Password Managers

Since the original article below was first published in 2014, we have made many improvements to how ProtonMail supports password managers. ProtonMail now supports three of the most popular password managers: LastPass, KeePass, and 1Password on both the webmail and our secure email mobile apps for iOS and Android.

To learn more about how to use these three password managers with ProtonMail, please visit the following article on ProtonMail Password Managers.

We highly recommend using a password manager: having a strong, unique login password and mailbox password is critical to securing your ProtonMail account.

The original (now outdated) post from August 2014 is reproduced below:

UPDATE: A fix has been put in place for LastPass. If you continue to experience problems, please let us know in the comments!

Many users have reported issues with ProtonMail and password managers such as LastPass. At the moment we are not fully compatible with these password managers because of our two-password design. This post outlines why that is the case and how we plan to improve compatibility in the future.

Why it doesn’t work

ProtonMail uses two passwords to secure your account. The first (login) password authenticates you and logs you into our system. The second (mailbox) password is seen only by you: it is used on your device to encrypt and decrypt your messages and is never sent to our servers. This is a relatively new concept; 99% of websites use a single password for logging in, and most password managers, LastPass included, assume exactly one password per site. The result is that a manager may overwrite the saved login password with the mailbox password (or the other way round), and in some cases one of the two passwords is lost entirely.

The Solution

The temporary solution is to not use password managers during our Beta. However, some of us at ProtonMail, myself included, enjoy the convenience these password managers provide, especially the ability to generate long random passwords and save them for you. Because of this, it is our goal to fix this issue if possible. We have a potential solution that involves some creative coding, but it should do the trick, and we hope to have it launched in the next two weeks.


About the Author

Jason Stockman

Jason is the Co-Founder of ProtonMail. He works on building ProtonMail's webmail interface and front-end encryption. Jason has 10+ years experience building websites and applications.

58 comments on “Password Managers”

  • My solution is to use the password manager for the inbox log-in, using the longer, more complex password for the inbox; this allows for a simpler, less complex password that you can remember for the account login.
    I use LastPass in the manner I described and it works well. Plus it’s safer in the event that whatever password manager you use gets compromised: you have something close to 2FA.

    Reply
  • Plus it’s safer in the event that whatever password manager you use gets compromised, you have something close to 2FA.

    Reply
    • Saying something like that without information to back up your declaration is basically wasting your time to type it in, and ours to read it. I’ve been using LP for probably four or five years and am happy with it. It uses PEE/PIE (look it up) for password encryption, so I don’t see anything “unsafe” about it. Please elaborate…

      Reply
    • Not true.
      A good password manager, if used properly, is extremely safe. Much safer than what 99.9% of the people out there are doing for sure.

      Reply
    • Password managers are still less unsafe than using the same one or two passwords for everything, which is what >90% of people do.

      Reply
    • To counter your statement on password managers being very unsafe: I use Dashlane, which never stores the encryption keys on its servers. I have nearly 100 different passwords for all my accounts. Nearly all of the passwords are 20 or more characters of random goo. My most secure is over 60 characters. Having had my old Facebook password hacked, my new password would be very difficult to type in even if printed on a piece of paper in front of you. If password managers are unsafe, then what’s better? Post-it notes? MS Excel? Or use the same password everywhere? Not all password managers are equal. I worry if the app offers a password process, as the only way to do this is to store the encryption keys on the servers, which is why LastPass got hacked. Either Roboform or Dashlane store the keys. I will stick with Dashlane as it offers me a secure place to store all my very long, randomized, different passwords.

      Reply
    • I use Keepass and store it locally. I can also upload it to my email file manager, which is encrypted end to end and download to other computers/devices.

      Reply
  • I’ve been using 1Password without any problems; you just have two entries, one for the Login and another for Decrypt. Works well.

    Per day I have to select 1Password to enter my Login, then for the rest of the day it only asks for Decrypt, which is in 1Password.

    Reply
    • I use the same solution and it works great for me. 2 entries in 1Password. Once for the login and the other to decrypt the mailbox. No issues!

      Reply
      • I use LastPass without any issues. Like the previous posts, I have two entries, one for logging in and the other for decrypting the mailbox. As a side note, as far as security goes, I use the YubiKey for 2FA to gain access to my LastPass credentials (Yubico site).

        Reply
  • Interesting. Thank you for this precision.

    Here I normally use the browser’s built-in password manager for login, then type the password myself (a phrase from a famous novel in my case) to decrypt my messages. There’s really nothing complicated to that. Perhaps it is worth recalling that security means a minimum of effort. I just cannot conceive of relying on a gem such as ProtonMail and having all information stored a click away. Login is enough. The decryption password (or phrase) should always remain, IMO, in one’s best vault: one’s brain (or elsewhere than on a computer).

    Reply
    • The mixed approach is a good idea (one password in password manager, one elsewhere.)

      However I’d argue that your approach has some flaws. Entire books have been written on the weaknesses of brain vaults. Also, using phrases from a book makes it vulnerable to dictionary attacks.

