ProtonMail introduces login and encrypted mail with the same password
The secure e-mail service ProtonMail has implemented an update that makes it possible to use the same password for logging in and sending e-mail. Until now, this required two different passwords.
The Swiss company states that two passwords are inconvenient because users have to remember both of them and because this often causes problems with password managers. Using two passwords alongside two-factor authentication at login was also difficult, the company said. It has therefore decided to make the new feature the default setting, while keeping the old way of logging in available for users who don't want to abandon it.
ProtonMail reports that the new feature has no impact on the security of its service. The feature works by deriving the password for decrypting e-mail from the login password using a salted hash. The salt comes from the server and is not stored on the user side. In this way, the company wants to prevent an intercepted e-mail password from leading to the login password being cracked.
For logging in with the login password, ProtonMail uses the SRP protocol, whereby the password itself is never sent over the network and therefore cannot be intercepted, according to the company. ProtonMail came out of beta in March and allows users to send encrypted e-mail messages with a free or paid account. In addition, the company itself claims to have no insight into the e-mails, because end-to-end encryption means they are also stored encrypted on the server. The service has apps for both iOS and Android.
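The derivation described above (mail-decryption password computed from the login password with a server-supplied salt) can be sketched as follows. This is an added example, not ProtonMail's code: the article only says "a hash with salt", so PBKDF2-HMAC-SHA256, the iteration count, and the names `Server`, `derive_mailbox_secret` and `client_unlock` are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; the article does not give one


def derive_mailbox_secret(login_password: str, key_salt: bytes) -> bytes:
    """Client side: slow salted hash of the login password.
    PBKDF2-HMAC-SHA256 is a stand-in for the unnamed 'hash with salt'."""
    return hashlib.pbkdf2_hmac(
        "sha256", login_password.encode("utf-8"), key_salt, ITERATIONS, dklen=32
    )


class Server:
    """Constructed stand-in for the mail server: it holds only the salt,
    never the login password or the derived mailbox secret."""

    def __init__(self) -> None:
        self._salts: dict[str, bytes] = {}

    def register(self, user: str) -> None:
        # Random per-account salt, generated once and kept server-side.
        self._salts[user] = secrets.token_bytes(16)

    def salt_for(self, user: str) -> bytes:
        return self._salts[user]


def client_unlock(server: Server, user: str, login_password: str) -> bytes:
    """A device stores no salt: it fetches it after login and derives locally."""
    return derive_mailbox_secret(login_password, server.salt_for(user))


def demo() -> dict[str, bool]:
    server = Server()
    for user in ("alice", "bob"):  # constructed sample accounts
        server.register(user)
    pw = "correct horse battery staple"  # constructed sample password
    a1 = client_unlock(server, "alice", pw)
    a2 = client_unlock(server, "alice", pw)  # second device, same account
    b = client_unlock(server, "bob", pw)  # same password, different account
    wrong = client_unlock(server, "alice", pw + "!")
    return {
        "same_across_devices": hmac.compare_digest(a1, a2),
        "differs_per_account": not hmac.compare_digest(a1, b),
        "not_the_login_password": a1 != pw.encode("utf-8"),
        "wrong_password_differs": not hmac.compare_digest(a1, wrong),
    }


if __name__ == "__main__":
    print(demo())
```

Because the derivation is one-way and salted per account, a captured mailbox secret can only be tested against password guesses one slow hash at a time, and only by someone who also has that account's salt.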