Check it out for yourself and let us know what you think!

Most people use passwords every day, so it’s easy to forget that they can cause an extraordinary amount of damage if not managed properly. Most teams know they should use strong passwords, avoid reuse, enable two-factor authentication (2FA), and store credentials securely. But password-related breaches happen every day, not only in large enterprises but also in small teams managing a growing mix of SaaS tools, shared accounts, and fast-moving workflows.

Our latest Proton Pass blog examines why password-related breaches still happen: https://proton.me/business/blog/password-security

Recurity Labs (ISO 27001-certified) conducted a comprehensive security audit of all Proton Pass apps between January and April 2026 and rated our security posture as "well above par." No remote exploits or encryption bypasses found. 

The audit found:

✅ No remote exploits: Users cannot be hacked simply by visiting a malicious website or clicking a link.

✅ No encryption bypasses: Attackers can't use shortcuts, backdoors, or weak keys to bypass the encryption layer. 

Security audits are primarily an opportunity to test and improve our implementations. We're grateful to the auditors at Recruity for helping us identify several areas for improvement beyond the core security requirements. 

Proton took these findings seriously and chose to implement fixes even for areas that fell outside our immediate threat model. 

During the retest, the desktop memory-handling issues were all resolved, demonstrating our commitment to acting on expert feedback and continuously improving our security posture."

You can read more, as well as access the audit on our blog: https://proton.me/business/blog/proton-pass-audit-2026

Happy World Password Day! On this day, observed annually on the first Thursday of May, we talk about passwords, why they're good, and how they can be better.

The idea originated from security researcher Mark Burnett, who proposed a “password day” in his 2005 book Perfect Passwords. Intel Security picked it up in 2013 and officially declared the first Thursday in May as World Password Day. Today, it is recognized globally by governments, corporations, schools, and cybersecurity organizations.

Let's talk about something that happened yesterday. A security researcher disclosed a serious vulnerability in how Microsoft Edge handles stored passwords.

When people storing passwords in the browser open Microsoft Edge, it loads every single saved password into memory in plaintext form. All of them. Decrypted and readable. All at once.

This doesn't sound like much until you understand what it means for security.

When passwords are stored on your device, they should be encrypted; when you need to use a password (like for autofill) the browser eventually has to decrypt it back into readable form. That's normal and expected.

The question is: how much password data should become readable at once?

Edge decrypts and loads all passwords into memory when the browser starts up. They just sit there in plaintext form, all the time you're using the browser.

The researcher tested this across multiple Chromium-based browsers and found that only Edge behaves this way.

Why This Is Dangerous

If an attacker gained sufficient access to your system, through malware, a compromised application, or physical access, they could inspect the browser's memory and potentially access all your passwords at once.

When this was disclosed, Microsoft said this behavior is "by design."

If you know someone who is using Edge's password manager, here's what they should do:

1. Stop using Edge's password manager - Switch to a dedicated password manager that's designed for security
2. Export passwords - Import them into a secure alternative
3. Delete them from Edge - Don't leave them in a vulnerable state
4. Change critical passwords - Update passwords for email, banking, finance, admin accounts, and work accounts. Make them unique.
5. Enable 2FA or passkeys - Add an extra layer of protection where available

If it's an IT team:

• Disable browser password storage across the organization
• Switch to a centralized business password manager
• Consider this when evaluating browser policies

Happy World Password Day. May your credentials be both encrypted until needed, and treated with the security they deserve.

Read our full piece on this: https://proton.me/business/blog/microsoft-edge-passwords-exposed

UPDATE: We are aware of reports of Proton Drive for Windows users experiencing sync issues after enabling post-quantum encryption. We've temporarily disabled the opt-in to this feature and a fix is in progress. We will provide an update as soon as possible. Thank you for your patience!

Hi everyone,

We’ve just added support for post-quantum encryption in Proton Mail.

Quantum computers aren’t yet capable of breaking today’s encryption, but the risk isn’t theoretical. One reason is “harvest now, decrypt later”, where encrypted data can be collected today and stored until it becomes easier to break in the future.

With this update, you can now enable post-quantum-ready keys for new encrypted emails. This is optional and available on all plans, including free.

A few things to keep in mind:

- Right now, it applies to new encrypted emails going forward (it doesn’t re-encrypt old messages)

- Old message are not yet re-encrypted but will be in a later migration

- Key management works the same way as before

You can learn more here: https://proton.me/blog/introducing-post-quantum-encryption

And see how to enable it here: https://proton.me/support/mail-post-quantum-protection

We’re also starting the transition toward OpenPGP v6 to support newer cryptographic standards.

This is something many of you have been asking about as post-quantum cryptography becomes more relevant.

Let us know what you think in the comments below, and keep the feedback coming. 

Dear Proton supporters,

Our annual survey is back and, if you answer it, then your input will directly inform our plans for the year ahead.

We want to know:

- How your experience with Proton has been

- What features and improvements matter most to you

Like last time, we've also included a few questions to help us learn about the people who make up our community. Skip anything you're not comfortable sharing. Whatever you tell us stays aggregated and anonymous.

Because we don't track our users, surveys like this one are the only way we can learn about the people we're building for. Your answers help us make sure our products actually meet the needs of our community, not just who we imagine our community to be.

The survey is anonymous and takes about 5 minutes to complete. Submissions are first come, first served, so once we reach our limit, the survey closes automatically.

Thank you for being part of this. A better internet doesn't build itself.

Survey: https://form.typeform.com/to/X98zpbtI 

Stay secure,
The Proton Team

Hey everyone,

Two of the most aggressively monetized data categories in consumer tech are weather and finance.

Free weather apps have been caught for years selling user location data to advertisers and brokers, effectively turning your forecast checks into a location history. Finance apps log every ticker you check, which is a near-perfect signal of what you're researching, holding, or about to trade on.

Most AI assistants treat those queries the same way: logged by default, often fed back into training data.

We've just added weather and finance widgets to Lumo, surfaced directly inside your chat, and we wanted to make sure these features didn't carry the same baggage.

What's new:

• Weather widget: current conditions and forecasts for any location
• Finance widget: stocks, currency pairs, and indices

As always, your prompts aren't logged, used to train any model, or shared with third parties, and your chats are stored with zero-access encryption. That means Lumo isn't building a behavioral profile based on where you're going this weekend or what's on your watchlist.

As always, your feedback shapes what we build next. Let us know what you'd like to see.

Stay safe,
Proton Team

In our newest video, we break down Jeffrey Epstein’s spy network. The surveillance companies he funded. How he used surveillance to affect geopolitics. How those on Epstein island were trapped by a secret spying camera network.

Finally, we ask: how did Epstein benefit?