      Finally, if you use 2 factor auth in a good password manager, your information will not just be “stored a click away.” Proper client side encryption and 2FA offer very high security.

      Reply
  • LastPass does work with ProtonMail, you just have to create another page in your Vault. For example, in addition to the standard ProtonMail registration for the root URL, I also have a registration named “ProtonMail Unlock”, with the “https://protonmail.com/locked” URL. This way, LastPass can fill that information in for me on the main screen, but I still have the convenience of it remembering my mailbox password for me too. The two-password thing was slightly problematic at first, but once you add a second site in your vault it’s not an issue anymore.

    Reply
  • Lastpass seems to work. I’ve setup two passwords for the site…one for the site and one for the mailbox. Turn off autologin or autofill. Also be careful, if you change a password that you update the correct one, if not , one will be lost. I’ve labeled one as website the other as mailbox to keep them separate. There are ways you can probably make it even more automated by specifying values for specific fields and eliminate confusion when updating passwords, but I haven’t attempt that yet. Other financial sites have similar two step authentication and I’ve used the same solution.

    Reply
  • Hi there
    I would suggest also not enabling any LastPass options and keeping one of these passwords away from any password manager or password wallet tools.
    The reason is that LastPass, but also many others of them, collect and save all our passwords on a NONSECURE server, and that means it is visible to others.

    You should explain to every ProtonMail user to keep this encryption password (2nd password) outside of such tools.

    Thanks, regards
    Srdjan

    Reply
    • LastPass have proven a million times over that their servers are extremely secure. Also, passwords are encrypted client side and saved only in encrypted form on their servers.
      While nothing is 100% safe and Lastpass can possibly be faulted for not being open source, stating that Lastpass servers are not secure is spreading misinformation.

      That said, keeping one password in a good password manager and one password elsewhere is probably the best solution.

      Reply
  • The key to LastPass is to save the passwords in two separate entries, then you can choose which one to use on each screen. Works fine for me.

    Reply
  • Don’t know why anyone hasn’t posted about this, but it’s rather easy to get working with LastPass. All you have to do is add another website entry for the mailbox page, but omit a username. My entries are called ProtonMail – First, and ProtonMail – Second. So when you go to fill in your info on the site with LastPass, you choose one saved entry for the first login, followed by the second for the mailbox login. Hope this helps someone.

    Reply
  • Hi All

    Great solution to private email in this new age of secure communication.

    I saw this blog post and thought to still give LastPass (LP) a go.
    I used LP to generate the first (Login) password and logged in.
    Then saved the site as New.
    I used LastPass to generate a more secure Mailbox password and saved this in the notes section of the login dialog.
    This was a bit clunky, so after a few logins I went to the site info dialog, Generated Password, updated the URL to the Locked page, discovered the Mailbox password was already in the password field, and saved that with a unique name to differentiate it from the base login.
    I set both to not Auto Fill so they will not cross-populate.
    I can now log in with ease by just selecting the appropriate source on each page.

    Still looking forward to your solution once you get it sorted.

    Regards
    George

    Reply
  • The reason is that LastPass but also many other of them collects and save all our passwords on NONSECURE Server

    Do you have any support for that? LastPass says everything is encrypted on the client side and therefore stored encrypted on their servers. Do you have a particular reason to doubt this claim?

    Reply
  • RoboForm seems to work fine so far. It has a two-step feature that, while requiring you to invoke two passcards, does get the job done. Cheers, Al

    Reply
    • RoboForm is by FAR the best password manager I have ever used. Period. Logging in to your mail is as simple as it gets. Plus, everything is stored on your computer, heavily encrypted, and pass-phrase (NOT pass-WORD) protected. Speaking of which, you should use a large, complicated pass-phrase for both logging in and decrypting. Mine is an entire paragraph, complete with capitals, special characters and punctuation.

      Reply
  • 1Password does the trick. Save the two passwords as two entries. Click the first to log in, then using the browser plugin you’re one click away from decrypting your mail database.

    1Password does allow you to sync through their servers or iCloud (not recommended, of course), but they also allow you to sync through your local Wi-Fi.

    Regards, Ralph

    Reply
  • We had this issue with a site we were developing: by naming the different form fields differently behind the scenes, the password manager is able to keep them separate.
    Also, if you’re an LP user, in the “Edit form fields” box (just above “OK” when you edit a site’s user/pass information) you can choose what password goes to what field on a site. Hope this is helpful.

    Reply
  • Srsly? Why would a ProtonMail user want to use a password manager? Does not compute. Do you also use iCloud or other “free storage” solutions? Very, very naive.

    Store your sheit encrypted on usb-sticks or harddrives, not in clouds. Passwords are best stored in brain or on paper (like those black “My Internet Passwords”-notebooks that we laughed so hard at 10 years ago).

    Reply
    • There are extremely safe password managers out there. Some are open source, most offer 2FA and some offer the option not to store anything in the cloud.

      Putting password managers on the same level as free, unencrypted cloud storage solutions is a faulty comparison.

