With end-to-end encryption, your data is never accessible to us and only you can decrypt it using your secret password.
Not only are your usernames and passwords encrypted, but all metadata is also secure - not even Proton can access this data.
As scientists, we know that transparency and peer review lead to better security. All Proton Pass apps are open source(new window) and can be independently reviewed by anyone. Our security claims are not mere claims, but facts that can be independently verified by all.
Like all Proton services, Proton Pass has been audited by independent third-party experts, and such security reports are available to the public. Proton Pass security is also enhanced by a public bug bounty program, that invites and rewards security researchers who can identify security improvements in our apps.
Advanced security and privacy features
256-bit AES-GCM vault encryption
Passwords and other items stored in Proton Pass are kept in encrypted vaults. When you create a vault, Proton Pass generates a 32-byte random vault key that cannot be brute-forced.
Your data is encrypted with 256-bit AES-GCM which is quantum-resistant (cannot be broken by quantum computers). Nobody (not even Proton) can read or create new vault keys.
OpenPGP with ECC
In order to protect your vault key and facilitate the sharing functionality (in case you want to share a login with a trusted third party), Proton Pass uses the OpenPGP encryption standard with elliptic curve cryptography (ECC Curve25519).
OpenPGP is open source, has been audited and battle-tested for nearly 30 years, and has no known vulnerabilities. Proton’s OpenPGP implementation is also modular, to allow easy upgrading to post-quantum encryption algorithms in the future.
Proton helps people who live under governments that are hostile to privacy. Alternative routing is an advanced anti-censorship feature that allows you to access your password manager even if your government or internet service provider tries to block access.
This means that Proton Pass can work even if you travel to countries with strict internet censorship.
Passwords are only part
of the equation
Create a unique email alias for each website
By using hide-my-email aliases, in the event that any of the services where you have an account is hacked, malicious actors cannot discover your real email address.
Furthermore, if your email alias is sold or leaked by a third party, you can easily disable it to stop spam.
Metadata, such as the websites you have accounts with, is also extremely sensitive as it may reveal your email, browsing history, political views, and other information you want to keep private.
Proton Pass doesn’t just encrypt the password field but applies end-to-end encryption to all fields, including usernames, web addresses, and all data contained in your encrypted notes.
This data is never available to Proton and consequently also cannot be extracted by third parties.
We are prohibited from sharing the little user data we have with any foreign authorities, and under no circumstances, are we able to decrypt the data you save in Proton Pass.