That’s what I would say too, need to slim the herd before the 1st round of interviews.

For the majority of connections you can. Some connections bypass your VPN and there is nothing you can do about it. Its been reported to Google by multiple groups, including Mullvad but Google refuses to fix this.

Lol OK. Seems like its to much for you to consider you poorly communicated your point anyway.

deleted by creator

I think if people read that comment and think they are being called dumb, that’s completely on them and probably a good time to look themselves in the mirror.

Nothing wrong with the design. Its literally just making thing easier at no cost to the user.

deleted by creator

“Basically then it degrades to a very strong password that can’t easily be phished.”

I’m disagreeing with this, in that you are still (hopefully) using 2FA with your vault. Therefore whatever your accessing in that vault whether its a TOTP token or a password is still protected by MFA and not just a “very strong password”.

Putting a TOTP token inside a vault protected by a strong password and another form of authentication is no less secure then having it be separate from the vault.

Not really. You still should be using MFA to access the vault itself before you can even get to the Token.

Yes but you would still have 2FA.

You would still be using 2fa to access your vault. So in effect anything in that vault has more then 2 factors of authentication as it requires MFA just to get to the password.

Yes but you would still have 2FA.

You would still be using 2fa to access your vault. So in effect anything in that vault has more then 2 factors of authentication as it requires MFA just to get to the password.

This seems more like a user issue then a security issue. If you are avoiding this feature because you have to idiot proof your security against yourself, your probably going to be compromised at some point anyway.

As for your example, this seems easily avoidable by

1. just have the vault timeout be set low (1 minute) and to logout.
2. Not leaving your password manager unlocked and unattended (wtf are you thinking lol)

Seems a bit odd to roll this out without having the ability to import from other authenticators (at least on android). Feels like a pretty basic feature.

Why do you think its not safe? If you trust bitwarden to protect your passwords what exactly do you think is going to happen?

Even if bitwarden is compromised in someway in the future, all that data is still encrypted and would still be highly unlikely to actually be accessed in any usable form.

The only risk is if you use a bad master password. Which is the biggest risk of using a password manager regardless.

You seem to be avoiding the fact component, which is they have proven through audits, yearly, their security is what you would want in a service that holds your data and have decided to instead rely on one instance (in 10 years of that service being around), that has nothing to do with the issue and your own feeling of how companies operate (FUD).

My point is Proton did something every legit business would do.

If your threat model is such that governments are going after you, you should be aware enough to not create an email with an IP that identifies you. That email issue was bad opsec not some specific problem with Proton.

Not every concern is but ones where concern is based solely on fear and hypotheticals are. This all eggs in one basket line of reasoning is FUD and has no real bearing in reality.

Even this email issue, it really has nothing to do with if you should trust proton in terms of OPs post. If you really believe Proton is going to sell you out, you wouldn’t use them anyway and Proton following the laws is something every legit business is going to do, not something specific to Proton. If you have the threat model of an activist you need to careful about your opsec as i explained in a previous comment.

Proton can see my traffic. I already know that. Any vpn provider you use could. Its not that i trust proton implicitly its that i trust them more then my ISP that would be able to see it if i did not use a vpn. Couple that with their record of audits and im not sure what else you could expect from them.

It doesn’t matter what is being discussed, if its about proton the email incident gets brought up.

Here is the deal. No major company is going to break the law for its users. Had the activist been using proton vpn to create and access their email, Proton would not have had the info they were forced to give up. The takeaway from the story is bad opsec is usually what gets people caught whether its activists or hackers.

Whether you use Proton or someone else you will need to trust that service. If you don’t trust them, don’t use them. Its that simple, no need for conjured up FUD excuses.

If all your eggs are encrypted, having those eggs in one basket or five doesn’t matter from a security perspective. Its the same reason you wouldn’t split up your passwords to multiple password managers.

That being said the much more likely scenario is that at some point in your lifetime Protons values change (either by being purchased or new leadership) and you have to move on. That’s why, regardless of how good a providers security is, its good to have backups elsewhere.

“All security is porous” is pure FUD reasoning and, completely disregards the security audits Proton does to make sure its not anything like LastPass.

Using LastPass as a strawman is not a compelling argument.

OP and You are also assuming if Proton was breached that it means all the user encrypted data would somehow be available to the malicious party which is also extremely unlikely.