Verdict
Proton Pass is Proton Technologies’ new password manager, which is secure and covers the basics, with a very strong free tier and cheap subscriptions, but it has yet to roll out a full range of advanced features.
Pros
- Unlimited free tier
- Inexpensive paid tiers
- Easy to use
- TOTP password generation for paying users
Cons
- Only accessible via mobile apps and browser plugins
- Some key features have yet to be released
- Security: bcrypt and 256-bit AES-GCM
- Stand-alone clients: Android, iOS, Apple Silicon Macs
- Browser extensions: Chrome, Firefox, Edge, Brave, Safari
Introduction
Proton Technologies is well known for its secure email and Proton VPN services.
The firm’s been branching out into secure calendar and storage, which have now been joined by Proton Pass, a new contender in the world of online password management.
Launched in June 2023, it is very new indeed. I like, use and recommend a number of Proton’s services. Let’s see if Proton Pass is ready to join our catalogue of the very best password managers this early in its development.
Pricing
The Proton Pass basic tier, like those of the company’s other services, is free. For that, you can store and sync an unlimited number of passwords to an unlimited number of devices.
Plus, you get 10 free email aliases provided by Proton-owned online anonymity firm SimpleLogin. Using a different alias for different online services makes it harder for credential-stuffing attacks to be used against you if a service you signed up for is breached, and also makes it more obvious when a service provider sells your personal details to marketers.
Right now, you can get a standalone Proton Pass Plus subscription for €12/$12 (about £10) a year, and Proton will guarantee you that price for the lifetime of your subscription. If the company has any sense, it’ll actually keep that subscription fee for everyone, making it competitive with Bitwarden’s very economical paid tiers.
You can also subscribe for $4.99/€4.99 (about £4) per month, but that really makes no sense for a password manager, even if the annual fee weren’t so competitive. Existing Proton Unlimited subscribers, who pay around £100 a year for bundled access to all of Proton’s services, will find Proton Pass already included in their subscription.
Paying users get a number of extra features, notably an unlimited number of email aliases, an integrated 2FA authenticator and 20 different password vaults.
Features
- Easy to use, and clearly designed
- Only accessible via browser plugins and mobile apps
- Currently lacks web vault, password history, and password sharing
Proton Pass allows you to automatically generate, save and enter passwords, especially on the web. It does this very well, offering Proton Technologies’ customary attention to detail when it comes to security.
Password databases are zero-knowledge, and their encrypted data is stored exclusively on Proton’s own servers in Switzerland and Germany. Proton Pass uses a user key to encrypt everything, created using a bcrypt hash of your master password along with an account salt. This is then used to encrypt a 32-byte vault key. Each item you generate also gets a random key, which is then encrypted – along with the item data – using 256-bit AES-GCM.
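The layered keys described above, as an added Node.js example that is not Proton's code. It assumes the item key is wrapped by the vault key and the item data is encrypted under the item key; scrypt from Node's standard library stands in for bcrypt, and the function names, context labels and blob layout are hypothetical.

```javascript
// Added illustration of a user key -> vault key -> item key hierarchy (not Proton's code).
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt; returns nonce(12) || tag(16) || ciphertext. `label` is bound as AAD.
function seal(key, plaintext, label) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(label));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// AES-256-GCM decrypt; final() throws if the key, label or any byte of the blob is wrong.
function unseal(key, blob, label) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(label));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Stand-in KDF: scrypt replaces the bcrypt step named in the review (assumption).
function deriveUserKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32);
}

// A random 32-byte vault key is stored only in wrapped (encrypted) form.
function createVault(userKey) {
  const vaultKey = nodeCrypto.randomBytes(32);
  return { wrappedVaultKey: seal(userKey, vaultKey, 'vault-key') };
}

// Each item gets its own random key; the server would hold only the two sealed blobs.
function addItem(vault, userKey, itemData) {
  const vaultKey = unseal(userKey, vault.wrappedVaultKey, 'vault-key');
  const itemKey = nodeCrypto.randomBytes(32);
  return {
    wrappedItemKey: seal(vaultKey, itemKey, 'item-key'),
    content: seal(itemKey, Buffer.from(JSON.stringify(itemData)), 'item-content'),
  };
}

// Reading an item walks the chain: user key -> vault key -> item key -> plaintext.
function readItem(vault, userKey, item) {
  const vaultKey = unseal(userKey, vault.wrappedVaultKey, 'vault-key');
  const itemKey = unseal(vaultKey, item.wrappedItemKey, 'item-key');
  return JSON.parse(unseal(itemKey, item.content, 'item-content').toString());
}
```

Because only the wrapped vault key depends on the user key, changing the master password means re-wrapping one 32-byte key rather than re-encrypting every item.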
There are also forms for storing encrypted notes and payment cards, and for creating and saving extra email aliases and passwords. This is less fleshed out than the wide-ranging forms on offer from the likes of 1Password and Dashlane, and doesn’t include image or other file attachments, but covers the basics. Paying subscribers can also add TOTP key generators – at your own risk, as this means your second factor and password are now in the same place – and everyone can add custom fields and notes to entries as needed, whose contents can be hidden if you choose.
The password manager is currently accessible via browser plugins for Firefox and for Chromium-based browsers including Chrome, Brave and Edge. macOS users should be aware that Safari is not currently supported. There are also mobile apps for iOS and Android. You can directly download an Android APK from Proton, making it a good choice for those who use de-Googled Android forks. There are no desktop apps right now, although Mac users running Apple Silicon based PCs have the option of installing the iOS app. Proton says that a cross-platform desktop app is currently on the roadmap.
More unusually, there’s no web app either. While almost every other service-based password manager gives you the option of accessing your passwords from a web vault, this is still on Proton’s to-do list, expected to arrive later in 2023. Password sharing is also not currently a feature, but is due for release “in the coming months” and Proton has already detailed how shared vaults will be secured. Although Proton Pass can tell you when you’ve modified an entry, there’s currently no version history for passwords, which is mildly terrifying if you accidentally change a password in the app.
Your master password is handled a little differently to some other password management services. While, for example, NordPass and Norton’s password manager have separate passwords for your account and to unlock your passwords, Proton assumes that you’ve followed its guidance to set a strong master password on your Proton account itself, and doesn’t require a second login or unlock code for your passwords. Proton accounts all operate on a zero-knowledge basis, so you need to make sure you don’t lose or forget your password. Your multi-factor authentication (MFA) settings are also account-wide: you can use a mobile authenticator app or a U2F or FIDO2 security key such as a Yubikey for this.
This makes sense and is less irritating than rival services that require you to log in twice, but you really do need to take your Proton account password creation and hygiene seriously. By extension, this means that all your account recovery and 2FA options are tied to your Proton account, rather than just your password database. These include emergency account access and recovery via a designated email or phone number, or a passphrase or file that can be given to someone else. It’s less elegant than a designated emergency contact or dead man’s handle system, but can be effective if you’re well prepared.
Although you can’t set a dedicated passphrase, you can optionally set a lock code for Proton Pass. Once enabled, this allows you to manually lock the extensions and apps, and you’ll also be prompted to re-enter it when you close and re-open your browser or Proton Pass app. By default, your session is also locked after 15 minutes of inactivity, but you can set this to a range of other periods from 30 seconds to an hour. You can disable it entirely, but locking by default is a strong default behaviour that I recommend sticking with.
Mobile users can also use biometric data such as fingerprint scans to unlock their data, but this isn’t a high-security option. Your password vault is cached locally by both the mobile apps and browser extensions, but if you set a PIN, you won’t be able to open a logged-out browser extension unless you have an active internet connection. The mobile app gives you offline access to your passwords, even with a PIN enabled, however.
Proton has released source code for the mobile clients, but has yet to release full source code along the lines of Bitwarden and KeePass’s efforts.
Should you buy it?
If you’re already a Proton user: Proton Pass slots nicely into the Proton service ecosystem, and Proton Unlimited users get all the extra Proton Pass Plus features already included in their accounts.
If you’re looking for a mature, stable product: Proton Pass is promising, but it isn’t there yet. It’s safe and functional, but a lot of features that I’d normally take for granted, particularly a web vault, are missing.
Final Thoughts
Proton Pass isn’t about to steal Bitwarden’s crown as the best general-use password manager, or 1Password’s status for ultimate user-friendly security, or KeePass’s prize for customisability and personal control. But the introductory offers are great, and Proton’s roadmap of forthcoming features is exciting.
If I weren’t wedded to my KeePass databases, I’d definitely consider Proton Pass, but most users should probably go with something a little less bleeding-edge for the moment, unless Proton Pass already has all the features they actually need. Otherwise, check out our Best Password Manager guide for even more options.
How we test
We test each password manager ourselves on a variety of computer and mobile operating systems. We carry out comparative feature analysis against industry standards and rival products, and test security and convenience settings such as default logout behaviour and offline access.
Password managers are installed for at least a week
We make sure to test all available features.
FAQs
Yes, a free password manager from a reputable vendor typically has the same level of security as the paid-for versions. By subscribing, you just get access to a greater number of advanced features. Proton Technologies in particular is known for high-quality free services, subsidised by paying users.
Yes, but more features are still to come. All the service’s critical security is firmly in place, as well as its core password creation, saving and entry features, but an extended feature set is being rolled out in the coming months.