Yes that's why I said:
If you already use Proton Pass, I think I'd recommend Ente Auth instead
Proton Pass specifically is not problematic. The problematic part is just having both passwords and TOTP keys in the same vault (basket).
Am I wrong in thinking that it depends on the specific service?
Yes. The concern is that if your account for your password manager is compromised, your passwords and 2FA tokens are both compromised. Whereas if you kept your 2FA in a different account, only your passwords are compromised. All services work this way. Proton has suggested creating a second account for your 2FA codes, even though it violates their own ToS.
For example, your e-mail address (if not using a custom domain) cannot be changed overnight, and it will probably take years to move everything over. Think carefully about where you put your e-mail!
That's why I tell everyone I know to get their own domain. Not just for email, but for a variety of things. If nothing else, I run a Linkstack that has all of my personal information, so when people ask me for it, I send them there, and let them contact me however they wish. I've actually managed to get it to the top of the Google search results somehow so people can just Google me and easily find it as well. It grants you a whole lot of autonomy over your digital identity.
Changing your email host is just a matter of a simple DNS config change. When I changed from Google it was indeed a nightmare. Several companies I realized don't even have mechanisms to change your email address because it is actually your identity in their system. I had to delete my account and open a new one. They had no other mechanism. Which is absurd. Other companies would send some things to my new email and other (important) things would continue to be sent to my old email, for reasons no one would explain to me. They are simply not technologically equipped to handle this sort of change. All in all it took about a year before I was comfortable deleting my Google account.
Correct. However it's worth noting that passwords are almost always compromised server-side. So 2FA is far more a mitigation of data breaches from the provider, rather than your password manager being breached.
If you can't self-host / switch to a different server if they enshittify due to being closed source, then it's not "open source" nor "portable"
That's....just wrong.
That's not what open source means.
You can export everything and anything. And if you use your own domain you can take that with you as well.
I don't see how that's a SimpleX problem. People like that are obviously going to gravitate to "free" platforms where they're free to be shitheads. There's no administrative oversight. That's what you want.
...you mean SMTP?
Everything in Proton is
Ehhhh but they already have this in Proton Pass?
E: found this in the FAQ
Proton Pass is a password manager designed to securely generate and store strong passwords, and protect your digital identity with features like email aliases and dark web monitoring. It also includes an integrated authenticator that can store and autofill 2FA codes - but not the ones used to log in to your Proton account. Proton Authenticator is a standalone 2FA app that allows users to enable 2FA protection for their Proton account, it also allows users to store their 2FA codes separate from their passwords if they wish to do so.
If you already use Proton Pass, I think I'd recommend Ente Auth instead. That's what I use.
can be a little annoying
You don't need to host the server, you just move your domain to a different provider. It's nothing more than a 3 minute DNS config change.