Proton Pass Review | PCMag

Proton Pass is a password manager from Proton, a company with a stellar reputation as a provider of VPN and email services. The free version of the password manager syncs unlimited passwords across all platforms, which is great, but the premium version doesn’t offer many helpful extras beyond an email alias feature. For a fuller-featured free password manager, we recommend Bitwarden, our Editors’ Choice winner. Our top paid app remains Dashlane, which is packed with additional features, including a VPN.

How Much Does Proton Pass Cost?

Proton Pass offers a free service tier, which includes unlimited password storage across unlimited devices and vault sharing for up to three users. You can also create and store up to 10 email aliases (more on those later) in the vault.

Proton Pass Plus costs $23.88. For that, you get all of the free tier’s perks as well as an unlimited number of email aliases, the ability to generate multifactor authentication (MFA) codes via the mobile apps, multiple vault access, vault sharing for up to 10 users, and the option to enroll in the Proton Sentinel program (a login monitoring service).


This price puts Proton Pass in the middle range of password manager paid plans, though with a feature list that is short for a premium-tier subscription. Bitwarden’s premium plan is $10 and includes an emergency access option. On the higher end, LogMeOnce’s most expensive personal password management tier is $39 annually and includes account activity reports, a diverse set of multi-factor authentication (MFA) options, and password inheritance options. Dashlane offers a more expensive premium plan at $59.88 per year, including remote device access management, a VPN, dark web monitoring, and advanced credential-sharing options.

Surprisingly, Proton doesn’t package its popular and well-reviewed Proton VPN service with its premium password management plan. Proton Unlimited, which bundles the company’s calendar, email, file storage, and VPN services with the password manager, is $155.88 annually, without promotional discounts.

Getting Started With Proton Pass

Proton Pass has browser extensions for Brave, Chrome, Edge, and Firefox users, a web-based vault, and Android and iOS apps. If you already have a Proton account, you can go to your account page to add a Proton Pass subscription to your account. If you are new to the Proton ecosystem, sign up for a Proton account with your email address, create a strong and unique password, download the appropriate app and browser extension, and store your credentials.

Like many other password managers, Proton Pass offers a video tutorial for new users. For more hand-holding, you might also consider 1Password, which offers multiple comprehensive video tutorials to introduce new users to password management.

Proton Pass Authentication Options

Once you have signed into your vault, we advise you to set up multi-factor authentication. Proton Pass allows you to authenticate via an authenticator app or a hardware security key. Other password managers allow you to designate a form of authentication within the app.

Security features included in a Proton Pass Plus subscription are auto-locking for your account and the option to enroll in the Proton Sentinel program mentioned above.

Proton Pass' auto-lock option

(Credit: Proton/PCMag)

Auto-locking your account allows you to choose to lock access to your vault after a predetermined period and unlock access using a six-digit PIN code. In testing, the feature worked as advertised.

Proton’s website describes the Sentinel feature as follows: “It mitigates security threats by combining AI with human analysis.” Sentinel monitors your account for suspicious login activity and alerts enrolled users if something appears to be amiss. It’s a helpful feature for people who may be high-security targets (government officials and journalists are a couple of examples), though it’s probably not necessary for most users.

Other password managers, such as Dashlane, LogMeOnce, and NordPass, include dark web monitoring, password hygiene reports, or VPN access as premium features. In the future, we hope to see more additional security features for Proton Pass subscribers.

Data Privacy and Security With Proton Pass

Before we review and test a password manager, we send questions to the password management company inquiring about its privacy and security practices. We want you to have plenty of information about the companies handling your data. We’ve included relevant information from Proton Pass’ responses to our questions below.

Has your company ever had a security breach?

Proton has never experienced a security breach. The robust security model of Proton Pass, along with all other Proton services, is designed to offer multiple layers of protection. This includes Transport Layer Security (TLS), Secure Remote Password (SRP) protocol, and end-to-end encryption (E2EE), among others. The core of Proton Pass’ security architecture lies in its end-to-end encryption model, which encrypts not only passwords but all fields, including usernames, web addresses, and notes. This encryption is performed locally on the user’s device, ensuring that Proton servers never have access to unencrypted keys, data, or credentials.

What unencrypted information does the password manager store in user vaults?

Proton Pass ensures that no unencrypted information is stored in user vaults. All data within a Proton Pass vault is end-to-end encrypted.

What is the company’s policy regarding master passwords?

Users are required to create a strong account password when setting up their Proton Pass account. The account password plays a central role in the encryption process. Proton Pass encrypts the user key with a bcrypt hash of the account password and the account salt. This process occurs locally on the user’s device, ensuring that the account password is never transmitted to Proton servers in an unencrypted form.

Proton does not have access to, nor does it store, users’ account passwords. The use of the Secure Remote Password (SRP) protocol in Proton Pass provides additional security against man-in-the-middle attacks. This protocol ensures that password-equivalent information is never exposed, even in the event of Proton being compromised.

Proton’s policy for account recovery, in case of a forgotten password, includes several methods. Users can choose to set a recovery email, phone number, or a 12-word recovery phrase. The recovery phrase can also be used to decrypt emails and other encrypted data. Additionally, users have the option to download a recovery file, which can restore emails and data after resetting the password. It’s important to set both an account recovery method and a data recovery method to avoid losing access to the account and encrypted data.

What is the company’s policy regarding user data collection and data sales?

Proton’s policy regarding user data collection and data sales emphasizes privacy and minimal data retention. Here are the key aspects of the policy:

  • Minimal personal information collection

  • No permanent IP logging

  • Proton relies on third-party services to process payments and does not retain full credit card details. Anonymous payments, such as through cash or Bitcoin, are accepted.

  • No data sharing or selling: Proton does not sell user data to third parties.

  • Proton is mindful of regulations like the EU’s General Data Protection Regulation (GDPR) and ensures its privacy policy is transparent and legally compliant, detailing any organizations with whom user data is shared.

How does your company protect user data?

The best way to protect user data is to never have it in the first place. That’s why we protect users’ emails, passwords, files, calendar entries, and other personal information with end-to-end encryption and zero-access encryption. We don’t have access to this information, so we couldn’t monetize this data, even if we wanted to, and if Proton were ever to be subject to a successful hack, this information would be unavailable to the attacker.

How does your company respond to requests for user information from governments and law enforcement?

As a Swiss company, the law prevents us from directly complying with requests coming from foreign authorities. Those are systematically rejected based on Swiss law, but those foreign authorities are generally redirected to adequate international legal assistance channels. When a request is duly instructed by the competent Swiss authority, and there is no element that would suggest the subpoenaed account is legitimate or that the request could be linked to a politically motivated prosecution, Proton complies according to its obligation under the law. We do keep a transparency report about all the requests received and complied with on a yearly basis.

Proton’s answers to PCMag’s questions match the messaging in the company’s privacy policy. During testing, we confirmed that the password manager doesn’t store much user data by default, so the thorough answers above are unsurprising but appreciated. PCMag encourages anyone in the market for a new password manager to browse privacy policies to learn more about how companies collect, sell, or store user data. Decide how comfortable you are with data collection and act accordingly.

Hands On With Proton Pass

We tested Proton Pass’ functionality using the web vault, the iOS app, and the browser extension for Google Chrome.

Importing Passwords

Proton Pass importing options

(Credit: Proton/PCMag)

Proton Pass can import from the following competing password managers and browsers: 1Password, Bitwarden, Brave, Chrome, Dashlane, Edge, Enpass, Firefox, KeePass, Keeper, LastPass, NordPass, RoboForm, and Safari. It’s a longer list than some competitors offer, but it’s well short of Bitwarden’s ability to import from over 50 competing password managers.

We had no trouble importing a password list stored in the Chrome browser, but ran into complications while attempting to import our test credential lists from competing password managers. Proton Pass didn’t allow us to upload our CSV test file or the Dashlane credential list we use to test password managers.

Since uploading the test list didn’t work, we entered our credentials manually. Copying and pasting credentials into the Proton Pass vault is time-consuming, so we opted to test the password manager’s capture and replay capabilities while filling in our test credentials around the web.

Credential Capture and Replay

We were also able to create and store new passwords for accounts. Proton Pass filled in the email address in the appropriate field and generated a password with a single click.


Filling multi-page sign-in screens requires interacting with the second page, while other password managers typically fill in the credentials automatically. According to an email from Proton, “Automatic autofill without user interaction is less secure because malicious scripts can deceive the password manager into unknowingly revealing user credentials. This can occur, for example, by embedding an invisible form on the login page.”
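The concern Proton describes above, an invisible or foreign-origin form coaxing a fill, is something an extension can gate against before filling without a user gesture. The following is an added example, not Proton Pass code; it works on a plain description of the field (style, bounding rect, viewport, form action) instead of a live DOM, and those property names and the size threshold are assumptions.

```javascript
// Added example (not Proton Pass code): decide whether a login field is
// safe to fill without a user gesture. Runs on a plain field description
// so it works outside a browser; property names are assumptions.

const MIN_VISIBLE_PX = 8; // assumed threshold: smaller boxes count as concealed

function originOf(url) {
  return new URL(url).origin;
}

// Returns { fill, reason } for one candidate field on the page at pageUrl,
// given the URL the stored credential was saved for.
function autofillDecision(field, pageUrl, credentialUrl) {
  const { style, rect, viewport, formAction } = field;
  const pageOrigin = originOf(pageUrl);

  // 1. The credential must belong to this origin (no cross-site leakage).
  if (originOf(credentialUrl) !== pageOrigin) {
    return { fill: false, reason: 'credential origin does not match page origin' };
  }
  // 2. The form must submit to the page's own origin; a form that posts
  //    elsewhere is how an injected script would exfiltrate a fill.
  if (formAction && new URL(formAction, pageUrl).origin !== pageOrigin) {
    return { fill: false, reason: 'form posts to a foreign origin' };
  }
  // 3. The field must actually be visible to the user.
  if (style.display === 'none' || style.visibility === 'hidden') {
    return { fill: false, reason: 'field is not rendered' };
  }
  if (Number(style.opacity) === 0) {
    return { fill: false, reason: 'field is fully transparent' };
  }
  if (rect.width < MIN_VISIBLE_PX || rect.height < MIN_VISIBLE_PX) {
    return { fill: false, reason: 'field is too small to be seen' };
  }
  const offscreen = rect.x + rect.width <= 0 || rect.y + rect.height <= 0 ||
    rect.x >= viewport.width || rect.y >= viewport.height;
  if (offscreen) {
    return { fill: false, reason: 'field is positioned off-screen' };
  }
  return { fill: true, reason: 'field is visible and same-origin' };
}

// Constructed sample: a normal login box and an injected off-screen copy.
const PAGE = 'https://example.com/login';
const visibleField = {
  style: { display: 'block', visibility: 'visible', opacity: '1' },
  rect: { x: 120, y: 200, width: 240, height: 32 },
  viewport: { width: 1280, height: 800 },
  formAction: '/session',
};
const hiddenField = { ...visibleField, rect: { x: -5000, y: 0, width: 240, height: 32 } };
```

When the decision is `fill: false`, the sensible fallback is exactly what the review observed: wait for an explicit click on the field before filling.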

Creating a new credential

(Credit: Proton Pass/PCMag)

Password Generator

We didn’t have problems generating new passwords during the credential creation process. With Proton Pass, you can either generate a random password that is up to 64 characters long or a memorizable passphrase. We like that Proton Pass also includes a password history list so you can see your past credentials.

Password Sharing

Proton Pass allows you to share vault items with others and determine whether they can view, edit, or become administrators for the entire vault. If you’re an existing Proton Pass user, we suggest creating a separate vault just for sharing individual credentials with other people. Other password managers we’ve reviewed, including 1Password and Dashlane, allow users to share specific credentials without needing to create a separate vault.

Missing Password Management Features

Proton Pass lacks file-storage options in its free and paid password management plans, and the amount of data you can store in your vault for filling in web forms is limited to your name and credit card details. Apart from that, you can only store text-based notes in the Proton Pass vault. Other password managers allow you to store mailing addresses, driver’s license information, passport information, and more in a dedicated section related to your identity.

Also missing from the password manager are options for granting loved ones or trusted associates emergency access to your passwords in the event of your demise. Keeper and LogMeOnce both offer well-thought-out password inheritance systems that allow subscribers to determine who gets access to their passwords and for how long.

Proton Pass Mobile App Experience

To test the iOS version of the Proton Pass app, we used an iPhone 14 Pro running iOS 17.2.1. Proton Pass also offers an app for Android devices. The iOS app is attractive and functioned well in testing. The purple-on-purple user interface is basic but trendy, and there are no app-specific features beyond using Apple’s FaceID technology to unlock the app and MFA code generator access.

Proton Pass on an iOS device

(Credit: Proton/PCMag)

We were able to download, install, and log into the app without any issues. In testing, Proton Pass for iOS didn’t have trouble capturing, creating, and filling passwords.

Proton's email address generation in action

(Credit: Proton/PCMag)

We tested the Proton Alias feature on mobile—with some quirks. Like other temporary email alias providers, Proton allows you to create a new email address that you can use to sign up for products and services. It’s handy when you don’t want to enter your email address in a form and risk receiving junk emails for the rest of your life (note that Apple users get a similar free email forwarding function with iCloud Mail). Free users can create and store ten of these aliases, and there’s no limit for Plus subscribers.

It’s a good idea to include this service with a password manager, but Proton’s execution is a bit awkward. For example, we created the fake email address “[email protected]” in the hopes that we could use the fake email in place of our real email address for a few websites. When creating new logins, we had to manually cut and paste the fake email address into the web form because it didn’t appear as an email option when creating new credentials. It’s a bit clunky.

Should You Use Proton Pass?

We like that Proton Pass offers unlimited password storage in its free tier. We also like its email alias creation feature, though its execution could be smoother. Ultimately, we were able to use Proton Pass to complete the core tasks expected of a password manager, though we hope to see more premium features added to the service in the future. For paid password management, we still recommend Editors’ Choice winner Dashlane for its ease of use and helpful premium features. For free password management, we recommend Bitwarden, which offers more security extras.
