AFAIK when you log in to Proton, you send them your password, they do the standard hashing and checking against the hash stored in their database, and if it matches them they let you log in by sending you a token of some sort.
If the your password is your encryption key, and if at some point Proton needs your plaintext password in order for you to log in, then doesn’t that mean they still have a way to access your data? They could take the plaintext password and decrypt everything in your account without you knowing, right?
You must log in or # to comment.
“To solve this problem, we have re-engineered our entire login process to never send the login password to our server, which has the added benefit of helping protect against MITM (man-in-the-middle) attacks.”