model to choose our needs”, but in the case of biometrics I would refuse it, regardless of the specific threat model. If you have no choice, as described with bank requirements (especially without alternative banks), well … nobody can blame you for using it. Life becomes hard without a bank account and I probably would also have to “accept” it.

Okay so I’m curious, have you considered that if the standalone app was open on your desktop (unlocked), the intruder can steal any password anyway, not just your master password/security key. I consider that a full compromise, far past the point of considering defense strategies. Might as well stop worrying now that you know this isn’t something that will make a difference.

Personally I have not experienced this with Proton Pass Android in several months. I think it only happened once when my fingerprint reader was dirty and it failed a couple of times.

That surprises me because it’s standard security for all smartphones and password manager apps.

Yes, but if someone steals my password manager’s credentials, it’s a bigger deal than if they steal my default email or even my bank credentials. With the former they have access to everything, with the latter they only have access to one thing (for email). All of my banks require 2FA via their app when I try to make a transaction on the web.

That is surprising. From my experience, it is practically impossible to do any online banking via web today without needing the bank’s app as 2FA verification. In other words, it’s practically impossible to do any online banking via web without needing a smartphone.

I hope you are right, but I am not confident. If the only way to do banking without being spied on is by physically going to the bank or the ATM every time, it’s not a very pragmatic solution. I hope people sue. I intend to report my bank to my local data protection agency, but I suspect they’ll tell me there’s nothing I can do.

I tell you what comes next. Recording a video of yourself repeating random words that appear on-screen. This system is already in place with some European banks. You can’t fake it with AI either, because you’re given a short amount of time, maybe 30 seconds, and the words will only appear once you press start.

1 Like

That highly depends on your country (and I don’t know if there is really no way for you or you just don’t know the one alternative you have). With smartphone only I would not be able to do any kind of online banking, because I do not own a smartphone. I told my bank and they said “you can buy a TAN generator”, which cost me €25 one time. I know from friends that they paid half the price, because theirs had no camera in it to capture the QR code (which I would have preferred, but it was not an older device :roll_eyes:). Anyway, the good thing is, it is not only more private, but also more secure, and gives you the freedom to use any device for online banking (using the phone is usually not possible without compromising 2FA).

Reporting costs you nothing. At least you can try. In this specific case it may be a good idea to read the GDPR-related parts about why the bank may use such data and why they should also offer alternative methods for data minimisation. It may be a good idea to speak with data protection NGOs first to get some hints.

Companies have a valid interest to use some data, but I think in this case it goes beyond that. I’m no lawyer, so I could be wrong, but that is how I would rate it for now (NGOs can give better answers).

I’m pretty sure the “short time” will be countered by AI reading the screen for those words etc. Really, both sides will use stronger weapons over time. I have seen it so often on other “battlefields”. It just gets worse for normal people (including us).