      Reply
  • I am so happy and grateful for your work! I’m all set up with my email and I’m wondering if ProtonMail will be available for iPhones or other mobile devices?
    Thank you so much!
    T

    Reply
  • Dear Jason,

    You are saying that you also enjoy the convenience password managers provide. May I ask which specific one you use? Thank you in advance!

    Reply
  • IMHO the title of this article is not correct. It suggests that it should be ProtonMail’s concern to ensure compatibility with password managers. However, one could also suggest the more common alternative: that password managers should be compatible with ProtonMail. I personally think it’s very kind of the ProtonMail people to consider and try to help users with this issue, but I also think it’s not their assignment and/or problem. Just as it’s not Google’s, Microsoft’s, GMX’s (or one of the many other email providers out there) concern. Or keeping login passwords safe, for that matter…
    Furthermore, users might also research the issue a bit more thoroughly instead of immediately posting compatibility “demands” for their specific, no doubt unique, configuration.

    Our 5 cents in this matter: we’ve absolutely no problem (including auto-type) to log into ProtonMail with KeePassX.

    Thanks for the brilliant service!

    Reply
  • Hello People!

    LastPass works just fine with ProtonMail. All we need to do is save the site and password as usual; when the site asks for your mailbox password, all you have to do is fill in your mailbox password and, without pressing OK, click on the LastPass icon and select Tools > Save All Entered Data.

    A new pop up window will appear showing a field with your mailbox password in it, just click ok to save it.

    Now enjoy your ProtonMail.

    Cheers!

    Wellington Uemura

    Reply
  • I have no issues using LastPass with ProtonMail.

    Setup is easy:
    1. use LastPass for the login password
    2. In that same entry (of login password) save the Mailbox password in the field Notes
    3. From your browser LastPass extension choose the option “Copy Note”

    Reply
  • Any secure and free solution for mobile browsers? Here’s what I tried:

    1. Firefox’s built-in password manager doesn’t work for the second password.
    2. Chrome sync is insecure by default and it won’t save the second password anyway.
    3. LastPass asks for money on Android. I cannot recommend ProtonMail to other people if there’s no free option.
    4. KeePassDroid and other free password managers use Android’s clipboard, which broadcasts the password to all the games, social networks, and other apps on the phone that I forgot to uninstall. Remember that Android is sandboxing apps, which encourages people to download a lot more apps than on Windows.
    5. Typing long passwords manually with an on-screen keyboard is a pain, and such passwords would be recorded by security cameras everywhere I go.

    I think you should just put some invisible username field next to the second password and prefill it with fake username like “mailbox”. That would enable built-in password managers in browsers to work.

    Meantime I am stuck with KeePassDroid and the insecure copy via the clipboard.

    Reply
  • After the v2.0 release of ProtonMail, the built-in password manager of Firefox stopped working at the login screen. Is this a known bug, and are there any workarounds?

    Observed under Firefox 40 on Ubuntu 15.04.

    Reply
  • Hi
    I love Switzerland very much. I would like to contact Swiss people and use your ProtonMail, but I need to know: does it have any charges, or is it 100% free? Please reply.
    Thanks

    Reply
  • I tried setting up my account from the link I received, but it gives me a message that says ‘Invalid Emaill’ with a double L. I have reported this to the proton team. Any suggestions?

    Reply
  • I received your kind invitation to join ProtonMail but cannot get past “Set Up Your Account”.
    I put in my choice of passwords then press FINISH and nothing happens. Help please

    Reply
  • If your password manager supports manual adding/editing, then two different password items for ProtonMail might solve the issue. One item should contain the login/password and the login page link (https://protonmail.com/login). After entering your data it redirects you to https://protonmail.com/login/unlock, which should be added to your password manager as a separate item with the mailbox password. Disabling the autofill and autologin functions in the password manager helps to avoid confusion with the different passwords.

    Reply
  • Hi ProtonMail,

    Thanks for the invite and the “get ready, set, go” in your email to me,

    but I’ve tried everything to get going and nada; I can’t get past the second password setting.

    There is a pop-up message that says I’m still not ready to go, even though in your email you say I’m all ready to get the setup going.

    Can you please show me the ropes?

    thanks

    theinvisiblearchitect

    Reply
  • If you’re using KeePass 2 it is possible to log in automatically:
    1. Set up one entry for the login to ProtonMail.
    2. Set up another entry for the decryption password, containing only the password.
    3. Change the auto-type sequence of the login entry (the first one):
    {USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 2000}{REF:P@I: … }
    Put the UUID of the second entry at the location of the …

    Reply
      • Thank you for publishing, it is very interesting to me!

        I did everything according to your instructions.
        The first stage takes place correctly, but then, after the transition to the second screen, the password field is left blank.
        And when I do the “manual” selection of matching sites, it substitutes the password of “password” instead of “MailboxPassword”.

        I do not understand what is wrong.

        Tell me please, are you using this “auto fill ProtonMail via LastPass” now? (Maybe something has changed on LastPass or ProtonMail.)

        Reply
    • Fred,

      Thank you for the trick. This is a very valuable and useful how-to.

      Just don’t forget to add {ENTER} at the end of the string. 🙂

      Reply