
Proton Pass as 1Password alternative?

In the days before Christmas, 1Password had a pretty stupid issue which broke syntax highlighting on all sites using PrismJS. As my 1Password subscription also runs out soon, this nudged me to look at alternatives.

I'd love to use a European provider, or perhaps even self-host my own solution, and I can't help but think that this 1Password issue is a symptom of sloppy engineering. And while I don't have specific doubts about 1Password's security standards, it's still sort of concerning that 1Password apparently just dumps random npm dependencies into its extension, which has all my credentials. The npm ecosystem doesn't have a stellar security track record after all.

So I took a look at Proton Pass. Unfortunately it didn't make the cut, and can't (yet) replace 1Password for me. But that's probably just because I've been using 1Password for a long time (I think it's almost ten years by now), and have gotten used to many of 1Password's features. Had I started fresh, I'd quite likely have kept using Proton Pass, as it's a pretty good password manager, and the rest of the Proton product suite is pretty cool too. I'll likely take another look at Proton Pass in a year or two, and since it's pretty much impossible to find good in-depth technical comparisons of different password managers, I figured I'd keep notes of my testing here.

I think I'll also look at self-hosting Bitwarden with vaultwarden, but since that's a bit more effort to set up, I haven't had the time yet. Maybe I'll have another blog post about this soonish.

What I like

Proton, the company behind Proton Pass, is a strictly European provider with its own servers, i.e. not AWS or Azure like apparently everyone else. Since we can't really trust overseas anymore these days, that's a major point for me. I also appreciate that Proton's major shareholder is a non-profit foundation, and not any kind of venture capital.

Proton also has great customer service which responded in less than a day even around Christmas and New Year holidays, and was really helpful and supportive.

Proton Pass itself has native clients for all platforms I care about (Linux, Windows, iOS, Android). The apps look pretty good, and are straightforward to use. It also features a CLI which, despite still being labelled as Beta, appears pretty complete and solid, and already includes SSH support. It can run as an SSH agent pre-loaded with all SSH keys from selected vaults, and it can also load SSH keys from selected vaults into a running SSH agent. It's pretty easy to script, and while I didn't test all of it, it looks like it provides comprehensive access to all features of Proton Pass.

And last but not least, its family plan is also considerably cheaper than 1Password's, and can be combined with subscriptions for other Proton products[1].

What I miss

Importing data from 1Password

I started with an import of all my 1Password vaults, and quickly noticed that the import leaves quite a bit to be desired.

Items with lots of custom fields and sections sometimes get mangled during import; the imported items have duplicated fields, and sometimes sections with empty titles. The latter is particularly annoying: Proton Pass doesn't actually allow sections with empty titles, so when you edit the item later on the "Save" button is disabled, with no clear indication or error message. Only a tiny red error icon in empty space points out a missing section title, and it took me a while to figure out that I had to put in section titles to be able to save my edits to the item.

But worse, the import actually lost some data in the process. For a start, none of my passkeys made it over, though I'm in fact not sure whether 1Password actually exports these. But it definitely does export plain "Document" entries, and these got lost too: Proton Pass imported these as empty items, with the correct title, but no attachment. In other words, it lost the actual relevant content of the item, and without any warning in fact. Since we keep quite a lot of such documents in our shared vaults (notably copies of important legal documents such as birth certificates, deeds of possession, etc.), that was a major disappointment.

Tags

The import also lost all my tags, simply because Proton Pass doesn't actually support any tags, which was another major disappointment. I use tags a lot to keep track of groups of items across vaults. For instance, I have tags which track any kind of account that needs a paid subscription, i.e. which costs money, or any kind of account that has purchased digital content attached (e.g. Steam or PSN for games, or Adobe for some Ebooks, etc.). I also have tags which track what data an account stores, notably addresses and payment data such as bank accounts or credit cards.

I'd really hate to lose these tags, because they turned out to be very helpful a couple of times: when I changed my bank account a few years ago, having a complete list of every paid account that has my credit card or bank account number was really convenient. As another example, we're about to relocate soon, so I'm really happy that by means of these tags I have a complete list of every important account that has my postal address.

Per-device registration

Proton Pass secures the vault data with only a single master password. That's no concern if you actually pick a strong master password, but alas, non-technical people (e.g. all my family save me) have quite a different understanding of what a strong password is. As such, I very much appreciate that 1Password has two distinct secrets to protect vaults: a strong random secret key which is kept offline (we have printed copies in our strongbox at home) and only needed once every time a new client is registered, and the master password which routinely unlocks the vault in everyday use of the desktop client and apps. The second random secret is an effective companion to somewhat weaker passwords: an attacker who only obtains the encrypted vault data also needs the secret key, which makes offline brute-force attacks against the password infeasible.

I know that it probably doesn't make much of a difference effectively, since even a weaker password combined with the usual server-side countermeasures against brute forcing (contemporary PBKDFs, rate limiting, etc.) should hold up, but I still feel a lot safer and sleep better knowing that with 1Password it's factually impossible to gain access to vault items by brute-forcing passwords.
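To make the two-secret idea concrete, here is an added example (my own sketch, not 1Password's or Proton's code) modelled on the scheme 1Password describes in its security design: the master password goes through a slow PBKDF, the printed secret key through HKDF, and the two outputs are XORed into the vault key. Everything else is constructed for the demo: the `hkdf_sha256` helper, the key-check value that stands in for actually decrypting a vault, the low PBKDF2 round count and the tiny wordlist. The point it shows is that a stolen registered device (where the secret key is stored) still exposes a weak password to a dictionary attack, while stolen vault data alone does not.

```python
import hashlib
import hmac
import math
import secrets

# Illustrative parameters; real clients use far more PBKDF2 rounds.
PBKDF2_ROUNDS = 20_000
SECRET_KEY_BYTES = 16  # 128 bits of randomness, like the printed secret key


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869 extract + expand) on top of the standard library."""
    prk = hmac.new(salt, ikm, "sha256").digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), "sha256").digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret key derivation (demo): a slow password branch XORed with a
    branch fed by the high-entropy secret key. Salt and ciphertext alone are
    not enough to test a password guess; the secret key is needed as well."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    sk_part = hkdf_sha256(secret_key, salt, b"2skd-demo-vault-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?': a MAC over a fixed tag."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def dictionary_attack(candidates, salt: bytes, kcv: bytes, secret_key: bytes):
    """Attacker model: holds the salt and key-check value (stolen vault data)
    plus one guess for the secret key. Returns the password if a guess verifies."""
    for pw in candidates:
        candidate_kcv = key_check_value(derive_vault_key(pw, secret_key, salt))
        if hmac.compare_digest(candidate_kcv, kcv):
            return pw
    return None


def attack_work_bits(dictionary_size: int, secret_key_known: bool) -> float:
    """log2 of the guesses needed: the dictionary alone when the secret key was
    recovered from a device, dictionary times 2^128 when it was not."""
    bits = math.log2(dictionary_size)
    return bits if secret_key_known else bits + 8 * SECRET_KEY_BYTES


def demo():
    # Constructed sample: a weak family password and a fresh random secret key.
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(SECRET_KEY_BYTES)
    password = "Fluffy2019"
    kcv = key_check_value(derive_vault_key(password, secret_key, salt))
    wordlist = ["123456", "password", "Fluffy2019", "letmein"]

    # Case 1: attacker took a registered device, where the secret key is stored.
    with_key = dictionary_attack(wordlist, salt, kcv, secret_key)
    # Case 2: attacker only has server-side vault data; the secret key is unknown.
    without_key = dictionary_attack(wordlist, salt, kcv, secrets.token_bytes(SECRET_KEY_BYTES))
    return with_key, without_key


if __name__ == "__main__":
    found, not_found = demo()
    print("stolen device (secret key present): recovered", found)
    print("stolen vault only (no secret key):  recovered", not_found)
    print("work without the secret key: 2^%.0f guesses" % attack_work_bits(4, False))
```

The XOR composition is what decouples the two secrets: neither branch on its own reveals anything about the vault key, so the attacker cannot first recover the password and then the secret key separately, and the 128 bits of the secret key are added on top of whatever entropy the password has.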

Other nuisances

Besides these three major points, there are also a few minor nuisances.

Proton Pass won't let you add custom icons to entries[2]; I've got a lot of custom non-login entries in my vault, so my entire vault just had the generic grey pliers icon all over the place. I might just as well not have any icons at all.

Proton Pass doesn't support plain Documents similar to 1Password; to store a document I'd have to create an empty item with a single attachment, which is a bit clumsy.

The browser extensions and the CLI aren't linked to the desktop app like with 1Password, where unlocking the desktop app automatically unlocks the CLI and browser extensions as well. So depending on my current tasks I ended up repeatedly unlocking Proton Pass three or more times.

The mobile app has a biometric unlock, and the browser extension can unlock with a short PIN, but neither seems to request the actual password again periodically. Probably not that relevant for security, but having to type the actual master password every once in a while is also a good way to make sure people don't forget it.

The desktop app downloads don't appear to be cryptographically signed, which is probably not too relevant either, but still feels like a strange oversight for a security-minded app.

Summary

I'd really like to use Proton Pass, but I definitely miss a better import from 1Password, tags to organize my vault items, and two-level security with explicit client registration.

These three issues rule out Proton Pass for me; all the other things above are mostly minor nuisances which I could easily get used to. I might have used Proton Pass nonetheless in combination with the whole Proton suite, if only Proton Drive had a proper Linux client.

Proton Pass is a good password manager in and by itself, the CLI is great, and it has bonus points for being sort of not-for-profit and Europe-based. Let's see how things evolve; perhaps I'll take another look at Proton Pass in a year or two.


  1. Incidentally, if Proton Drive had a convenient Linux desktop client, I might actually have subscribed to the whole Proton Suite and kept using Proton Pass despite its shortcomings, because the Proton Suite as a whole also has some pretty convincing features on its own. But alas, Proton Drive has no Linux client yet, and all this rclone mount and rclone bisync business is not really great. ↩︎

  2. Curiously, Bitwarden doesn't appear to support custom icons either, while still fetching favicons from websites. I really can't understand why. If you're already storing (fav)icons along with entries, and showing them in place of standard icons, how hard can it be to just have a small image picker to edit these icons? ↩︎