Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Proton Pass Multi-Platform Password Manager Launches on macOS
- Thread starter MacRumors
- Start date
- Sort by reaction score
Drivers licenses in less than 10% of US states.
There has been no mention of Passports. If you have reference, please provide link
Did you read the detailed report 1Password issued after the incident? No system can be 100% foolproof, but I've had excellent results with 1Password over 16 years.Ahhh, really?
1Password discloses security incident linked to Okta breach
1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.www.bleepingcomputer.com
A few years ago, iCloud keychain had a bizarre syncing error from a MacOS/iOS upgrade and all my passwords were gone. Apple support was utterly unhelpful and I had to spend a long time recovering everything from backups and lost some important ones that were hard to recover. After that, I signed up for 1password and have never looked back.
Sometimes paying for something yields a better and more reliable experience and I realized my time just wasn't worth it.
Separate Vaults and the ability to generate passwords cross platform and across browsers is a big plus as well if that's useful to you, and store different types of information cross platform as well. Sharing passwords also was improved.
Those abilities aren't useful to everyone, but with my life and work they were worth it to me.
Somehow trusting my passwords to a company (i.e., Google) that helps the Communist Chinese spy on their people and others, does not seem like a smart thing to do.
My bad. In my defense, Switzerland doesn’t have a c or an h in it.
You got me. No c or h used to spell Switzerland so it threw me.
Ooh, ooh, I know this one. My expensive trip through Switzerland is paying off.
CH stands for Confoederatio Helevetica. Helvetica was the Latin name for the region or people (I forget which) and so it translates to Helvetic Confederation, or Swiss Confederation.
I'll stick to my version - CH is short for chocolate which the Swiss are renown for.
Likely a blurb written by Marketing, but you get the idea: of course it's no encryption, but a cryptographic function used for password hashing, and they offer an offline/local mode where the hashes and other data are stored on-device, needing no remote access and exposing no data to misty clouds. Existence of a local mode is the first thing you check when you want a serious password manager, as well as no cloud syncs which are easy targets for agencies. Also, Argon2 (esp. Argon2id flavor) is well-studied and not so bad. First, password hashes were time-intensive (like 1 million hash iterations per password), but it was a benediction for state agencies, since they could afford the time, energy and parallelism while casual hackers couldn't. Then came memory-intensive hashes like Scrypt (iirc used by ethereum), which are more challenging for agencies since password attacks need huge amounts of memory, and later again came the Argon class which is both time and memory intensive and doesn't give the attackers easy time-memory tradeoffs (where you can attack using more of one and less of the other). The original Argon had flaws, hence Argon2 and its most secure flavor Argon2id (don't know which one Proton is using). Looking for "Argon2 vs Scrypt", here's a nice blog page not written by Marketing: https://stytch.com/blog/argon2-vs-bcrypt-vs-scrypt/
As for Proton, their founders came from CERN (the european particles research lab) but they're totally private and unrelated now. They comply to Swiss law (of course) and must provide means to track users, as was made clear some time ago. They seem to chase Apple users, charging high prices and changing their protonmail.com to proton.me
In their language it does: Schweiz.
But the CH really comes from the Latin name.I'm already somewhat familiar with Proton, and I understand the crypto.
This seems to me to be a recurring failure of analysis in these discussions.
Relying on physical security is a bad idea. Much better to assume that your storage is accessible to state-level actors, or really any motivated adversary. The whole point of really good encryption is that it shouldn't matter.
The biggest issue I see with 1P is that they require you to use their javascript client, at least for a few functions. That means that if it is compromised (or if, in the future, 1p becomes evil) they can steal your password there. Of course if they're evil, they can also steal your password directly from their app, but the javascript is a much bigger target. You're also exposed to evil in the web browser itself.
I will admit that this makes me uncomfortable, but so far the tradeoff has been worth making. If I were just picking a password manager for myself, though, instead of my whole family, I would pick one that did not have this flaw.
This seems to me to be a recurring failure of analysis in these discussions.
Relying on physical security is a bad idea. Much better to assume that your storage is accessible to state-level actors, or really any motivated adversary. The whole point of really good encryption is that it shouldn't matter.
The biggest issue I see with 1P is that they require you to use their javascript client, at least for a few functions. That means that if it is compromised (or if, in the future, 1p becomes evil) they can steal your password there. Of course if they're evil, they can also steal your password directly from their app, but the javascript is a much bigger target. You're also exposed to evil in the web browser itself.
I will admit that this makes me uncomfortable, but so far the tradeoff has been worth making. If I were just picking a password manager for myself, though, instead of my whole family, I would pick one that did not have this flaw.
Ice now requires you give a donation, even if it's zero dollars in order to download it from gumroad. I cannot download it from github.