How to Set Up Proton Pass for Maximum Security

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through these links, we may earn a commission at no extra cost to you. We only recommend tools we use and trust.

In 2024, a database called RockYou2024 leaked 10 billion passwords. Not hashes — actual plaintext passwords. If you have reused a password across even two services, there is a reasonable chance it sits in that file. Breaches are not exceptional events. They are the background radiation of the internet.

A password manager is not optional anymore. It is as fundamental as locking your front door. But not all managers are equal. Some store your vault in jurisdictions with weak privacy laws. Some have been breached themselves. Some scan your data to “improve services.”

This guide walks you through Proton Pass — not because it is the only option, but because it is the only major password manager built on end-to-end encryption, Swiss privacy law, and open-source code. No surveillance. No data mining. Your vault is yours, unreadable even to the company hosting it.

By the end of this guide, you will have a secure vault, unique passwords for every account, masked email aliases, and two-factor authentication properly configured. Total setup time: about one hour.

Before You Start — What You Need

Proton Pass is available on every major platform. You do not need to commit to paid plans to follow this guide — the free tier covers everything essential. You will need:

  • A device with internet access (desktop recommended for initial setup)
  • Access to your current password storage — browser, another manager, or a written list
  • About 60 minutes of uninterrupted time
  • A physical place to store a recovery phrase — a safe, a locked drawer, not your phone notes app

Important: Do not delete your old passwords until you have confirmed everything imported correctly. We will cover that.

Create Your Account

1 Download Proton Pass (5 minutes)

Visit privora.click/proton-pass or download the app from your device’s app store. Proton Pass is available for iOS, Android, Windows, macOS, Linux, and as browser extensions for Firefox, Chrome, Brave, Edge, and Safari.

Install the browser extension now — you will need it later.

2 Sign Up (5 minutes)

Create a Proton account. You can use an existing email address or create a new Proton Mail address during signup. If you already have Proton Mail, your Pass vault uses the same login — no separate account needed.

Choose a strong master password. This is the only password you will ever need to remember. It should be:

  • At least 16 characters long
  • A random mix of words, not a single dictionary word
  • Memorable to you but unguessable to others

Example of a good master password: correct-horse-battery-staple-47 (do not use this exact one — generate your own).

Never reuse this password anywhere else. Not for email. Not for banking. Nowhere. This one password unlocks everything else. Treat it accordingly.

3 Generate and Store Your Recovery Phrase (5 minutes)

Proton Pass will display a recovery phrase — typically 12 random words. This is your only backup if you forget your master password. Proton cannot reset it for you. They do not have it. That is the point of zero-access encryption.

Write it down. On paper. With a pen. Store it somewhere physically secure — a safe, a locked filing cabinet, a sealed envelope in a secure location. Do not photograph it. Do not store it in cloud notes, password documents, or your phone’s memo app.

If you lose this phrase and forget your master password, your vault is permanently inaccessible. There is no support ticket that fixes this. Plan for that reality.

Import Your Existing Passwords

Most people have passwords scattered across browsers, old managers, spreadsheets, or sticky notes. Consolidating them is the first security win — you cannot manage what you cannot see.

4 Export From Your Current Storage (10 minutes)

If using a browser (Chrome, Firefox, Safari, Edge):

  • Chrome: Settings → Autofill → Passwords → Export passwords
  • Firefox: Settings → Privacy & Security → Saved Logins → Export
  • Safari: File → Export → Passwords
  • Edge: Settings → Profiles → Passwords → Export passwords

If using another password manager:

  • LastPass: Account Settings → Export → CSV
  • 1Password: File → Export → All Items
  • Bitwarden: Tools → Export Vault → CSV
  • Dashlane: File → Export → Unsecure archive (CSV)

The exported file will be unencrypted. Handle it carefully. Do not leave it on your desktop. Import immediately, then delete the file securely.

5 Import Into Proton Pass (5 minutes)

Open Proton Pass. Go to Settings → Import. Select your source format (CSV, 1Password, Bitwarden, etc.). Upload the file. The import tool will map fields automatically — usernames, passwords, URLs, notes.

Review the imported entries. Check that usernames and passwords align correctly. Look for duplicates — many people have multiple entries for the same site. Merge or delete redundancies.

Once confirmed: securely delete the exported file. On Windows, use Shift+Delete. On macOS, empty Trash with Secure Empty if available. The file contained plaintext passwords. Treat it like a loaded weapon.

Run a Security Audit

Importing old passwords is only half the job. Most of those passwords are weak, reused, or compromised. Now we clean house.

