Data Security
Security of your data is our utmost priority. Have any questions or thoughts about that? Discuss them here.
200 topics in this forum
Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. Here's what happened. On April 7, 2025, security researcher Marek Tóth contacted Enpass to responsibly disclose a clickjacking vulnerability in the Enpass browser extension. Clickjacking is a web-based attack where a malicious site tricks users into clicking something unintended. In this case, a malicious webpage could exploit the vulnerability to trick a user into stealing a credential stored in Enpass by altering the attributes such as…
- 0 replies
- 3k views

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team. Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product? Thanks, Gili
- 181 replies
- 282.9k views
- 6 followers

I have read that the Enpass database is stored in /home/documents but that is not true. I have installed version 6 in Ubuntu 18.04, and have 4 logins stored in Enpass, but my documents folder is empty. So please tell me where to find it.
- 27 replies
- 21.6k views

Hello, I am relatively new to Enpass. I noticed that after reboot, I can use the PIN to access my vault. How can this be secure? This means that the Masterpassword is stored locally on the flash memory. This and the fact that there has never been a security audit for iOS really worries me. Can someone explain to me how this might possibly be secure? I have a feeling that the reason why there is no security audit is that they know that there is no way their application passes the audit.
- 18 replies
- 22.6k views

Czech Republic-based security researcher Marek Tóth unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers: https://marektoth.com/blog/dom-based-extension-clickjacking/ Is this now fixed in all Enpass Browser Extensions? This is only mentioned in the release notes for the Chrome Extension (6.11.6): "Fixed a clickjacking vulnerability in the extension by preventing popover windows from overlaying the inline menu (Reported by Marek Tóth)"
- 16 replies
- 57.6k views
- 2 followers

I was surprised that Enpass showed me a prompt to "re-register" via a TOTP sent to my registration email. What is going on here? It's not like I am logged in to a website.
- 13 replies
- 9.3k views

I have used Enpass for 5 years and open it regularly. I've never changed my Master Password. Overnight it stopped working. I'm on a Mac laptop using OS Monterey 12.31. I have read that this has happened to others. Advice appreciated.
- 12 replies
- 10.9k views

So, I have completely given up using my Nextcloud server for Enpass (Enpass is just not reliable in that environment)....sad because the ability to use my private server was the reason I switched in the first place. However, given the amount of time I have now invested in Enpass, before giving up on Enpass completely I thought I'd try using iCloud as the server and immediately ran into a new problem. Scenario: I have multiple devices but with just my Mac and an iPhone, here's the problem I ran into. Step 1. I switched my Mac to use iCloud instead of NextCloud and synced. Step 2. I then modified the passwords for one of the entries in Enpass (Plex ha…
- 12 replies
- 8.9k views

Hello, I want to buy Enpass Premium, to be able to have multiple vaults. My question is: is it possible not to store the password of the secondary vault in the primary vault? I don't need any auto unlock features. Entering the password every time is perfectly fine. This page indicates this is default: "When you create multiple vaults, the passwords of other vaults are stored securely in the Primary vault and are removed when you delete the vault. That’s why when you unlock Enpass, all the vaults get unlocked automatically." - https://www.enpass.io/docs/manual-desktop/vault.html#vaults-in-enpass Can this be changed? I need different vaults for …
- 11 replies
- 10.1k views

This is not welcomed behaviour from you Enpass app!!! Deactivate this reading!!! How much data have you collected by this means? As many Chinese apps are linked to Chinese government and so were rightly banned, your app also could be linked to Indian government!!! Now I will start to launch a campaign on social media, on tech website etc.
- 11 replies
- 9.1k views

Autolock always worked fine in version 5 desktop, but it's not locking in version 6. The only option that I always have unticked is Settings > Security > Autolock When: "Main Windows Is Closed". Those settings worked fine in version 5, but not in version 6.
- 10 replies
- 9k views

Is it possible to set the PBKDF2 iteration count in Enpass? I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations. OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
- 10 replies
- 11.3k views
- 1 follower

I do not want to save all my passwords in the Enpass application because it's not open source. I like that it looks great on Linux, Android and iOS. I'd be happy to pay for the apps. But how can I be sure that it does everything right?
- 9 replies
- 24.8k views

