Data Security

Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. Here's what happened On April 7, 2025, security researcher Marek Tóth contacted Enpass to responsibly disclose a clickjacking vulnerability in the Enpass browser extension. Clickjacking is a web-based attack where a malicious site tricks users into clicking something unintended. In this case, a malicious webpage could exploit the vulnerability to trick a user into stealing a credential stored in Enpass by altering the attributes such as…

I ran across an interesting article about some other well-known password managers out there, like 1Password, KeePass, DashLane & LastPass. https://www.securityevaluators.com/casestudies/password-manager-hacking/ If that's too technical, read ZDNet's summary on this article: https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/ While I was pleased Enpass wasn't on the list, I suspect it might be due to lack of significant market share like some of the other products. But I'm also very curious about the steps Enpass is taking to have independent third-parties pen-test the product. EDIT: I should have lo…

Hallo Enpass Team besteht die sichere möglichkeit eine 2 Fach authentifizierung über Enpass zu ermöglichen Beispiel man will Enpass öffnen braucht aber Masterpasswort gleichzeitig aber einen 6 stelligen code auf das Handy

Hello! On some sites on which I am registered there is a 2FA, but they are not in Enpass database. How often is the database updated? How do I add a site to your database? For example, 2FA is implemented on the site https://account.keenetic.com (see screen) but this site is not in the Enpass database...

So Enpass is an offline password manager. But if you decide to sync your data, you have to use the cloud because you can't use Wi-Fi sync. I have to store my container on services like iCloud or Google, Dropbox if I want to access it from all my devices. Enpass is missing a 2FA. If somebody is able to access my cloud or hack the service I‘m using, he can steal my container. Enpass only offers a master password and nothing else. It can be hacked more easy than having a second factor. Any plans on adding such a feature in the future?

Does Enpass intend to implement 2FA for itself as an second authentication method instead of Keychain It is much easier to use and is less risky as losing access to a 2FA is harder than a keychain

Hello, I'm using version Enpass 6.8.1.658 In the Password audit section I have 28 supported 2FA web sites. I do not have Google services installed, is there a way to see which web sites these are? Thanks

Hello! I would like to know if there is an 2FA-Option additionally to the Master-Password when I open my Passwortmanager? Of course I hope, that nobody cracks my Master-Password. However "better safe than sorry" ... since 2FA is an important security-feature, I wonder why this option to add an 2FA (and I don't mean the Logins for my inside-Password) is not available yet? Or did I miss it? Thanks for your answer in advance. Best Regards

So I started using this today and have a couple of questions about syncing. 1) After setting it up to get it to sync to other things log in the service provider eg Dropbox, Google etc. Is there anything stopping someone who has access to my account from installing Enpass telling it to sync with my details, and getting all my passes? I don't think it will be a problem for me, as I did take measures if this is the case but am more curious. 2) Can I tell it what to sync to where? Basically I have 5-6 Important things I NEED on my phone in case I accidentally log out when not at my PC. But I intend to put everything on my PC version so I don't lose an ac…

Hey Enpass Team, I recently moved from Dashlane to Enpass and I used cloud sync and use Box.com for that. My question is does the data saved on Box also encrypted?

I have been very happy with enpass so far and believe it to be an amazing solution for password management. I read an article today about other systems and wanted to know if this system can be compomised in the same manner and what is done to ensure security. https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/ Thanks!

Master-password - Open database; Destruct-password - Deletes all data or makes it unsuitable for decryption. This can be done?

