Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

Proton Launches an End-to-End Encrypted Password Manager (theverge.com) 30

Proton, the company behind Proton Mail, has announced the launch of a new password manager: Proton Pass. While the service will eventually become free for everyone to use, it's currently only available as a beta to Proton's Lifetime and Visionary users for now. From a report: As is the case with Proton's other products, Proton Pass uses end-to-end encryption (E2EE) that's supposed to keep your personal information away from prying eyes, including third parties and Proton itself. In addition to letting you store your usernames, passwords, and notes, you can also add any randomly generated email aliases that you can use as a replacement for your real address. Proton's new password manager not only applies E2EE to your passwords but also the usernames, web addresses, and all the other fields associated with your login information. In a blog post explaining the service's security model, Proton notes that "all cryptographic operations, including key generation and data encryption," happen locally on your device, which Protons says it can't decrypt, even if a third party requests it.
This discussion has been archived. No new comments can be posted.

Proton Launches an End-to-End Encrypted Password Manager

Comments Filter:
  • lastpass (Score:4, Interesting)

    by jmccue ( 834797 ) on Thursday April 20, 2023 @02:22PM (#63465442) Homepage

    Hopefully they studied this in detail:

    https://www.wired.com/story/lastpass-engineer-breach-security-roundup/

    Me, I will not touch these things with a 10 foot pole. I rolled my own using emacs and encryption on a Text File.

    • Re:lastpass (Score:5, Insightful)

      by ljw1004 ( 764174 ) on Thursday April 20, 2023 @04:39PM (#63465714)

      Me, I will not touch these things with a 10 foot pole. I rolled my own using emacs and encryption on a Text File.

      If there's something I *NEVER* want to roll my own, it's encryption+security. I know just enough about it to know how little I know, and how there are attack vectors I'd never even dream of.

      • by gtwrek ( 208688 )

        I share jmccue's solution as well. It's not really rolling your own encryption+security - one uses vetted security software (i.e. gpg/vi for me) in security conscious ways Is it perfect? Nope. But in my mind, better than "all your eggs in one basket" these normal password cloud services offer. In my opinion those products are a much easier target for social engineering type vectors. The actual "encryption+security" tools is hardly ever the nominal attack vector.

        For my nearly 80 year old mom - I tell h

      • by gweihir ( 88907 )

        That is very likely not self-made encryption. It probably is a GnuPG binding in an Emacs script. Still expert-only, but something an expert can definitely do by themselves. The thing you should never do yourself is encryption _algorithms_.

      • Never rolling your own encryption is more of a guideline than an absolute rule. Sometimes, you should roll your own IF the alternative is obviously bad. So:
        • - You would have been better off to "roll your own" initialization than using the backdoored initialization that NIST/NSA provided as default for eliptical encryption. We can't trust the NSA to not abuse their snooping power. We can't trust US intelligence to keep a secret. If you rolled your own initialization, then future attackers have to do a lot m
    • Did you really have to phrase it like a challenge to vi fanatics

      I use emacs and a text file

      • by jmccue ( 834797 )

        Funny, wish I could mod you up.

        People should mod this funny, but I guess Slashdot is humor impaired now too.

      • by unrtst ( 777550 )

        vim -x
        That'll encrypt the file contents. The quality of that encryption will vary depending on your vim version.

        • by unrtst ( 777550 )

          /. ate the <filename> after the -x

          • Oops. Boy this site really knows how to annoy its userbase. No, it does not discriminate -- but /. maybe wrote the playbook for How to alienate your one and only casual user

  • by plazman30 ( 531348 ) on Thursday April 20, 2023 @02:32PM (#63465466) Homepage
    Bitwarden and 1Password are end-to-end encrypted.
  • by rtkluttz ( 244325 ) on Thursday April 20, 2023 @03:50PM (#63465638) Homepage

    Most things do not belong in the cloud, not just passwords.

  • A password manager, with the file stored locally. It doesn't get more end-to-end than that.

  • I've been using Password Safe for like 20 years now, since it was first created by Bruce Schneier.

    https://pwsafe.org/ [pwsafe.org]

    No automatic sharing features, but it is easy enough to sync the database to your choice of cloud storage manually. Runs on my PC and my phone, and the encryption algorithms are well vetted. Highly recommend.

  • Would you buy cloud-enabled electronic door locks, the kind that you can remotely open through your phone app?

    If not, why would you store your password in the cloud?

  • plaintext.

    By the same token, you can send around unencrypted cyphertext over any old network if you don't mind pencil-and-papering with a physical otp before and after like they did in the good old days.

  • what happens when an encrypted password manager gets old/outdated, company goes out of business or is no longer supported ?
  • Great, but you HAVE to get the user experience right. Proton is a trusted company IMO so i'm not really worried about the security, but if the features like autofill, a browser extension or the mobile app don't work well on all platforms, it will be a disaster. I have thousands of passwords that I need on multiple platforms, if i'm going to switch it better be reliable.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...