Is any of it still recoverable?

If i clear out the trash, what is the likelyhood of it being recoverable? Are these TMP files being trashed, is it normal DEL procedure?

Raising the bar on security

I have checked my mobile connections and I have seen that Enpass has connected to an Amazon AWS related IP in Ireland. I would like to know if it is normal and if Enpass works with these servers.

Thank you.
 

As I understand it, I can only have 1 vault per cloud account AND sharing Primary vault isn't allowed. 
I therefore need to have a second cloud provider and account in order to set up a secondary vault.  ie. A different account on the same cloud (eg Dropbox) as the primary vault, is NOT allowed.  
Are the above statements correct ? 

If they are, and given I already actively use Dropbox and Onedrive and Icloud - and NEITHER of the accounts are shareable in that my wife ALSO uses those same providers independently, and we share folders. Am I correct in saying that enpass is incapable of utilising the Cloud folders that are shared and requires a separate shared cloud account UID/Login and a shared Vault password. The cloud account being from a cloud provider DIFFERENT from the cloud used for each persons Primary vault.   
Therefore to have a shared Vault I will need to find a 4th Cloud provider.  I don't use GoogleDrive but I do use and have a Google Account that is NOT shareable. So I'm running out of Cloud providers to set up a standalone single app access cloud where we can share a login. FOR FREE !!.   
Is this correct? 

If not please advise what I am missing.  I had hoped to use a shared dropbox login, but I am unable to set up a vault on a second Dropbox account from the enpass desktop(windows). It tells me I need a different cloud account.   

Having bought and paid for this family licence, and moving over from 1password, I was hoping for a simpler scenario.  I'm embarrassed to say I didn't do as much homework as I thought and had NOT realised the restrictions on sharing.  ie. The actual LOGIN must be shared.  All Cloud providers allow the sharing of folders but enpass cannot utilise that feature. Crazy eh!! 

THE GOAL. 
To have my wife and I to have access via iphone and Laptops, to a common shared vault. And to be able to sync across ALL as required. ie. if she changes a p/word then I can see the change. Simples - you'd think.  Basic you'd think.  I'm struggling.   

AND
Given ALL cloud providers need 2 phase authentication when you login.  If we share a cloud account.  How do we BOTH acknowledge the 2 phase authentication.  Is this an issue or does the Enpass login bypass this somehow? 

Is this now fixed in all Enpass Browser Extensions?
This is only mentioned in the release notes for the Chrome Extension (6.11.6):
„Fixed a clickjacking vulnerability in the extension by preventing popover windows from overlaying the inline menu (Reported by Marek Tóth)“

Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. 

Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product?

Thanks,
Gili

running ClamXav on my newly setup M1 MacBook Air I got the message that Enpass would be infected with Trojan.OSX.Agent. The app was quarantined. To confirm (and as I wasn't sure which version - download or Apple AppStore - I was using) I first downloaded the App from the enpass.io website to get the same result again. Installing Enpass via Apple App Store gave a clean version that wasn't infected as of ClamXav.

Kindly check on the supplied version of your website and mitigate the risk for my fellow macOS users.

I would consider upgrading to Premium (although I don't see that I require the benefits that Enpass touts I would get) but since I can't get the website for a single Breach alert, I'm not convinced that I would get the website even after upgrading. I'm not sure why I would get a Breached alert if I would need to upgrade to fix it.

I'm concerned that there was some sort of Breach but I can't resolve it since I don't know where it came from. I manually walked through all 132 items to see if anything showed as a Breach but nothing showed a Breach.

I'm running Windows 11 with Enpass 6.11.10(1948) and Android version 13 with Enpass 6.11.10.1096

How do I get the website that has been Breached?

https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x

I did another slightly more sophisticated test.

I opened the “enpass” process (password manager that I currently use) with HxD ( HxD - Freeware Hex Editor) I copied a password that is this “secret_password” then I blocked enpass and as if by magic the password continues to be stored in the memory of the enpass process even when it is closed.

Screenshot 2024-11-25 215729993×561 169 KB

After 10 minutes with enpass locked the password continues to remain in unencrypted memory,
I also tried with keepass and the same thing happened with the database locked.
So be careful if you use enpass and keep

Thank you for your help.

Klaus

https://discussion.enpass.io/index.php?/topic/27234-password-strenght/#comment-77241

They list several password checker sites, which all show a password as strong but which Enpass shows as weak. I would add these to the list:
https://www.passwordmonster.com/
https://nordpass.com/secure-password/
https://bitwarden.com/password-strength/

The answer in that other post was the following:
"Different password strength checkers use different ranges and algorithms to estimate strength of a password. Please go through this link to see how Enpass
estimates strength of a password."

For me, I feel that this misses the point somewhat. The point for me is to answer the following:

• Do we agree to the original point, which is that all these other sites are providing more favorable assessments than Enpass?
• Do we agree, alone or in aggregate, that these sites provide assessments that we can rely on? i.e. if they say a password is strong, then it is strong? If they say it takes centuries to crack a password, then that is what it takes?
• Do we agree that this results in more unwieldy passwords when following Enpass advice?
• Are these unwieldy passwords warranted, or are they unnecessarily long and complicated? In the case of a three-word passphrase, should we really keep inflating a supposedly "weak" password to 4 or 5 or 6 or 7 words (and only 8 actually seems to induce an "excellent" rating in Enpass) when all these other password checkers say the three-word passphrase is STRONG and will take centuries to crack?

In the end, I find myself having to exit Enpass and go over to these websites to feel confident that the password complexity is really necessary. Please, I hope no one says that ever-longer passwords "can't hurt." They do. They lead to non-compliance amongst many other things I'm sure, I don't pretend to be an expert. But I know this: not everyone in my family uses password managers. I'm trying to convince them, but we're not there yet. However, they do let me help register some accounts for them and even keep their credentials in Enpass for them, in case they forget. But for them they just enter passwords manually. Unnecessarily long passwords do not work. They just change them to something really ridiculous.

Finally, if I'm on someone else's laptop with them, and need to log into one of my accounts, I'm stuck too. I can look up the password on my phone, sure, but now I have to type it all out, looking back and forth the whole time, and losing my place, often meaning I have to do the whole thing all over again. Shorter passwords would be great.

So... it's a valid question. Can I work with Enpass Generator and all the automated filling and other features, or do I instead need to go to these other sites?

Thank you to anyone who responds this weekend, I would normally submit this question directly to Enpass support but they are closed and it would be ideal to get some input now. Thanks

Thanks!

If Enpass is not able to add proper spam detection to their forums or at least human supervision that reacts in a time frame distinctly under 24 hours – why should potential customers trust Enpass security if the public representation to user seeking for support is so bad?

Should we not be thinking about this for our own password tools now too. 

If your passwords/notes are stolem now and decoded in 20 years, its still an issue. Thoughts?