Dear Community, I am really conernd about the error which I had faced. I restarted my notebook and changed the boot directory for some tests. After that, I wern't able to login to Enpass with my Masterpassword. Enpass looked like it were new installed and therefore my login files were gone, so everything were deleted. Luckly I had made several backups and could restore my credentials but, it is really strange that all my file were gone. First I thought maybe it's an securtiy feautre because of that changes in the Boot directory. But, after restoring my files with the backup, I did the same again and changed the boot directory, but no fi…

Apple has announced that "beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple. If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again" I am unclear if this impacts Enpass. Can you advise: Is Enpass impacted? If so will Enpass support a means of entering an App Specific Password before June 15? Thanks

Really pleased to see the Enpass now supports turning off access to Google Analytics and the Enpass update servers. Option to disable update and analytics, plus attachment support enabled. Also really pleased that a 3rd part Audit is planned (maybe use Travis Ormandy from Google? He seems to be quite effective) . Thank you for these advancements. I have a related question. On my Macbook I have an outgoing firewall, called Little Snitch, that allows me to monitor outgoing communications and be certain nothing is inappropriatly accessing sites in the network/internet. On my ipad and iphone there doesnt seem to be any way to do the same monitoring. How would …

I would like to make a simple observation. To create or open a key file, the extension called ".keepasskey" is mandatory. In fact you cannot choose or create a different extension. For this reason it is very easy for an attacker to locate the enpass key file. For this reason, to keep it archived I have to rename it, and then when I need it I have to rename it again by adding the ".keepasskey" extension. Wouldn't it be a good idea to be able to create and open the file without the extension?

Hello. When I started using enpass back in early 2019, I was choosing password managers from countries (India) that are not: The '5-Eyes': The US, the UK, Canada, New Zealand and Australia The '9-Eyes': The '5-Eyes' group plus Denmark, Norway, the Netherlands and France The '14-Eyes': The two above groups plus Germany, Sweden, Belgium, Spain, and Italy https://protonvpn.com/blog/5-eyes-global-surveillance/ Now I see that your company is already from the USA, and besides, the program is completely closed source. After the change of country to the United States, the confidence in you has become less and less and I can no longer trust my data to…

Autolock always worked fine in version 5 desktop, but it's not locking in version 6. The only option that I always have unticked is Settings > Security > Autolock When: "Main Windows Is Closed". Those settings worked fine in version 5, but not in version 6.

What about autospill vulnerability?

Hi ! Enpass looks nice. It's full of features. Of course, it makes me willing to use it. As I noticed for some software companies that spending time in developing features is a natural marketing constraint to catch more customers, it pushes security concerns to second priority. Then, I'd like to make my mind about and try to assess how good behaves your password generator ( that is one of the secure component that everybody can understand ) A simple test: measure the occurence of consecutive characters. with a simple setup (only numbers) : probability of having 2 consecutive number is below 1% for length=10 but statistics (I have tried …

Hello i wonder if there is a opportunity to integrate to backup Enpass to proton drive Kind regards

When creating a back up to a folder on my Mac, the backup files are defaulting to Word docs. I recently tried to open a backup as a word doc just to test if any data would be displayed, but now all backups default as word docs. They do not actually open using word, so no data is displayed. And as a test I created a new vault using a backup word file and everything imported fine. Does is matter if the backups are defaulting as a word document, or should this be changed to something else for security reasons?

Please bring the option to disable the inline autofill completely from the Enpass, as a security feature! One of reasons I've chosen enpass is the separation between the agent and browser. I can configure enpass, so browser never has any access to my passwords without my knowledge, which prevents any 0-click malicious extensions from stealing my passwords. With new inline autofill this feature is lost. I can either completely disable browser integration or have it done in less secure way it was previously. As the "old way" of filling passwords still works, please give us the option to completely disable the new way from the enpass itself, so browser extension ca…

Hi, I think that it would be important for us, customer, to understand what's your business model. As a security app, we should be able to know how would you work? So How can you make money on your app? Do you work like keepass, you have other jobs and do that as a side job (which is absolutely not a problem if there is not conflict of interest)? If you were a european company, 9 euros for only buy once the mobile app would be really not enough to survive for that big of a team. How can we trust a company that we don't know how do they make money? Especially with the problems with facebook etc. Any attempt to levitate this subject won't be very good for y…

I have posted the post twice，please delete this post thank u