Proton pass Vs keepass

Graphite

[deleted] proton doesn't support fido keys in their applications

https://proton.me/support/two-factor-authentication-2fa
Proton supports two different types of 2FA. You can use:
Your smartphone (via an authenticator app)
A Universal 2nd Factor (U2F) or FIDO2 security key
https://proton.me/support/2fa-security-key

[deleted]

Graphite Now you're in for a big fat lie... I've just tested the application, the application downloaded from the playstore doesn't support fido2 keys. If someone sets all their passwords in protonpass, and sets the 2fa code in protonpass, then the applications become unusable if you uninstall and reinstall them. The same goes for proton on the Internet, it's unusable. I think they know all about this at proton... I hope for their sake

Graphite

Staying on Topic!
OP:

L8437 What are people's thoughts? I've been using keepass for a long time and I like the idea of it being offline and the magic keyboard too

But proton pass does look good too

Keepass and ProtonPass are two very different things. One's an app, the other a service.
I think all cloud based password vaults should be avoided. The benefit of having automatic sync to all your devices is not worth it, and can often be the thing that pwns your entire life. It is much better just to do syncing manually or with a separate app that syncs directly like syncthing.

Graphite

[deleted] Google manager is also encrypted and free with 2fa

For Google Password Manager, is the password and 2FA token different / separate from your Google account?

What happens if Google is legally compelled to hand over your entire Google account to LEA? I know the password vault is on the device, and E2EE. But can't Google perform a 2FA reset or add new keys to your account? They can also reset your Google account password. At that point, LEA can sync a password database, right? LastPass, on the other hand, at least can't reset a master password.
There is a lot of false sense of security with 2FA and password managers. If the provider (say Google or Lastpass) has the ability to reset your 2FA token, then your passwords are not really as secure as you think. At that point, only the "master password" is protecting your password database. But does Google Password Manager have a separate master password, or can they just reset your account password? If it were really secure with E2EE that Google itself can't access/change, then a Google account password reset or 2FA reset would invalidate existing password vaults, locking out the user (which is actually a good thing) unless they have their recovery codes. Let me know if this is how Google works.

[deleted]

Graphite Google implements fido keys much better than proton... If you set APP in your Google account, even Google can't open your account, unless there's a flaw in the fido protocol, which I highly doubt.

Graphite

[deleted] I've just tested the application

Oh, you meant the Android app, not the apps provided by Proton, which does support FIDO keys.
I guess they would have to open a browser webview to communicate with the hardware key. The benefit of FIDO over OTP as 2FA, is primarily phishing resistance, which wouldn't matter when using a native app anyway.

[deleted] Google implements fido keys much better than proton

Google, having deep integration with Android phones, would of course want to make security keys work within the non-web apps. Does this require Google Play Services? If so, that's a deal breaker for many.

[deleted] If someone sets all their passwords in protonpass, and sets the 2fa code in protonpass, then the applications become unusable if you uninstall and reinstall them

I don't understand what you are trying to do.

[deleted] If you set APP in your Google account, even Google can't open your account, unless there's a flaw in the fido protocol, which I highly doubt.

Are you saying you've tried Google Account recovery? Google does have the ability to reset/turn off 2FA.
If you want to test this. See if you can reset your Google Account without 2FA using a recovery email. If it is possible... then Google can absolutely access your account.

Graphite

Graphite Oh, you meant the Android app, not the ~~apps~~ services provided by Proton, which does support FIDO keys. I misunderstood your claim.
I guess they would have to open a browser webview to communicate with the hardware key. The benefit of FIDO over OTP as 2FA, is primarily phishing resistance, which wouldn't matter when using a native app anyway.

Proper E2EE where the cloud service provider can't even access the data:

This type of encryption makes it impossible for anyone to access your information besides you and the people you share it with. Whether you’re using our encrypted email service, our encrypted file storage service, or any of our other services, your data is encrypted on your device before it reaches our servers, meaning not even we can access your data.

This is good for your privacy but can make data recovery difficult if you forget your password. Most other services can restore your data to your account because they can easily access it whenever they want. This isn’t an option. Any recovery system we use must maintain your privacy, which means we must develop recovery methods that are compatible with end-to-end encryption and prevent our servers from ever having access to your information. This is an additional difficulty that most other online services don’t need to worry about, but we view it as an integral part of building an internet where privacy is the default.

