Proton, the company behind Proton Mail, has announced the launch of a new password manager: Proton Pass. While the service will eventually become free for everyone to use, it’s currently only available as a beta to Proton’s Lifetime and Visionary users.
As is the case with Proton’s other products, Proton Pass uses end-to-end encryption (E2EE) that’s supposed to keep your personal information away from prying eyes, including third parties and Proton itself. In addition to letting you store your usernames, passwords, and notes, you can also add any randomly generated email aliases that you can use as a replacement for your real address.
The password manager won’t have support for passkeys at launch, however. Proton spokesperson Will Moore tells The Verge that while it’s part of the company’s “long term roadmap,” it believes “passwords are not going away anytime soon as passkey adoption will not happen overnight.”
Proton’s new password manager not only applies E2EE to your passwords but also the usernames, web addresses, and all the other fields associated with your login information. In a blog post explaining the service’s security model, Proton notes that “all cryptographic operations, including key generation and data encryption,” happen locally on your device, which Proton says it can’t decrypt, even if a third party requests it.
This kind of “zero knowledge” security model is the same type of feature touted by other popular password managers, including 1Password and LastPass, the latter of which became the victim of a major data breach last year. After hackers stole LastPass’s source code and encrypted password vaults, security experts criticized the company’s response, with researcher Jeremi Gosney stating, “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie” and that it has “about as much knowledge as a password manager can possibly get away with.”
“Protecting your passwords properly requires a high level of competence with encryption and security, which few organizations have,” Proton founder Andy Yen writes in a blog post. “We’ve always been worried about the risk posed by a major password manager breach, which unfortunately became a reality with the recent hack of LastPass.”
The company’s new password manager comes a little over a year after Proton acquired SimpleLogin, a tool that lets users send anonymous emails. Yen says this acquisition increased the company’s “ability to develop a new password manager without impacting efforts on other Proton services” and that it should help mitigate the risks associated with using an insecure password manager with Proton’s range of products.
Proton plans on making its password manager open source once it’s released to the public and is also offering up to $10,000 in rewards for security researchers who can find vulnerabilities within Proton Pass and its other products. The password manager is currently available on desktop, Android, iOS, and as a browser extension for Brave and Google Chrome, with an extension for Firefox coming soon.
Update April 21st, 9:13AM ET: Updated to add a statement from a Proton spokesperson about passkeys.