I have no experience with bitwarden, but I already have a paid mail with proton and that makes this password manager free, and I kinda lost faith in my previous manager LastPass after last year.
So far, at the least the interface of proton pass is miles ahead of lastpass.
If they’re going to try to compete with Bitwarden they could at least offer 2FA for free instead of paywalling it as a feature. It was disappointing when Bitwarden did it, and it’s even more disappointing with Proton - it’s like failing an open book test.
It’s mainly a difference in threat model. 2FA within a password manager is still 2FA for concerns of a website login being hacked by remote adversaries, which is the most important problem to solve.
If you use 2FA within your password manager, you should still lock that outer-most password vault with 2FA from a separate device (like you said), which solves your password vault being hacked by remote adversaries. Optionally, you can then use aggressive idle-locking of your vault on your personal devices, in case they’re stolen physically.
Great that it has an email alias feature built in. But I use 1Password and to me it's been so great that it'd be really hard to convince me switching to something else.
Bitwarden supports AnonAddy, DuckDuckGo, Fastmail, Firefox Relay, and SimpleLogin. I use it with my paid SimpleLogin account using the SimpleLogin default email domain (configurable in your settings - can be a SL-owned domain or your own).
I’m guessing ProtonPass just uses SimpleLogin on the backend since SimpleLogin is owned by Proton. I don’t think there’s really much difference unless you count 1-party being an advantage instead of 2-party.
Edit: Oh, there is a difference in cost - not sure if this is what you meant. Bitwarden+SL will cost more (assuming introductory $1/month pricing on ProtonPass)
IIRC it’s missing a number of features that ProtonVPN Windows has. I last checked into it a year or so ago and the attitude was that it was a very shoddy application missing most features. I found this github issue expressing this sentiment but I don’t see much in terms of specifics.
I don’t have a paid ProtonVPN but I just downloaded the VPN on a free account and it only has 3 options on it:
Secure Core on/off (only select servers in privacy-friendly countries)
Netshield (DNS adblocking etc)
Killswitch
I use Mullvad so I opened that up alongside and will list out the features it has on its Linux client in comparison:
The main ones for me are split tunneling and Wireguard. Using a VPN that doesn’t support these is a non-starter for me, unfortunately. If any of this is different when you have a paid ProtonVPN account let me know - I don’t have very much experience with it.
TBH, if protonVPN under linux was any good I would probably have Proton Unlimited. I can’t justify paying for Mullvad and Proton Unlimited, so I DIY my own collection of services to match functionality for about the same price.
I just had a look and as far as I can tell ProtonVPN supports everything Mullvad does. On Windows…
On Linux you get fuckall settings. No split tunneling, no DNS, no WireGuard, no nothing. There seems to be no parity between Linux and Windows. That is less than poorly supported, it’s atrocious tbh.
On Windows you even get a fancy map with triangles that shows server locations that can be used to quick connect.
And this is with an Unlimited account so I don’t believe it’s an account level limit.
Edit: I just looked and, to be fair, they do state in the plan features that split tunneling is only available on Android and Windows.
I think 2fa-in-your-password-manager is slightly better than not using it, since it requires that the attacker have access to your password vault, so it still protects against cases where just your password leaked somehow, but yeah, definitely not as good as full 2fa.
But to add to that as well: If the site has stored your password insecurely, they will probably have lost your 2FA secret too. Which even has to be stored in 'plain text' in contrast to your password.
As per the video they released https://youtu.be/M8doASpFbuk it allows you to immediately enter the 2FA account... oh man. As @noodlejetski said, this very much negates the whole point of 2FA.
I really like protonmail and have been a paying user for years now. But nothing beyond calendar and mail has really made a lot of sense to me so far. I'll stick to my Keepass container, syncing that across my devices. It's easy to manage and I don't ever need to trust anyone else with that data, in any way, shape or form.
Not fully accurate. The 2FA still prevents issues such as credential stuffing or bruteforcing, which might not depend on you. Of course, these risks are very limited if you use random unique passwords (as makes sense since you are using a password manager).
Also 2FA is anyway there for the password manager, and if you have a session on, chances are the same applies for the target app (for example, your email). So it's not completely useless.
This said, I agree with the general principle. I personally use YubiKeys where I can, including to store the TOTP codes (I never liked the phone being the 2FA device that much...)
I don't think using the same credentials for an email service and a password manager is a good idea, regardless of how much I like Proton and what they stand for.
Same for me. I use protonmail and used protonvpn for a while, but putting all my eggs in the same basket... I will keep using other providers for my other stuff.
Yeah I'm quite tempted to get on board with Proton as they could replace Tutanota, Bitwarden, Nord VPN and One Drive/Google Drive for me. Seems convenient and privacy focused but obviously all my eggs in one basket seems like something I might come to regret.
Same here. I'm fine using Proton for my mail & drive, but I also like keeping my passwords separate in bitwarden, and my 2fa separate in my raivo. A healthy separation is good.