Proton has released a password manager. Proton Pass is a password manager that can store notes and aliases in addition to credentials and totp codes. An entire vault is then encrypted with end-to-end encryption. The feature will first be released in a closed beta.
Proton calls the password vault Proton Pass. That will be a feature that will be offered within Proton’s packages, but the company does not say whether a free variant will also be available. users can store passwords and usernames in the password manager, as well as Time-based One-Time Passwords and notes. In addition, it is possible to save Aliases. That’s a feature Proton introduced last year that allows users to use an alternate email address to hide their original address.
What is particularly striking about the password manager is that the entire vault is encrypted with end-to-end encryption, instead of just the passwords, as is the case with most password managers. What that will mean for users in practice is hard to say. This may slow down the password manager. Plus, it means storing the vaults in one place, which can increase the attack surface. According to Proton, that encryption means that an attacker cannot retrieve metadata, such as which sites a user has an account on.
Proton Pass uses bcrypt as its hashing algorithm and uses the Secure Remote Password standard for authentication. Proton writes in a blog post that individual items are also encrypted with an extra key, so that a potential attacker with the master key cannot in all cases retrieve all passwords during a man-in-the-middle attack. The company provides few details about the encryption for now, but says that the code will be made available open source later. In addition, the password manager is covered by Proton’s bug bounty program.
The service is currently only available as a closed beta. A random number of users are selected for this. The service should become publicly available later this year. The manager is available for iOS and Android and as a browser extension for Chrome and Chromium browsers. There is currently no Firefox extension, because Mozilla has not yet approved it, according to Proton.