Last updated on April 25th, 2023 at 09:21 pm
Last week, Proton AG, the company behind Proton Mail, announced their new password manager, Proton Pass, had entered beta. Given Proton’s established reputation in the privacy space, this was exciting news.
Proton’s announcement, however, made a few controversial claims that upset some members of the password manager community. Following on from a Twitter thread by KeePassXC, let’s fact check some of these claims.
Claim #1: “[W]hile many other password managers only encrypt the password field, Proton Pass uses end-to-end encryption on all fields (including the username, web address, and more)”
What this means is that Proton Pass encrypts not just the username and password but also, for example, the URL of the saved login. This matters because, as Proton points out, if an attacker can see the URLs of all your accounts because they are not encrypted, they have gained a lot of information about you.
The problem, however, is that many other password managers already encrypt all fields of the entries in their vaults. It’s true that the hacked password manager LastPass did not, but I checked and 1Password, Dashlane, Bitwarden, Keeper and NordPass, for example, all do.
Verdict: Proton’s claim is misleading. While Proton’s password manager encrypts all fields, a quick check revealed at least five other well-known password managers do the same.
Claim #2: “Proton Pass is also one of the first password managers to include a fully integrated two-factor authenticator (2FA) and supports 2FA autofill.”
As KeePassXC pointed out on Twitter, other password managers have built-in authenticators that support autofill. KeePassXC itself has reportedly offered one since 2017. 1Password and Keeper also have built-in authenticators with 2FA autofill and Bitwarden offers a built-in authenticator that automatically copies the 2FA codes to your clipboard.
Verdict: Proton’s claim is again misleading. At least four other well-known password managers already offer built-in authenticators that either allow you to autofill the 2FA code or copy it to your clipboard.
Claim #3: “Proton Pass uses a strong bcrypt password hashing implementation (weak PBKDF2 implementations have made other password managers vulnerable)”
This claim gets into technical details about how Proton Pass and other password managers operate. Fortunately, however, we don’t need to know all the details to evaluate Proton’s claim. It’s enough to know that PBKDF2 has weaknesses, but that many password managers are switching to a more secure option called Argon2 instead.
Bitwarden added support for Argon2 earlier this year, for example. Dashlane, NordPass and KeePassXC also use Argon2. 1Password and LastPass, however, still use PBKDF2.
KeePassXC called Proton out on this point, noting that “Most modern PW managers use either Argon2 or bcrypt.”
Verdict: Proton’s claim is somewhat misleading. There are weaknesses with PBKDF2, which some password managers still use, but others are moving to more secure options.
Given Proton’s reputation, we can reasonably expect great things from their new password manager. Their communication strategy, however, could use some work.