Same for me. I use protonmail and used protonvpn for a while, but putting all my eggs in the same basket... I will keep using other providers for my other stuff.
Yeah I'm quite tempted to get on board with Proton as they could replace Tutanota, Bitwarden, Nord VPN and One Drive/Google Drive for me. Seems convenient and privacy focused but obviously all my eggs in one basket seems like something I might come to regret.
Same here. I'm fine using Proton for my mail & drive, but I also like keeping my passwords separate in bitwarden, and my 2fa separate in my raivo. A healthy separation is good.
Didnt read anything about a security key or even a keyfile (poor mans security key w/o phishing protection). Im assuming its protected by totp which is fine but I do kinda prefer a security key
I’m all for open source alternatives to bitwarden but this is non competitive with a mandatory subscription fee. Bitwarden is completely free for most users.
I thought the same thing but it actually does have a limited free plan. Seems like, similar to BW, it restricts 2FA behind the pass, but also with the pass you get unlimited hide-my-email aliases, multiple vaults to organize in (I don’t know what this means), and eventually autofill credit cards.
Proton is starting to loose focus in my opinion. I’ve been a costumer for 5 years only using email and I moved this year to fastmail and I couldn’t be happier. Unlimited emails alias, good apps, ability to use thunderbird without a self hosted bridge.
The promise of a encrypted email does not work if your contacts are not on proton too (for me was 100% of my contacts).
If you are really focused on privacy you would choose nextcloud for cloud for example and keypass or Bitwarden for password managers.
I would like them to focus on email client features and stop this side hustles.
I advice anyone against switching for now, especially if you’re using KeePass or Bitwarden. Proton Pass has just been released, meaning it is not audited and it’s immature. I would not trust it with my passwords just yet.
@protonmail Proton claims to be a privacy oriented company and yet their email app doesn't show push notifications without Google Play Services means you will either have to use Google Play Services or live without push notifications (if you are using a degoogled phone). If Tutanota app could show push notifications without Google Play Services, it is definitely possible. What a joke!!
@SoulKeeper While we rely on Google Play Store services for push notifications, they are end-to-end encrypted. To stay private when using Proton Mail on an Android phone, we recommend trying some of these tips: https://proton.me/blog/android-privacy .
We are also working on a complete rewrite of our Android app, which will allow for the improved functionalities and features to be added.
I don't think using the same credentials for an email service and a password manager is a good idea, regardless of how much I like Proton and what they stand for.
I think 2fa-in-your-password-manager is slightly better than not using it, since it requires that the attacker have access to your password vault, so it still protects against cases where just your password leaked somehow, but yeah, definitely not as good as full 2fa.
But to add to that as well: If the site has stored your password insecurely, they will probably have lost your 2FA secret too. Which even has to be stored in 'plain text' in contrast to your password.
As per the video they released https://youtu.be/M8doASpFbuk it allows you to immediately enter the 2FA account.. oh man. as @noodlejetski said, this very much negates the whole point of 2FA.
I really like protonmail and have been a paying user for years now. But nothing beyond calendar and mail has really made a lot of sense to me so far. I'll stick to my Keepass container, syncing that across my devices. It's easy to manage and I don't need to trust anyone else with that data ever in no way, shape or form.
Not fully accurate. The 2FA still prevents issues such as credential stuffing or bruteforcing, which might not depend on you. Of course, these risks are very limited if you use random unique passwords (as it makes sence since you are using a password manager).
Also 2FA is anyway there for the password manager, and if you have a session on, chances are the same applies for the target app (for example, your email). So it's not completely useless.
This said, I agree with the general principle. I personally use yubikeys where I can, including to store the TOTP codes (I never liked the phone to be 2FA device that much...)
Add comment