6 Identify Weak and Reused Passwords (15 minutes)

Proton Pass flags weak and reused passwords automatically. Go to the Security Center or Password Health section. You will see:

  • Weak passwords: Too short, dictionary words, predictable patterns
  • Reused passwords: The same password across multiple sites
  • Compromised passwords: Known to appear in public data breaches

Start with compromised passwords — these are actively dangerous. Change them immediately. Then tackle reused passwords. Then weak ones.

Strategy for bulk updates: Do not try to fix everything today. Prioritise:

  1. Email accounts (skeleton keys to everything else)
  2. Banking and financial services
  3. Healthcare portals
  4. Social media (identity theft vectors)
  5. Work-related accounts
  6. Everything else

Use Proton Pass’s password generator for each new password. Default to 20+ characters, all character types. The generator creates them instantly. You never need to remember them — the manager does that.

7 Enable the Breach Monitor (2 minutes)

Proton Pass monitors known data breaches and alerts you if any of your stored credentials appear. Enable this in Settings → Security → Breach Monitor. It runs continuously in the background. If a service you use is breached, you will know within days, not years.

Set Up Email Aliases

This is where Proton Pass distinguishes itself from most password managers. It includes a built-in alias system — hide your real email address from every service you sign up for.

Why this matters: when a service is breached, your email address is often the first thing leaked. It becomes a target for phishing, spam, and credential stuffing. If every service has a unique alias, a breach at one does not expose your identity everywhere else.

8 Create Your First Alias (10 minutes)

When signing up for a new service, use the alias generator instead of your real email. Proton Pass offers two types:

  • Simple aliases: Random string @ your Proton Mail domain — fast, anonymous
  • Custom aliases: service-name@yourdomain.com — organised, memorable

Aliases forward to your real inbox. You can disable or delete them if a service spams you. You can see which alias leaked if you start receiving phishing emails.

Pro tip: Create a naming convention. amazon@yourdomain.com, spotify@yourdomain.com. If you receive a “Amazon security alert” to an alias that is not amazon@, you know instantly it is phishing.

The free tier includes 10 aliases. Paid plans offer unlimited. Start with your most sensitive accounts — banking, healthcare, government services.

Enable Two-Factor Authentication

A password manager secures your credentials. Two-factor authentication (2FA) secures access to the manager itself. If someone somehow obtained your master password, 2FA stops them cold.

9 Enable 2FA on Proton Pass (5 minutes)

Go to Settings → Security → Two-Factor Authentication. Choose an authenticator app — Proton Pass can store TOTP codes itself, or you can use a separate app like Aegis (Android) or Raivo (iOS).

Do not use SMS-based 2FA. SIM swapping attacks are common and effective. An authenticator app generates codes locally on your device. No phone number to hijack.

Scan the QR code. Save the backup codes Proton provides. Store them with your recovery phrase — physically, offline.

10 Store 2FA Codes for Other Accounts (10 minutes)

Proton Pass can store TOTP 2FA codes alongside your passwords. This is convenient — one unlock gives you password and 2FA code. It is also a concentration of risk — if your vault is compromised, both factors are lost.

Our recommendation: Use Proton Pass for low-to-moderate sensitivity accounts. For critical accounts — email, banking, primary Proton account itself — use a separate authenticator app. This separates the factors. A breach of one does not automatically breach the other.

Move through your priority list from the security audit. Enable 2FA everywhere that supports it. Most major services do now. If a service only offers SMS, pressure them to improve or consider whether they deserve your data.

Configure Autofill and Browser Extension

A password manager is only useful if you actually use it. Autofill removes friction. The less friction, the less temptation to fall back to memorising or reusing passwords.

11 Configure the Browser Extension (10 minutes)

Open your browser extension settings. Ensure:

  • Autofill is enabled for login forms
  • The extension can detect new passwords and offer to save them
  • Autofill is disabled on untrusted or phishing-prone sites (use your judgment)
  • The extension icon is visible in your toolbar for quick access

Test it. Visit a site you have stored credentials for. The extension should offer to fill username and password. If it does not, check that the stored URL matches the site domain exactly.

On mobile: Enable Proton Pass in your device’s autofill settings (iOS: Settings → Passwords → AutoFill Passwords; Android: Settings → System → Languages & input → Autofill service). This integrates Pass with apps and mobile browsers.

12 Set Default Behaviour (5 minutes)

Decide your workflow:

  • For new accounts: Always generate a new password and alias through Pass. Never type your own.
  • For password changes: Use Pass’s generator. Update the entry immediately.
  • For shared devices: Lock your vault when not in use. Set auto-lock to 10 minutes of inactivity.

Set Up Recovery and Emergency Access

Security is not just about keeping attackers out. It is also about ensuring you can get back in if something goes wrong.

