[littlecranky67]

This is a problem of encrypted storage in general (and hopefully homomorphic encryption will solve that), but I knew this and for me that is a feature, not a bug. I use 2-step password auth (NOT 2FA) explicitly so no one can read my emails without my consent - not the provider, nor the government.

[illiac786]

Can you elaborate on how the second password improves the privacy/security posture? I might switch to it.

[desipenguin]

I am assuming that the second password is like decryption key. I have saved the second password as "mailbox password"

The way I interpreted is that first password is for the account, so verify I am who I say I am. But since the emails are encrypted, browser can't show my messages in human-readable form. Second/mailbox password decrypts it and shows the emails in human readable format.

This is just a guess.

I would love to hear about second password from other/more knowlegeable folks.

[illiac786]

ah, ok, but that’s not what this is for.

Proton does not have access to your email contents, no matter if you use one or two passwords. They do not have you password, neither the first one, nor the second one, they have a hash of it, to be able to verify you have types the correct password. Only the actual password (the first one or the second one) can decrypt email content. Decryption only happens in the browser (Or in the proton app).

Of course you need to trust them on this, it’s difficult to verify, but it as been audited multiple times.

The second password is an old vestige of the time where they couldn’t manage to use a single password for both authentication and decryption.

I use the second one as well, but I use it so I can use VPN on some common devices the family use as well, without having to enter the second password. So if the family device is lost or compromised, only my first proton password has ever been used on it.