I’m using Proton services and now the Pass password manager as well. I never let any managers save my bank data such as credit cards or login credentials, being sort of afraid to.
Is this concern still valid when using a manager like Proton Pass that has e2e encryption? What’s your opinion on holding bank data in managers like this?
I generally trust Proton products.
As a side note, you should never use any non e2e encrypted password manager.
As a rule of thumb, do not put all your eggs into one basket. No software is infallible and vulnerabilities can be uncovered and exploited in both open and closed sourced applications.
That being said, as long as you don’t store all information necessary for a successful login in your password manager, you should be fine.
So storing credentials for your bank account is fine, as long as it is also protected by MFA and you do not use the same password manager for handling that.
You can store PIN codes from your debit cards in the password manager as long as you do not store card number / expiration / CVV2 there too.
Personally, I keep passwords in a password manager, MFA tokens in a separate authenticator, MFA recovery codes go to FIPS 140-2 certified encrypted USB sticks (3 separate copies). I do store debit card PIN codes in my password manager, but only alongside the last 4 digits of the card number.
This is also largely based on threat model as something is better than nothing. I don’t believe the average person is going to, much less successfully, implement full layered security.
If more people could just:
- Use long passphrases
- Never reuse passwords for more than one service
- Use an encrypted password manager
- Enable 2FA (preferably via app, not SMS)
It would solve a large majority of the issues. It’s important to note that most stolen logins are actually from data breaches and malware. Before Proton Pass I stored everything in KeePass, we’re talking many years. I have yet to ever have unauthorized activity or login on any of my accounts, I’ve even been lucky not to show up on any data breaches.
Sure, I got a “FIPS 140-2 certified encrypted USB” which really can just be done with VeraCrypt for FREE (Supply Chain Prevention), used for archive backups, but otherwise just not clicking on links in random emails or visiting sketchy websites.
I agree with you on most of the points. Some security is better than nothing. More security is better than less, layers and all.
Regarding data breaches and malware, and threat models in general. We should not forget phishing too. People voluntarily entering their credentials on a website masquerading as their bank etc.
With all of that, having your credentials split over multiple applications and devices actually saves you from an endpoint compromise and evil maid attacks, at least in a sense of limiting the fallout.
Regarding VeraCrypt and “FREE”. While it is, again, better than nothing, VeraCrypt is fiddly, does not always work consistently on all operating systems (I look at you, macOS), and is susceptible to key logging. I prefer actual certified hardware with physical keypads instead. It is not free and has its own downsides, but it is just something I find more appealing.
This. Saving 2FA codes in password managers is one of the dumbest trends in security for sure. Like, ok, take the 2 out of 2FA, great job T_T
It all depends on your personal balance of risk vs convenience.
Your card details should be secure provided you follow standard security practices. So if you tire of manually inputting them all the time then go ahead.
If there ever is a vulnerability disclosed you can cancel your cards through your provider and have them re-issued. Finally, if you ever come across fraudulent purchases you can dispute them.
That is a true concern. However, in this case I have a good feature provided by my bank provider, where I can create a virtual-only card, to which I send a fixed balance amount, like $100, and that is all that card has, even though my account may be at $1000. So given this and the e2e encryption, I guess it’s probably safe to store, at least the virtual cards.
It’s e2ee and open source, so I’d not be concerned regarding Proton’s side.
Keep your account safe, your passwords long and complex, and use 2FA sort of things and you should be fine, I’d say.
I have no question on its security, I’ve used their services for years and never had any issues. It’s well thought out, designed and there is a full article on their website about the security of Pass in particular.
Just be sure to use settings such as setting a PIN to access the app/extension; it’s not a bad idea to consider device security as well based on your threat model.