Data Security

Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. Here's what happened On April 7, 2025, security researcher Marek Tóth contacted Enpass to responsibly disclose a clickjacking vulnerability in the Enpass browser extension. Clickjacking is a web-based attack where a malicious site tricks users into clicking something unintended. In this case, a malicious webpage could exploit the vulnerability to trick a user into stealing a credential stored in Enpass by altering the attributes such as…

Does Enpass ensure that a corrupted database is not synced to the cloud? I want to be sure what happens in the worst case and if my database is corrupted somehow having that broken database synced to the cloud and thus overwrite a good version would be really bad. Since I can only sync to one cloud provider I'd have no way back in this case.

Just a thought I'd like to share. With the introduction of time-based OTP in Enpass, you are able to use your one-time passwords from within the Enpass client. While this saves time for browsing to another OTP client (such as Google Authenticator), it does decrease the level of security. One-time passwords are usually used as the second factor of two-factor authentication. In most cases, these two factors are 'something you know' (your password) and 'something you have' (your phone with the OTP app on it). With the integration of OTP in Enpass, these two separate factors become one as they are both 'something you know/have/stored in the Enpass database'. …

I do not want to save all my passwords in the Enpass application because it's not open source. I like that it looks great on linux, android and ios. I'd happy to pay for the apps. But how can I be sure, that it does everything right?

I would like to increase the number of PBKDF2 iterations used.

Hi Enpass Team, as you claim everywhere that Enpass is based on SQLCipher, an opensource technology, I decided to look by myself (not that I don't trust you, but i'm curious ;)). So, I installed sqlcipher and opened the database. It was easy to find the right parameters to decrypt the DB: PRAGMA cipher_default_kdf_iter = 24000; PRAGMA kdf_iter = 24000; PRAGMA key = '<PASSPHRASE>'; But now, I can't find where are the passwords. I would have thought they would be in the Cards table in the Data field, but it's obviously not, as (almost) all my Data fields have the same value. The passwords does not seem to be in the other tables. So, where are they? …

So I made an account quickly to ask if the same thing also the issue with Enpass. Via Dutch website www.tweakers.net and on www.nu.nl newsarticles today have been published about Lastpass big privacy leaks. Apparently there were two and luckily Lastpass has fixed them both within a day, but is it the same with Enpass? Does the team even know about it and are they working on it to find out if the same is the case? Links here: https://tweakers.net/nieuws/114017/google-onderzoeker-vindt-op-afstand-te-gebruiken-lek-in-lastpass.html https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ https://twitter.com/taviso …

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team. Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product? Thanks, Gili

I work in a secure situation and find when my Windows 10 goes to sleep (telephone calls etc.) I have to re-type my master password in again. This is repeated dozens of times a day. Is there any way I can control this without turning off my sleep mode.

Hi all, I have not found an answer while searching so please forgive me if it is already answered, but I would be interested in knowing which cipher (and library) is used by enpass to encrypt data? Thanks a lot in advance and thanks a lot for that great product. Thomas

Hello, don't really know where to post this, but "Data Security" seems kind of fitting. I recently set up Enpass on my devices to synchronize via a nextcloud-server running on my desktop computer. In doing that, I realized I didn't receive a certificate warning on any of my devices when setting up the synchronization, even though the server is clearly using a self-signed certificate. I'd really appreciate it if I received a warning when setting up synchronization with a server using a self-signed certificate, and maybe even enable some sort of certificate pinning, to make sure my data doesn't end up on another WebDAV server, which happens to be accessible with the same UR…

Along with open sourcing, external audits which has already been asked for, i'd really like to be able to opt out of google analytics and (other?) tracking mechanism. this is a password vault, it feels sorta creepy

Please add the option for user selectable rounds. 24000 is WAY too low, and people should be able to increase it, regardless of the time-cost to access the data. This should be a user defined field in all applications, even if it's hidden behind an "advanced" tab.

An interesting and important question that was already raised, but not yet answered, in another thread: Is Enpass' built-in password generator part of SQLCipher or otherwise (if yes, how so?) open source and therefore trustworthy? I currently feel no need to demand to make the whole application open source as long as the security-relevant parts are. But the password generator is one of these and therefore a reassuring answer would be nice. If it's not open source, what are the plans in that regard? If it is, I think you should advertise that on your website, too.

I'm curious... how wise is it to store so much of one's information.. like bank account info, payment and identification information... On one hand, if you have all your logins stored in here... most of that stuff is available through that... so is it any worse to store it outright? I mean, if someone gets a hold of your database and cracks it, it's kinda over isn't it?

Hi. In order to synchronise my passwords through OneDrive, I have to give Enpass the following permissions: Sign in automatically View your OneDrive photos and documents Access and edit your OneDrive photos and documents View your profile information and contact list Access your info at any time Work with its own folder in OneDrive Access OneDrive files The first 5 were requested by the iOS app; the last 2 by the Mac OS app. I really can't understand why any of these are necessary except "work with its own folder in OneDrive". Can you pl…

Several password manager are broken. I found this: https://team-sik.org/trent_portfolio/password-manager-apps/

I have been very happy with enpass so far and believe it to be an amazing solution for password management. I read an article today about other systems and wanted to know if this system can be compomised in the same manner and what is done to ensure security. https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/ Thanks!

Really pleased to see the Enpass now supports turning off access to Google Analytics and the Enpass update servers. Option to disable update and analytics, plus attachment support enabled. Also really pleased that a 3rd part Audit is planned (maybe use Travis Ormandy from Google? He seems to be quite effective) . Thank you for these advancements. I have a related question. On my Macbook I have an outgoing firewall, called Little Snitch, that allows me to monitor outgoing communications and be certain nothing is inappropriatly accessing sites in the network/internet. On my ipad and iphone there doesnt seem to be any way to do the same monitoring. How would …

Can someone download say a Facebook or Reddit login, host it and have enpass see it and send over the credentials?

After seeing a tweet from someone able to get a master password from a memory dump on Linux, I tried it my self and was able to get a password from a locked database. This is on Windows 10 running creators update. Here is a screenshot.

The introduction of Quick Unlock by TouchID is a huge step forward for the usability of Enpass. However, in my opinion the promised perfect balance between convenience and security is still unmet due to the lack of a critical part: TouchID timeout. TouchID is not 100% secure as demontrated by security researchers who were e. g. able to replicate working fingerprints for TouchID. The logical consequence would be to disable TouchID in Enpass completely. However, this would not only eliminate the convenience benefit but also increase the risk of shoulder surfing. The solution is an adjustable timeout deciding whether TouchID will unlock Enpass or if the master pass…

I was debugging my nexus 5 and I saw by chance that Enpass while syncing to my nas over webdav is using jakarta httpclient 3.1 As stated here[1] the library is no longer being developed. Are you planning to replace it? [1] https://hc.apache.org/httpclient-3.x/

Just wanted to get a hint on how everybody else is using Enpass and at the same time show my setup. I use an USB-wristband for portability. I've got one layer of bitlocker using aes128 autounlock with tpm) and within that the walletx with its own aes256. Instead of the Enpass Portable I've got Enpass desktop installed on my three PCs pointing to an USB drive. That way I split up meta settings for Enpass in the registry and vault on a removable drive. Also when frequently synchronizing, the performance is better when executables that aren't secret reside on a local drive. I use cloud sync, so local backup isn't necessary. I only mount the USB stick and vault wh…

Apple has announced that "beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple. If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again" I am unclear if this impacts Enpass. Can you advise: Is Enpass impacted? If so will Enpass support a means of entering an App Specific Password before June 15? Thanks