Making it possible to recover data if you forget your password is one of the toughest technical challenges presented by our use of end-to-end encryption, and we had to develop several innovative solutions. We rolled these technologies out some time ago, but many people have asked us how they work, so today we’re explaining how we enable data recovery with end-to-end encryption.

I have not used Google in years. But as far as I remember, account recovery was possible without losing data. My questions that I still await an answer:
1) Can you recover your Google account with it's historical data (email, files, passwords, etc.), without backup codes and 2FA hardware token? Such as with a recovery email address, phone number, or security questions?
2) Can you reset or remove a 2FA from your account without losing existing data?
3) Does Google Password Manager require a SEPARATE master password for the password vault? Such that they have NO POSSIBLE RECOVERY METHOD?

Even if it's Google's policy to not allow normal access your account without 2FA, if these recovery methods exists... then Google does NOT use 2FA or even your account password, as part of the encryption of your data.
Contrast with Proton, which does not have these recovery methods. Or contrast with Keepass, which can encrypt the database with both a password, and 2FA (yubikey HMAC). And compare/contrast with LastPass, which cannot recovery your master password, but can reset/remove your 2FA token.

Let me know when you are able to test these recovery options on Google's Password Manager. Thanks.

[deleted]

you can't retrieve your proton account if 2fa is enabled in protonpass. I think it's a flaw (not related to security) if someone who knows about it can explain it. I think it's called a UI flaw.

Graphite

[deleted]

From what I understand, if you set 2FA in ProtonPass, then your database actually uses it as part of the encryption. So deleting/removing it, will permanently lock you out. That's for security.
Have you tested Google's recovery yet? Still curious about the 3 questions above.

[deleted]

Graphite I use advance protection program on Google. I have no recovery method except my fido keys.

Graphite

[deleted] I have no recovery method except my fido keys.

Yes you do
They will do a manual ID verification which takes a few days.
https://support.google.com/accounts/answer/7539956?hl=en#zippy=%2Cwhat-happens-if-i-lose-my-security-key

This means Google has access to your data.

GrapheneLover

Graphite That's correct, as well as Google still allows you to reset with alternative email address and if your account was very old they still allow you to answer your Security Questions which were setup prior to 2012 or so. There's ways to reset a Google account even without the alternative email address so the bottom line is that its not truly end to end encrypted and I can confirm once you reset the Google Account you can access all of the same Google Passwords as well as the 2FA backed up codes since the new release recently.

Which means KeePass and others are much better for Password Managers which the serious players already knew anyways.

[deleted]

Graphite With the PPA, no recovery is possible... I tested with a dummy account of my own, and even without PPA, if you don't set up a recovery method you can't recover your account. Again, I tested on my own. Thank you for not telling misinformation

Graphite

GrapheneLover I can confirm

Thanks for confirming.

GrapheneLover its not truly end to end encrypted

It's still E2EE. Just that people misunderstand what that means. It's still good protection against hackers, but since it's encryption where the company controls the keys, it does nothing to protect against government, law enforcement, or the company itself.

It's a classic false sense of security, when you don't consider all likely threats. I used to believe Google's "Don't be Evil" slogan. When I found out they were scraping through my emails looking at my 3rd party store receipts to generate a profile of purchase history, I left and never looked back.

Graphite

[deleted] With the PPA, no recovery is possible

I gave you the link. You didn't try the form. It takes several days since they perform manual verification
The recovery is possible, despite individual failing.

Your inability to go through the process, is not proof that there is no process. Google's own documentation is proof. Besides, they don't even make the claim that "not even they can access your data". This is the difference between Google and private password managers like LastPass and ProtonPass.

[deleted]

Graphite I'll say it one last time because it's complicated for some people, if you've secured your account with the PPA and you lose your keys, you won't be able to recover your account, and Google tells you this immediately as soon as you try to log in without your keys. Look what happened to me last year!

GrapheneLover

Graphite in a sense I guess but true end to end encrypted should not be resettable in my book. If you can just reset the password to an account and get all of the data back it should not be classified as end to end encrypted.

[deleted]

Graphite If you set up encryption with the phone's password, Google has no keys. If you set up encryption with a passphrase, Google has no encryption keys either.

« Previous Page