13 Verify Your Recovery Phrase Storage (2 minutes)

Confirm your recovery phrase is where you left it. Can you find it in the dark, under stress, three years from now? If not, relocate it.

Consider a second copy stored in a different physical location — a trusted family member’s safe, a bank deposit box. Not a photo. Not a digital file. Paper, pen, physical security.

14 Set Up Emergency Access (Paid Feature) (3 minutes)

If you upgrade to a paid plan, Proton Pass offers emergency access. Designate a trusted contact who can request access to your vault if you are incapacitated. They cannot see your passwords normally. They can only request access, which you approve — or which auto-approves after a waiting period you set if you do not respond.

This is not about trust. It is about continuity. If you are hospitalised, your family may need access to insurance portals, utility accounts, financial services. Emergency access provides that without sharing your master password.

Ongoing Maintenance

A password vault is not a set-and-forget tool. It needs light, regular attention.

  • Monthly: Review breach monitor alerts. Change any compromised passwords immediately.
  • Quarterly: Run the security audit. Check for new weak or reused passwords. Clean up duplicates.
  • Annually: Review your account list. Delete entries for services you no longer use. Update any passwords you have not changed in over a year.
  • After any breach news: Check if affected services are in your vault. Change those passwords even if the breach monitor has not flagged them yet.

The maintenance burden is low — perhaps 15 minutes per quarter. The alternative is discovering a reused password has been breached two years after the fact.

The “Is My Vault Secure?” Checklist

Print this. Tick it after setup and quarterly thereafter.

Frequently Asked Questions

What if I forget my master password?

Use your recovery phrase to regain access. If you have lost both your master password and your recovery phrase, your vault is permanently inaccessible. Proton cannot help. This is the trade-off of zero-access encryption — no one can decrypt your data without your keys, including the provider. Store your recovery phrase accordingly.

Can Proton see my passwords?

No. Your vault is encrypted on your device before it ever reaches Proton’s servers. They store encrypted data they cannot read. This is not a policy promise. It is enforced by the encryption architecture. Even under legal compulsion, Proton can only hand over encrypted data — unreadable without your keys.

Is the free tier enough?

For most individuals, yes. The free tier includes unlimited passwords, 10 email aliases, one vault, and the breach monitor. Paid plans add unlimited aliases, multiple vaults, emergency access, and priority support. If you manage passwords for a family or small business, or you want the organisational features of multiple vaults, the paid plan is worth it. Otherwise, start free and upgrade when you hit a limit.

What makes Proton Pass different from Bitwarden or 1Password?

Jurisdiction and architecture. Proton is Swiss — outside EU and US surveillance agreements. Its code is open source and independently audited. The alias integration is unique — most managers do not include email masking. 1Password is closed source and US-based. Bitwarden is open source and US-based. All three are technically competent. Proton Pass offers the strongest privacy guarantees.

Should I store 2FA codes in Proton Pass or a separate app?

For convenience, Proton Pass. For maximum security, a separate authenticator app for critical accounts. The risk of storing both factors in one place is that a single compromise defeats both. The risk of a separate app is forgetting which app holds which code. Our recommendation: separate app for email, banking, and your Proton account itself. Proton Pass for everything else.

Can I share passwords with family or colleagues?

Yes, via shared vaults (paid feature). Create a vault for household accounts — streaming services, utilities, insurance — and share it with family members. Each member sees the passwords but cannot access your personal vault. For one-off sharing, Proton Pass supports secure link sharing with expiry dates.

Conclusion — One Hour, One Habit

A password manager is not exciting. It will not make headlines. It will not impress at dinner parties. But it will prevent the quiet, devastating moment when you discover a reused password has been breached and cascaded through half your digital life.

Proton Pass is not the only password manager. It is the one built on encryption you can verify, jurisdiction you can trust, and a business model that does not require reading your data. The setup takes an hour. The maintenance takes minutes per quarter. The protection lasts as long as you use it.

Start with your email account. It is the skeleton key to everything else. Generate a new, unique password. Store it in Pass. Enable 2FA. Then move to banking. Then healthcare. Then everything else. One account at a time.

The alternative is not “no password manager.” The alternative is your browser remembering passwords in plain text, your memory reusing the same three passwords, and your inbox filling with breach notifications you cannot act on because you do not know which password was where.

An hour today. Peace of mind for years.

Get Started with Proton Pass →

Free to start. End-to-end encrypted. Swiss privacy from day one.

Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through these links, we may earn a commission at no extra cost to you. We only recommend tools we use and trust.

Karel at Privora
Karel at Privora

I write about digital privacy the way I'd talk to a mate at the pub; straight, practical, and without the tin-foil hat stuff. If your email provider reads your messages, your ISP sells your browsing history, or you're still reusing passwords from 2014, we've got work to do.