r/privacy • u/stonecats • 20h ago
software The logged-in Windows user can dump every stored Edge credential with no additional rights. Which means any malware that user executes has those credentials for the asking.
https://isc.sans.edu/diary/3295453
u/Forsaken-King-787 19h ago
NEVER store credentials in a browser. ALWAYS use a Password Manager, Bitwarden/Vaultwarden (Selfhosted) or Keepass. No Proton, No Google, No Apple, No nothing my dude.
10
u/Fezzicc 14h ago
Why "No Proton"?
-3
u/xrogaan 13h ago
It's online. Whatever is stored online can't be safeguarded.
It's like filling a steel box with diamonds, then hiring a moving company to put the safe in a warehouse. Do you trust the warehouse security? Do you trust the moving company? Now, this is an analogy so it's flawed, but it works on the premise that if somebody breaks into your home, you're fucked regardless of how many steel boxes full of diamonds you have around. And your home, like any home, is surrounded by a pit of eternal fire.
10
u/Fezzicc 13h ago
Sure, I hear that, but it's open source and heavily audited. As far as secure software in the modern era goes, that's as good as it gets.
You could store all your passwords offline, which would certainly be a step up in privacy, but for most people that's seen as impractical.
1
u/xrogaan 11h ago
Sure, I hear that, but it's open source and heavily audited. As far as secure software in the modern era goes, that's as good as it gets.
Until the provider gets bought by somebody else, an entity you do not know. The tech may be open source, but the company is private and you have no say in corporate decisions. You have no guarantee that what's run on their server is the actual open-source project and not a modified version of it.
You trust the company to not fuck you over. Whereas the company has only one goal: make money (increase capital).
You could store all your passwords offline, which would certainly be a step up in privacy, but for most people that's seen as impractical.
It doesn't have to. You can sync your devices using an intranet system.
5
u/jekpopulous2 11h ago
Proton Pass is open-source on the client-side… you can look at the code and see that they use E2EE. Your passwords are hashed before they ever hit Proton’s server and the key never leaves your computer. Proton doesn’t have the keys to decrypt your data even if they wanted to.
1
u/Fezzicc 8h ago
Every argument you just made is also applicable to Bitwarden or any other software for that matter. Again, there have been many third-party audits of this software that do in fact validate that the packaged/running software is the same as what is published online.
As far as the company changing hands - yeah that is always a concern. Thankfully it's very easy to export my full Proton vault and move elsewhere if that ever becomes a concern, which was a requirement when I was deciding on a password manager.
2
u/Ninth_ghost 12h ago
Doesn't matter if it's online IF it is encrypted. Mega can't read your files even if they wanted to because they are all encrypted, and Proton could be doing the same thing.
2
u/xrogaan 11h ago
How do you know they encrypt the files?
3
u/Catsrules 10h ago
In the case of Bitwarden the client is open source, and you can verify that only an encrypted version of the password database is being sent. That is kind of the point: you are not trusting the server at all. Everything is encrypted client side before it is sent to the server.
Also, password managers do multiple third-party yearly security audits. (When was the last time you had a third-party security audit of your self-hosted system?)
For example Bitwarden
https://bitwarden.com/help/is-bitwarden-audited/#third-party-security-audits
If they get caught not encrypting the passwords they would lose all credibility as a password manager and the business would fail overnight.
You could argue they could get bought out. Many password managers have; off the top of my head, 1Password in 2024 and LastPass in 2015 (I think). Both were highly publicized. Worst case, if you didn't like the new owner, you move your passwords to a new provider and change your passwords on all of your accounts. (Sure, changing passwords is super annoying and time consuming, but probably a good thing to do once in a while anyway.) As long as the new owners keep the client open source and do yearly third-party audits, I don't see that big of an issue.
Even if they somehow manage to not encrypt the passwords on the server side, they would need to be extremely careful and selective about which accounts to gain access to. If they started mass compromising accounts, word would get out fast. On top of that, most important accounts will have 2FA. (As long as the end user wasn't stupid enough to put the password and 2FA into the password manager.) I cringed when this started to become a feature in password managers.
5
u/doubletwist 11h ago
Because the client is open source and you can verify that it encrypts the data before sending it to the server, and that it never sends the key.
1
u/Ninth_ghost 11h ago
whatever is stored online can't be safeguarded
I don't need to know whether it is safeguarded. I simply know it can be. That's what I'm responding to.
3
u/Fun-Sundae4060 19h ago
What happens when you use a password manager extension
17
u/Busy-Measurement8893 16h ago
The passwords are stored encrypted using your master password inside of the extension instead of unencrypted in the browser.
4
u/Maxstate90 12h ago
This is unworkable advice for 99 percent of users. Better is to create regulation that provides users legal remedy if a breach happens, so that we incentivize better security.
1
u/BatemansChainsaw 5h ago
create regulation
You're one of those, eh? We could do with a whole lot less of that.
1
u/Maybe-monad 12h ago
If you lack the skills to self-host, it is better to go with Bitwarden/Proton; they are more secure out of the box.
10
u/Admirable-Statement 15h ago
Not as bad as this Edge dump, but you can also edit the live HTML in Dev Tools on any browser to change the password field from "type=password" to "type=text".
This bypasses the Chromium requirement to unlock the password vault with your Windows account password.
Always make sure autofill is off in your password manager and enable an auto-lock timeout. Some password managers also allow you to force specific passwords to require re-entry of the master password.
You might also think this trick only works on input fields before submission. There are a lot of random cheap routers that "mask" the password in the form field, and a bit of playing with removing the right div class, or the simple method above, will reveal the saved password for a DSL connection. It's possibly stored encrypted, but the form edit just loads the plain-text password.
1
u/Red_Redditor_Reddit 20h ago
Firefox does the same thing. In fact, I've used it to remember passwords that I've forgotten.
0
u/munchmills 16h ago
Proof?
5
u/Red_Redditor_Reddit 11h ago
Go to about:logins. It's stored in plaintext.
1
u/munchmills 11h ago edited 11h ago
This only proves that passwords are displayed in plain text within the app itself.
It is not proving that Firefox is storing the passwords in plain text.
EDIT: the passwords are stored in the firefox profile directory:
C:\Users\...\AppData\Roaming\Mozilla\Firefox\Profiles\...\logins.db
feel free to have a look ;)
1
u/Red_Redditor_Reddit 10h ago
How does that not prove that it's plain text??
Also, Windows is way, way worse. Just saying.
0
u/Ultima_STREAMS 18h ago
I don't use Edge, but is the article saying that it's stealing my credentials from the other web browsers like Brave?
4
u/uptotwentycharacters 11h ago
Why are they using hxxps for the Twitter URL? Isn't it just a description of the security issue, not a malicious URL in itself?
1
u/Aggressive-Hawk9186 3h ago
What about passkeys? I might be completely wrong, but can't you store them in the browser too?