Please add the option for user selectable rounds. 24000 is WAY too low, and people should be able to increase it, regardless of the time-cost to access the data. This should be a user defined field in all applications, even if it's hidden behind an "advanced" tab.
- 9 replies
- 10.4k views

I've been playing around with the HxD editor today, and it has a nice built in feature that lets you view the memory of another process. This gave me the idea to check whether Enpass was exposing your sensitive information in memory. I opened up the running Enpass process in HxD, and did a simple string search for one of my passwords. Surprisingly, I was able to find multiple occurrences of my password stored as a raw string in memory, even while Enpass was locked (without PIN enabled). I was also able to find secure notes, usernames, TOTPs, and other sensitive information that I was not even accessing in the Enpass window. I tried finding many different entries, and one …
- 9 replies
- 11.2k views

Please see this post which I found which is very similar to my questions: https://discussion.enpass.io/index.php?/topic/27234-password-strenght/#comment-77241 They list several password checker sites, which all show a password as strong but which Enpass shows as weak. I would add these to the list: https://www.passwordmonster.com/ https://nordpass.com/secure-password/ https://bitwarden.com/password-strength/ The answer in that other post was the following: "Different password strength checkers use different ranges and algorithms to estimate strength of a password. Please go through this link to see how Enpass estimates strength of a passwor…
- 9 replies
- 12.1k views
- 1 follower

Does Enpass ensure that a corrupted database is not synced to the cloud? I want to be sure what happens in the worst case and if my database is corrupted somehow having that broken database synced to the cloud and thus overwrite a good version would be really bad. Since I can only sync to one cloud provider I'd have no way back in this case.
- 8 replies
- 10k views
- 1 follower

Hello: I have checked my mobile connections and I have seen that Enpass has connected to an Amazon AWS related IP in Ireland. I would like to know if it is normal and if Enpass works with these servers. Thank you.
- 8 replies
- 10k views

I would like to make a simple observation. To create or open a key file, the extension called ".keepasskey" is mandatory. In fact you cannot choose or create a different extension. For this reason it is very easy for an attacker to locate the enpass key file. For this reason, to keep it archived I have to rename it, and then when I need it I have to rename it again by adding the ".keepasskey" extension. Wouldn't it be a good idea to be able to create and open the file without the extension?
- 8 replies
- 5k views

Just a thought I'd like to share. With the introduction of time-based OTP in Enpass, you are able to use your one-time passwords from within the Enpass client. While this saves time for browsing to another OTP client (such as Google Authenticator), it does decrease the level of security. One-time passwords are usually used as the second factor of two-factor authentication. In most cases, these two factors are 'something you know' (your password) and 'something you have' (your phone with the OTP app on it). With the integration of OTP in Enpass, these two separate factors become one as they are both 'something you know/have/stored in the Enpass database'. …
- 7 replies
- 15.7k views
- 1 follower

After seeing a tweet from someone able to get a master password from a memory dump on Linux, I tried it myself and was able to get a password from a locked database. This is on Windows 10 running Creators Update. Here is a screenshot.
- 7 replies
- 9.5k views

Hi All, I have Enpass installed on my work computer and it is detecting a program called EnpassBridge.exe that has been classed as Malware with a 73/100 threat score. Can anyone shed any light on this?
- 7 replies
- 6.9k views

I would like to increase the number of PBKDF2 iterations used.
- 6 replies
- 11k views

Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked - just by visiting an infected website. This allowed the attackers comprehensive access to the data in the iPhone: WhatsApp, Signal, SMS, GPS location, photos, contacts and - yes - even the keychain with the passwords should have been open. An incredible bug! My question: Was Enpass also affected? Could attackers - even theoretically - read the passwords from the Enpass database? As far as I know, Enpass uses the iOS keychain to store the master password, if you use biometric unlock. Who knows more?
- 6 replies
- 12.1k views

Hi, one of the reasons why I preferred Enpass over other password managers like LastPass and 1Password was that the developers just distribute the binary, and everything else like sync and so on was completely in my own hands. No connections to other servers, nothing. This was great, since I believe a password manager should do as little communication as possible. Until now I was very happy with Enpass. But now I have some serious questions about the new favicon feature. The announcement says that Enpass downloads it from the developer's server, and you need to enable the feature on each client separately, so I assume each client downloads the favicons separat…
- 6 replies
- 4.6k views