Rewiring

Moving from Bitwarden to Proton Pass

Now that my photos and emails have been relocated to Europe, it's time to move my credentials too.

Bitwarden has been my password manager for many years. It provides a very smooth experience, is frequently audited, and supports open source. Although there may be something happening behind the scenes that has some people worried, my reason for switching is only due to my intended European migration, as Bitwarden is a US company.

There are luckily some European players at the password manager table. I ended up with Proton Pass (a Swiss company) for two main reasons. First, Proton is a known player in the security space with a good reputation and established products. Second is their built-in email masking system, which I'll describe later.

One can also self-host e.g. Vaultwarden, or use something like KeePassXC with a file sync service to keep the database available on multiple devices. Having full control is certainly nice, but it also means full responsibility. To me the reduced overhead and ease of access of a paid service won out.

The migration

Having decided on Proton Pass I immediately hit a wall - my newly minted email domain was blocked from registering an account. I had an inkling that the domain was simply too fresh, and sure enough, after a few hours I tried again and it passed.

Moving the data is simple enough: use Bitwarden's export tool to create a .json dump, then upload it to Proton Pass with its Bitwarden import tool. Remember that the plain JSON export holds every credential in cleartext, so write it somewhere it won't linger (a tmpfs or an encrypted volume rather than a regular SSD partition, where deleting or even shredding a file doesn't reliably remove its blocks) and delete it as soon as the import has been verified.

Note: the export dump does not contain attachments, so those have to be handled separately.

The import unfortunately does not recreate the vault/directory structure, so everything ends up in a single directory. From there you can create new vaults, set sharing as you wish, and move everything back to their places.
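A small pre-migration check I'd run over the export before destroying it, as an added example (not from the post, and not Proton or Bitwarden code). It assumes the field layout of Bitwarden's unencrypted JSON export (`folders` with `id`/`name`, `items` with `folderId`, `type`, `name` and `login.username`) and, because the export itself carries no attachments, a separate `bw list items` dump whose items have an `attachments` list; both inputs here are constructed samples with no real secrets. It builds a folder-to-item manifest that contains no secrets, so it can be kept to rebuild the vault layout after the flattening import, lists which items have attachments to move by hand, and finds logins whose username is still an address on the old mail domain.

```python
"""Pre-migration review of a Bitwarden JSON export (added example, not from the post).

Assumes the layout of `bw export --format json`: top-level "folders" (id, name) and
"items" (id, folderId, type, name, login{username, uris}). Attachment metadata is
assumed to come from a separate `bw list items` dump whose items carry an
"attachments" list; the export itself has none.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of a Bitwarden JSON export (no real secrets).
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [
        {"id": "f-1", "name": "Work"},
        {"id": "f-2", "name": "Family/Shared"},
    ],
    "items": [
        {"id": "i-1", "folderId": "f-1", "type": 1, "name": "Jira",
         "login": {"username": "jira.a1b2@fastmail.com", "password": "x",
                   "uris": [{"uri": "https://example.atlassian.net"}]}},
        {"id": "i-2", "folderId": "f-2", "type": 1, "name": "Bank",
         "login": {"username": "bank.c3d4@fastmail.com", "password": "y",
                   "uris": [{"uri": "https://bank.example"}]}},
        {"id": "i-3", "folderId": None, "type": 2, "name": "Recovery codes",
         "secureNote": {"type": 0}, "notes": "..."},
    ],
})

# Constructed `bw list items`-style dump, reduced to the fields used here.
SAMPLE_LIST_ITEMS = json.dumps([
    {"id": "i-1", "attachments": []},
    {"id": "i-3", "attachments": [{"id": "a-9", "fileName": "codes.pdf", "size": "1234"}]},
])

ITEM_TYPES = {1: "login", 2: "note", 3: "card", 4: "identity"}


def folder_manifest(export: dict) -> dict[str, list[str]]:
    """Map folder name -> item names (with type); unfiled items go under '(no folder)'.

    The manifest holds no secrets, so it can outlive the dump and guide the
    re-sorting into vaults after an import that flattens the structure.
    """
    names = {f["id"]: f["name"] for f in export.get("folders", [])}
    manifest: dict[str, list[str]] = defaultdict(list)
    for item in export.get("items", []):
        folder = names.get(item.get("folderId"), "(no folder)")
        kind = ITEM_TYPES.get(item.get("type"), "other")
        manifest[folder].append(f"{item['name']} [{kind}]")
    return {k: sorted(v) for k, v in sorted(manifest.items())}


def items_with_attachments(list_items: list[dict]) -> dict[str, list[str]]:
    """Map item id -> attachment file names, for items that have any.

    These are not in the JSON export and must be downloaded and re-uploaded by hand.
    """
    return {
        it["id"]: [a["fileName"] for a in it.get("attachments", [])]
        for it in list_items
        if it.get("attachments")
    }


def logins_on_domain(export: dict, domain: str) -> list[tuple[str, str]]:
    """(item name, username) for logins whose username is an address on `domain`.

    Handy for listing registrations that still point at the old mail provider's aliases.
    """
    suffix = "@" + domain.lower()
    found = []
    for item in export.get("items", []):
        user = (item.get("login") or {}).get("username") or ""
        if user.lower().endswith(suffix):
            found.append((item["name"], user))
    return sorted(found)


def review(export_json: str, list_items_json: str, old_domain: str) -> dict:
    """Run all three checks; refuse the encrypted export format, which the import tool can't read."""
    export = json.loads(export_json)
    if export.get("encrypted"):
        raise ValueError("encrypted export: use the plain JSON export for the import tool")
    listed = json.loads(list_items_json)
    return {
        "manifest": folder_manifest(export),
        "attachments": items_with_attachments(listed),
        "old_domain_logins": logins_on_domain(export, old_domain),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EXPORT, SAMPLE_LIST_ITEMS, "fastmail.com"), indent=2))
```

Run it against the real export (and `bw list items --raw` for the attachment list) from the same tmpfs the dump lives on, keep only the printed manifest, and delete the dump once the import count matches.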

Browser extension

Browser autocomplete is a key feature of password managers for me. They handle domain verification, ensuring I don't copy-paste secrets into phishing sites. I feel this offsets the non-zero risk of something stealing data through the extension.

Proton Pass does have a browser extension for the major browsers, and setting it up on Firefox and Zen went smoothly.

No keyboard shortcuts? WTF

I was going to write myself a TODO here to configure the keyboard shortcuts, but apparently they don't have any. Why!?

I didn't even think to check as this is such basic stuff. A PR might bring this, hopefully soon, but seriously. Accessibility, anyone?

Android

The Android app setup was not without issue either. In the account setup I had configured 2FA with my two Yubikeys, but guess what: the Android app does not (yet) work with hardware keys. It kept prompting me to give the six-digit TOTP code, from a TOTP secret I'd never even set up. Apparently it decided that since I'd set up 2FA, it had to use the only mechanism it had available, locking me out of the app.

After a while I gave up and registered the TOTP with my Bitwarden, which is kinda problematic, since that will expire by the end of the year... Hopefully Proton will add physical key support before that.

After that it was fortunately smooth riding to start using the app in earnest.

I feel like the autocomplete has some issues, at least on Firefox. Many times I've gotten the prompt to fill a credential from Proton Pass, tapped on it, and the username is not placed. I've had to go to the app to copy the username many times already. Luckily the password input at least seems to work better.

Email masking

As I mentioned in the Fastmail post, I've generated a lot of per-site anonymous email aliases.

There are two models for this. First, as with Fastmail, the email provider creates these aliases itself, and (hopefully) allows clients like Bitwarden to request new aliases as they're needed.

Alternatively you can add another service between the site and your actual email as a proxy, letting that service handle the email forwarding. This is what Proton Pass and e.g. Firefox Relay do.

An external email proxy does help if you have to move your primary address to another provider and don't have your own domain set up: you point the proxy at the new address and touch nothing else.

On the other hand the proxy becomes a critical part of your email service, as it has to work in order for you to receive your mail.

Due to this additional dependency I'd prefer for the email provider to do this instead of using a proxy. On the other hand, this particular migration would've been trivial if I'd used a proxy before...

Anyway, my new email provider does not offer masking, so an external proxy was the way to go. As mentioned, there are other providers of such masking, but I went with Proton Pass, since I didn't find other European ones (let me know if there are, so I can mention them here). Being built into the manager, it's also easy to use.

This does tie me a bit tighter into the Proton ecosystem than I'd like, but seems worth it at least for now.

The verdict

I've been using Proton Pass for about two weeks now, and mostly I'm content. The usability issues are grating (and disappointing!) after the smooth experience of Bitwarden, but most of the time the thing works as expected.

My Bitwarden subscription was $4/month (per user; for now I've only spoken about moving my data, but naturally I've lobbied my family to join these services too...) and Proton Pass Plus costs $3, so there are marginal savings in the migration.

All in all I think it is currently the inferior product, but still I feel confident that the move was justified.

What's next

Now that the service is set up and the data migrated, the true work can begin. Going through all @fastmail.com registrations, deciding if they're worth keeping and if so, changing the emails to the new aliases will take hours. Still, it's a good chance to do some long needed spring cleaning and maybe rotate some passwords too, enable 2FA, passkeys...

As for the larger migration, now I need to bring the rest of the herd with me - and that's a topic for a future post.

Thoughts, comments? Send me an email!

#europe #security #tech