Proton Mail Creator Launched An Encrypted Password Manager It Calls The 'Proton Pass'

Proton Pass

The internet is a scary place, and bad actors are always on the move to spy on people and steal information.

Since the internet is a public space that anyone with a connection can enter from anywhere in the world, there is generally only one thing that differentiates a legitimate user of an online service from an impostor.

And that very thing is user credentials.

In most cases, anyone with the correct username and password combination of a registered user can log in as that registered user.

Because of this, people on the web should always create a strong password, and keep that password to themselves.

Proton, the company behind Proton Mail, is trying to help with that.

Proton Pass
The approach is to store all items within a secure vault. It's these vaults that provide a way for users to organize and securely share their data.

Proton, the company behind Proton Mail, the end-to-end encrypted email service, has a number of other privacy-focused services.

And this time, the company is introducing what it calls the 'Proton Pass'.

Initially in beta only for paying subscribers on Proton’s Lifetime and Visionary plans, the product is a password manager that, according to Proton, uses end-to-end encryption (E2EE) with 256-bit AES-GCM, which is supposed to keep users' personal information away from prying eyes, including third parties and even Proton itself.

In addition to letting users store usernames, passwords, and notes, Proton Pass can also create randomly generated email aliases that users can use as a replacement for their real email address.

This approach is also called "zero knowledge."

And because Proton Pass is a web-based service, it also allows encrypted information to be shared with other users.

However, since sharing and distributing public keys can create the potential for man-in-the-middle (MITM) attacks, "each Proton user has one or more address keys for each email address associated with their account."

"This address key is a public key linked to a verifiable identity and published in Proton’s Key Transparency system, ensuring they can’t be maliciously modified by an attacker."

A vault administrator can share their vault key, and Proton Pass will automatically encrypt it with the recipient’s address key, ensuring that the recipient can access it.

"After your intended recipient receives your encrypted vault key, they will validate its signature using your address key. This step verifies that the invitation legitimately came from you. Once the signature has been validated, Proton Pass will encrypt the vault key using your recipient’s user key and store it securely," Proton explained.

"Protecting your passwords properly requires a high level of competence with encryption and security, which few organizations have," Proton founder Andy Yen said in a blog post.

"We’ve always been worried about the risk posed by a major password manager breach, which unfortunately became a reality with the recent hack of LastPass."

Read: LastPass Got Hacked, And Hackers Stole ‘Portions Of Source Code’ And Proprietary Data

Proton Pass
After recipients receive the encrypted vault key, they validate its signature using the sender's address key. This step verifies that the invitation is legitimate.

While Proton boasts that its Proton Pass is "designed from the ground up to have a strong focus on privacy and security," the security model is actually the same as that touted by other popular password managers, including the aforementioned LastPass, which was a victim of a major data breach in 2022.

The main difference here is that Proton Pass uses E2EE not only to encrypt passwords, but also usernames, web addresses, and all the other fields associated with users' login information.

In a blog post explaining the service’s security model, Proton notes that "all cryptographic operations, including key generation and data encryption."

Proton Pass is introduced a little over a year after Proton acquired SimpleLogin, a tool that lets users send anonymous emails.

According to Yen, this acquisition increased the company’s "ability to develop a new password manager without impacting efforts on other Proton services," and it should help mitigate the risks that come with using an insecure password manager alongside Proton’s range of products.

In the future, Proton plans to make its password manager open source once it’s released to the public, and is also offering up to $10,000 in rewards for security researchers who find vulnerabilities within Proton Pass and its other products.

Published: 20/04/2023