1·
2 months agoIf something is weak, it is Proton’s knowledge of password strength. For example, they call a 16-character password without special characters “weak,” which has around 95 bits of entropy, so this doesn’t make sense. They also overemphasize the role of special characters in passwords, as just increasing the password length by a single character would add more entropy than enabling special characters. Furthermore, many of Proton’s articles regarding password strength contain a lot of misinformation. This one talking about password entropy might be their worst yet. You cannot seriously claim that a single word, “Bankruptcies,” has 68.4 bits of entropy, which also isn’t the only inaccurate claim that the article makes.
Since the vault is end-to-end encrypted, it shouldn’t matter where it is hosted, even if it is in the cloud. Here is what a security researcher and a password cracker Jeremy M. Gosney has said about this after the LastPass incident.
”Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn’t do that, of course, but the point is the vault should be just that – a vault, not a lockbox.”