Proton Mail's new product is a secure password manager
Let's hope the service doesn't turn into another LastPass-style security disaster
By Alfonso Maruccia
In context: Proton AG is best known for its secure mail service Proton Mail, but the company now offers more security-related services, such as a VPN and cloud storage. The Geneva, Switzerland-based organization is working on a new product that should give users a secure space to store passwords and other sensitive text snippets.
The Proton Mail company is expanding its product offerings with a new password manager: Proton Pass will soon be available in beta form to paying subscribers, while the final release should also provide a free tier to non-subscribing users, like other Proton services (Mail, Drive, VPN, Calendar).
According to Proton CEO and founder Andy Yen, a secure password manager has been one of the most common requests coming from the community since Proton Mail's launch. Proton Pass will follow the company's traditional "zero knowledge" approach to security by using end-to-end encryption to protect login credentials and everything else.
Proton Pass was programmed by the developers at SimpleLogin, a company offering an anonymous email service that Proton AG acquired over a year ago. SimpleLogin and Proton shared a common interest in solving the problem of making logins "more secure, more private, and easier" to use, Yen said.
Proton's founder said that passwords have become such sensitive information that an insecure password manager could become a risk to the entire Proton community. A data breach could provide an attacker with everything they need to bypass all of Proton Mail's advanced encryption, Yen said. Therefore, protecting user passwords properly requires a level of competence with encryption and security that "few organizations have."
Proton's CEO highlighted how the risk posed by a major password manager breach became a harsh reality with the infamous LastPass incident, where hackers were able to steal and compromise encrypted user data by stealing credentials from a senior engineer working for the company. Back then, the end-to-end encryption promise made by LastPass turned out to be empty words.
Proton Pass will be different from "just another password manager," Andy Yen said. The service is built "by a dedicated encryption and privacy company," which should make a tangible difference in security. For instance, Proton Pass will use end-to-end encryption for all fields (usernames, web addresses, etc.) and not just for passwords.
Furthermore, the new password manager will use a strong bcrypt password hashing implementation – while weak PBKDF2 implementations have made other password managers vulnerable – and a hardened implementation of Secure Remote Password (SRP) for authentication. Proton Pass is also one of the first password managers with a fully integrated two-factor authenticator (2FA) and support for 2FA autofill, Yen said.
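The paragraph above contrasts a strong password-hashing setup with the "weak PBKDF2 implementations" that hurt other password managers. The weakness in those cases is the work factor: once an attacker holds a stolen encrypted vault, the key-derivation iteration count is the only thing that slows offline guessing of the master password. The following Python script is an added example written for this article, not code from Proton or SimpleLogin. It derives a vault key with PBKDF2-HMAC-SHA256 from the standard library, measures how many master-password guesses per second one CPU core can test at a given iteration count, and flags a vault whose parameter falls below a chosen floor. The iteration counts are assumptions: 5,000 stands in for a low legacy setting, and 600,000 is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256; the dictionary size and salt are constructed for illustration.

```python
"""Added example (not Proton's code): why the PBKDF2 work factor matters for a
password-manager vault.

A vault key is derived from the master password with PBKDF2-HMAC-SHA256. After
the encrypted vault blob has been stolen, the iteration count is the only knob
that keeps offline guessing slow. The counts below are assumptions for
illustration: 5,000 stands in for a low legacy setting; 600,000 is the OWASP
Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
"""
import hashlib
import os
import time

ROUNDS_LOW = 5_000
ROUNDS_RECOMMENDED = 600_000
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Derive the vault encryption key; rounds is the PBKDF2 iteration count."""
    if rounds < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=KEY_LEN)


def guesses_per_second(rounds: int, samples: int = 3) -> float:
    """Measure how many master-password guesses one CPU core can test per
    second at this iteration count. Each guess is one full key derivation,
    which is exactly the work an offline attacker holding a stolen vault
    must repeat per candidate."""
    salt = os.urandom(16)  # constructed salt; a real one is stored with the vault
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, rounds)
    return samples / (time.perf_counter() - start)


def hours_to_exhaust(guess_space: int, rate: float, cores: int = 1) -> float:
    """Worst-case time to try every candidate at the measured single-core rate,
    scaled linearly across the given number of cores."""
    return guess_space / (rate * cores) / 3600


def rounds_is_acceptable(rounds: int, minimum: int = ROUNDS_RECOMMENDED) -> bool:
    """Audit check: compare a vault's stored KDF parameter against the floor."""
    return rounds >= minimum


if __name__ == "__main__":
    # Constructed guess space: a dictionary of 10 million candidate passphrases.
    dictionary_size = 10_000_000
    for rounds in (ROUNDS_LOW, ROUNDS_RECOMMENDED):
        rate = guesses_per_second(rounds)
        print(f"{rounds:>7} rounds: {rate:8.1f} guesses/s/core -> "
              f"{hours_to_exhaust(dictionary_size, rate, cores=8):10.1f} h on 8 cores, "
              f"acceptable={rounds_is_acceptable(rounds)}")
```

The measured rate is machine-specific, but the ratio between the two settings is not: the recommended count costs an attacker 120 times more work per guess than the low one, and that factor multiplies directly into the time needed to exhaust any dictionary. A defender auditing a vault export or account settings uses `rounds_is_acceptable` with whatever floor their policy sets; the same idea applies to bcrypt's cost parameter, which the article mentions as Proton Pass's choice.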
The Proton Pass beta is coming for users on iPhone/iPad, Android and desktop computers, with browser extensions for Brave and Google Chrome. An extension for Mozilla Firefox isn't available yet, but it should come soon.