this post was submitted on 16 Aug 2023
19 points (100.0% liked)

Proton

5065 readers
1 users here now

Empowering you to choose a better internet where privacy is the default. Protect yourself online with Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.

Proton Mail is the world's largest secure email provider. Swiss, end-to-end encrypted, private, and free.

Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.

Proton Calendar is the world's first end-to-end encrypted calendar that allows you to keep your life private.

Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It's open source, publicly audited, and Swiss-based.

Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.

SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.

founded 1 year ago
MODERATORS
 

I’m using proton services and now the Pass password manager as well. I never let any managers save my bank data such as credit cards or login credentials being sort of afraid to.

Is this concern still valid? when using a manager like Proton Pass that has e2e encryption? what’s your opinion on holding bank data in managers like this?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (11 children)

As a rule of thumb, do not put all your eggs into one basket. No software is infallible and vulnerabilities can be uncovered and exploited in both open and closed sourced applications.

That’s being said, as long as you don’t store all information necessary for a successful login in your password manager, you should be fine.

So storing credentials for your bank account is fine, as long as it is also protected by MFA and you do not use the same password manager for handling that.

You can store PIN codes from your debit cards in the password manager as long as you do not store card number / expiration / CVV2 there too.

Personally, I keep passwords in a password manager, MFA tokens in a separate authenticator, MFA recovery codes go to FIPS 140-2 certified encrypted USB sticks (3 separate copies). I do store debit card PIN codes in my password manager, but only alongside the last 4 digits of the card number.

[–] prwnr 1 points 1 year ago (7 children)

that are good suggestions. my bank accounts all require two steps authentications, with the second one being mostly auth via mobile app, so that part is enforced and always keeps the account secured better.

I do have one concern with the Proton account itself, as you wrote "no all eggs in one basket" rule of thumb. With the Pass, I have the 2FA integrated together with passwords (not for bank accounts) - a little risk in here with a gain on convenience.

Though I certainly do not store my Proton password in it, keeping it memorable and more than 40 characters long makes me feel safe. Im not sure what 2FA app to use for the Proton tho, would you recommend anything? I cannot use a physical key, as my devices have different USB connectors and I cannot have a one key for all.

[–] [email protected] 2 points 1 year ago (5 children)

I personally use Aegis for Android (https://getaegis.app/) and FreeOTP for iOS (https://apps.apple.com/us/app/freeotp-authenticator/id872559395) both open source.

YubiKey makes several models for physical keys but I could understand not wanting it. I use NFC for my mobile device and USB-C on my computers.

[–] prwnr 2 points 1 year ago (1 children)

that are two separate keys? or that's one key that has USB + NFC on it? cause that would be kinda good, as all my devices have USB except for the iPhone, but it has NFC so that would be sufficient enough

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

It's one key with NFC for mobile devices plus a port of your choice. I'd check out there main site for this model, https://www.yubico.com/product/yubikey-5-series/yubikey-5c-nfc/

It is kinda pricey but they work well and they are well built, very easy for setup and use. I've almost always had better luck finding it a bit cheaper on Amazon.

[–] prwnr 1 points 1 year ago (1 children)

ok, I see some on my country sites with a reasonable price. thanks for the tips! if you don't mind I would like to ask one more question in regards to the keys.

How does they work in pairs? Like, I see an auction where I can buy one key separately, but to dont get locked out of account I would rather want to buy two. Should I look for auction with bundle of two? or I can set up two separate keys to be used for the same authorizaion?

[–] [email protected] 1 points 1 year ago (1 children)

Yes, it is recommended to purchase 2. It literally makes them identical in case you lose your primary. 1 in a safe and 1 on your key ring kinda thing.

Some websites may not allow recovery if you lose your key, so yes a 2nd one is useful if possible. And yes, you would be able to use both interchangeably.

[–] prwnr 2 points 1 year ago

thanks for your help! gotta get them then for my Proton account to keep it safe and handle all the other auths with passwords and TOTPs I guess.

load more comments (3 replies)
load more comments (4 replies)
load more comments (7 replies)