Proton AG has introduced Proton Pass, an open-source password manager available as a browser extension and mobile app on Android and iOS.
The company, known for its privacy-focused products like Proton Mail, Proton VPN, and Proton Drive, expands its portfolio with a secure, end-to-end encrypted vault for password and note storage.
Proton Pass stands out by offering a “hide-my-email alias” feature, generating random email addresses that act as a relay between online services and users’ actual email accounts, preventing tracking and identification by service providers.
This email forwarding system, initially introduced in Proton Mail, enhances privacy by filtering out marketing trackers and hidden tags.
In addition to password generation, Proton Pass employs strong bcrypt password hashing, a hardened implementation of Secure Remote Password (SRP) for authentication, and comprehensive encryption covering not just passwords but also usernames, web addresses, and other saved data.
The use of bcrypt is highlighted as a security measure that distinguishes Proton Pass from other password managers relying on problematic PBKDF2 implementations.
Proton Pass aims to mitigate the impact of data breaches by providing a unique email alias for each account, so that an address exposed in one breach is useless in credential-stuffing attacks against the user's other accounts. Independent auditors at Cure53 are currently scrutinizing the software’s code for security vulnerabilities, reinforcing the company’s commitment to a robust security architecture.
Proton underscores its “privacy-friendly” Swiss jurisdiction, suggesting that law enforcement authorities will only request user data in verified instances of illegal activity.