Proton Launches an End-to-End Encrypted Password Manager (theverge.com)
Proton, the company behind Proton Mail, has announced the launch of a new password manager: Proton Pass. While the service will eventually become free for everyone to use, it's currently only available as a beta to Proton's Lifetime and Visionary users for now. From a report: As is the case with Proton's other products, Proton Pass uses end-to-end encryption (E2EE) that's supposed to keep your personal information away from prying eyes, including third parties and Proton itself. In addition to letting you store your usernames, passwords, and notes, you can also add any randomly generated email aliases that you can use as a replacement for your real address. Proton's new password manager not only applies E2EE to your passwords but also the usernames, web addresses, and all the other fields associated with your login information. In a blog post explaining the service's security model, Proton notes that "all cryptographic operations, including key generation and data encryption," happen locally on your device, which Proton says it can't decrypt, even if a third party requests it.
Proton says it can't decrypt... (Score:3)
That's untrue. Their code decrypts it "locally on your device". The local code chooses not to pass the plaintext on, but it could.
Re:Proton says it can't decrypt... (Score:5, Insightful)
Passwords don't belong in the cloud. Also, the encryption thing is irrelevant. If you aren't controlling the encryption in advance or allowing any app to access it, then you must assume they have access to the data. If they control the encryption, then they absolutely do in some form. Either they have access on the back end, or they can use their app and upgrade permissions to change the app and allow access to themselves without your knowledge.
Re: (Score:2)
> Passwords don't belong in the cloud.
On the other hand, they do. My wife and I need shared passwords (for utilities, childcare stuff, ... new things every few months). I'm pretty sure that 1Password is better than whatever scheme she or I could dream up for sharing passwords+updates with each other.
Re: (Score:2, Informative)
> > Passwords don't belong in the cloud.
> On the other hand, they do. My wife and I need shared passwords (for utilities, childcare stuff, ... new things every few months). I'm pretty sure that 1Password is better than whatever scheme she or I could dream up for sharing passwords+updates with each other.
You could always use KeePassX or something similar and email the updated databases to each other as passwords, or put them into a cloud account. Date stamps indicate which is the latest - earlier ones can be deleted. One strong password shared between you protects the database files, which in my case are under 50K in size.
This way, the only third parties that might be able to steal your passwords without time and tons of processing power are the KeePassX devs.
Re: (Score:2)
> > Passwords don't belong in the cloud.
> On the other hand, they do. My wife and I need shared passwords (for utilities, childcare stuff, ... new things every few months). I'm pretty sure that 1Password is better than whatever scheme she or I could dream up for sharing passwords+updates with each other.
We do that with a combination of KeePassXC and Syncthing. It works on our PCs, our phones, and our tablets. No company has access to our data, and it is free.
lastpass (Score:4, Interesting)
Hopefully they studied this in detail:
https://www.wired.com/story/lastpass-engineer-breach-security-roundup/
Me, I will not touch these things with a 10 foot pole. I rolled my own using emacs and encryption on a Text File.
Re:lastpass (Score:5, Insightful)
> Me, I will not touch these things with a 10 foot pole. I rolled my own using emacs and encryption on a Text File.
If there's something I *NEVER* want to roll my own, it's encryption+security. I know just enough about it to know how little I know, and how there are attack vectors I'd never even dream of.
Re: (Score:2)
I share jmccue's solution as well. It's not really rolling your own encryption+security - one uses vetted security software (i.e. gpg/vi for me) in security-conscious ways. Is it perfect? Nope. But in my mind, better than the "all your eggs in one basket" these normal password cloud services offer. In my opinion those products are a much easier target for social engineering type vectors. The actual "encryption+security" tools are hardly ever the nominal attack vector.
For my nearly 80 year old mom - I tell h
Re: (Score:2)
That is very likely not self-made encryption. It probably is a GnuPG binding in an Emacs script. Still expert-only, but something an expert can definitely do by themselves. The thing you should never do yourself is encryption _algorithms_.
Re: lastpass (Score:2)
Did you really have to phrase it like a challenge to vi fanatics?
I use emacs and a text file
Re: (Score:2)
Funny, wish I could mod you up.
People should mod this funny, but I guess Slashdot is humor impaired now too.
Re: (Score:2)
vim -x
That'll encrypt the file contents. The quality of that encryption will vary depending on your vim version.
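An added example, not part of the comment above: a shell check that reads the magic header Vim writes at the start of an encrypted file and reports which `cryptmethod` was used, so files left on an older method can be found and re-saved. The function names and ratings are this example's own; the ratings follow Vim's `:help cryptmethod` (zip is weak, blowfish has an implementation flaw).

```shell
#!/bin/sh
# Map the 12-byte magic at the start of a Vim-encrypted file to its cryptmethod.
vimcrypt_method() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    magic=$(head -c 12 -- "$1" 2>/dev/null | tr -d '\0')
    case "$magic" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        'VimCrypt~04!') echo xchacha20 ;;
        'VimCrypt~05!') echo xchacha20v2 ;;
        VimCrypt~*)     echo unknown-vimcrypt ;;
        *)              echo none ;;
    esac
}

# Rate a file: zip and blowfish are the methods Vim's docs flag as weak/flawed.
vimcrypt_rating() {
    case "$(vimcrypt_method "$1")" in
        zip|blowfish)                    echo weak ;;
        blowfish2|xchacha20|xchacha20v2) echo acceptable ;;
        none)                            echo unencrypted ;;
        *)                               echo unknown ;;
    esac
}

# Print every file that is not "acceptable"; return 1 if any was found.
vimcrypt_audit() {
    rc=0
    for f in "$@"; do
        r=$(vimcrypt_rating "$f")
        if [ "$r" != acceptable ]; then
            printf '%s: %s (method: %s)\n' "$f" "$r" "$(vimcrypt_method "$f")"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files (headers only, not real ciphertext).
demo_dir=$(mktemp -d)
printf 'VimCrypt~01!constructed' > "$demo_dir/old.txt"
printf 'VimCrypt~03!constructed' > "$demo_dir/new.txt"
printf 'site user hunter2\n'     > "$demo_dir/plain.txt"
vimcrypt_audit "$demo_dir"/*.txt || true
rm -rf "$demo_dir"
```

A file reported as weak can be re-encrypted by opening it in Vim, running `:setlocal cryptmethod=blowfish2` and writing it again.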
Re: (Score:2)
/. ate the <filename> after the -x
Re: (Score:2)
Oops. Boy this site really knows how to annoy its userbase. No, it does not discriminate -- but /. maybe wrote the playbook for How to alienate your one and only casual user
They're not the first (Score:3)
Re: (Score:2)
> Bitwarden and 1Password are end-to-end encrypted.
And Bitwarden is open source so you can compile it.
Passwords do not belong in the cloud (Score:5, Informative)
Most things do not belong in the cloud, not just passwords.
I've had that for a couple years (Score:2)
A password manager, with the file stored locally. It doesn't get more end-to-end than that.
Re: (Score:2)
the-end
The original Password Safe (Score:2)
I've been using Password Safe for like 20 years now, since it was first created by Bruce Schneier.
https://pwsafe.org/
No automatic sharing features, but it is easy enough to sync the database to your choice of cloud storage manually. Runs on my PC and my phone, and the encryption algorithms are well vetted. Highly recommend.
Would you buy cloud-enabled door locks? (Score:2)
Would you buy cloud-enabled electronic door locks, the kind that you can remotely open through your phone app?
If not, why would you store your password in the cloud?
Re: Would you buy cloud-enabled door locks? (Score:2)
Cuz my credit card company and bank are pretty good about denying suspicious charges, but there's no undo button if some dude walks into your house and takes your shit.
Not "end to end" if your device shows you (Score:2)
plaintext.
By the same token, you can send around unencrypted cyphertext over any old network if you don't mind pencil-and-papering with a physical otp before and after like they did in the good old days.
what happens to password manager gets old (Score:2)
Great but... (Score:1)