Data Security

Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. Here's what happened On April 7, 2025, security researcher Marek Tóth contacted Enpass to responsibly disclose a clickjacking vulnerability in the Enpass browser extension. Clickjacking is a web-based attack where a malicious site tricks users into clicking something unintended. In this case, a malicious webpage could exploit the vulnerability to trick a user into stealing a credential stored in Enpass by altering the attributes such as…

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team. Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product? Thanks, Gili

Czech Republic based security researcher Marek Tóth, unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers: https://marektoth.com/blog/dom-based-extension-clickjacking/ Is this now fixed in all Enpass Browser Extensions? This is only mentioned in the release notes for the Chrome Extension (6.11.6): „Fixed a clickjacking vulnerability in the extension by preventing popover windows from overlaying the inline menu (Reported by Marek Tóth)“

I do not want to save all my passwords in the Enpass application because it's not open source. I like that it looks great on linux, android and ios. I'd happy to pay for the apps. But how can I be sure, that it does everything right?

Hello, I am relatively new to Enpass, I noticed, that after reboot, I can use the PIN to access my fault. How can this be secure? This means that the Masterpassword is stored locally on the flash memory. This and the fact, that there have never been an security audit for iOS really worries me. Can someone explain to me, how this might possibly secure? I have a feeling, that the reason, why there is no security audit is, that they know, that there is no way there application passes the audit.

I have read that the Enpass database is stored in /home/documents but that is not true. I have installed version 6 in Ubuntu 18.04, and have 4 logins stored in Enpass, but my documents folder is empty. So please tell me where to find it.

Just a thought I'd like to share. With the introduction of time-based OTP in Enpass, you are able to use your one-time passwords from within the Enpass client. While this saves time for browsing to another OTP client (such as Google Authenticator), it does decrease the level of security. One-time passwords are usually used as the second factor of two-factor authentication. In most cases, these two factors are 'something you know' (your password) and 'something you have' (your phone with the OTP app on it). With the integration of OTP in Enpass, these two separate factors become one as they are both 'something you know/have/stored in the Enpass database'. …

Maybe it has already discussed but I try to understand why Enpass is more secure than "online" password manager. I need to sync my accounts to more than one device. So i decided to do that via WebDAV on my personal synology NAS system which is only reachable from the internet via VPN. But however, I think my home is not as secure as a data center like from amazon. So, if my nas gets stolen, it may be possible to get the encrypted database file with the passwords in a more easy way then to break into the data centers used by online password manager. The same is for backup on other external drives. So what is the real different? A hacker cannot login to my a…

Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked - just by visiting a infected website. This allowed the attackers comprehensive access to the data in the iPhone: WhatsApp, Signal, SMS, gps-location, photos, contacts and - yes - even the keychain with the passwords should have been open. An incredible Bug! My question: Was Enpass also affected? Could attackers - even theoretically - read the passwords from the Enpass database? As far as I know, Enpass uses the iOS keychain to store the masterpassword, if you use biometric unlock. Who knows more?

Please see this post which I found which is very similar to my questions: https://discussion.enpass.io/index.php?/topic/27234-password-strenght/#comment-77241 They list several password checker sites, which all show a password as strong but which Enpass shows as weak. I would add these to the list: https://www.passwordmonster.com/ https://nordpass.com/secure-password/ https://bitwarden.com/password-strength/ The answer in that other post was the following: "Different password strength checkers use different ranges and algorithms to estimate strength of a password. Please go through this link to see how Enpass estimates strength of a passwor…

Apple has announced that "beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple. If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again" I am unclear if this impacts Enpass. Can you advise: Is Enpass impacted? If so will Enpass support a means of entering an App Specific Password before June 15? Thanks

Is it possible to set the PBKDF2 iteration count in Enpass? I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations. OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

I've been playing around with the HxD editor today, and it has a nice built in feature that lets you view the memory of another process. This gave me the idea to check whether Enpass was exposing your sensitive information in memory. I opened up the running Enpass process in HxD, and did a simple string search for one of my passwords. Surprisingly, I was able to find multiple occurrences of my password stored as a raw string in memory, even while Enpass was locked (without PIN enabled). I was also able to find secure notes, usernames, TOTPs, and other sensitive information that I was not even accessing in the Enpass window. I tried finding many different entries, and one …

Hi, I have been a user of Enpass since the Windows Phone days. Purchased a licence back then and used to sync to my OneDrive. After being forced to move to Android, I again purchased an Android licence to have my passwords synced between my PC and my Android device. I recently noticed while setting the app up on a new phone that the permissions requested to access OneDrive seem to have increased since the last time I went though the exercise. Enpass needs your permission to: 1. Sign in automatically Signing in with your Microsoft account will automatically sign you in to this app. …

I would like to increase the number of PBKDF2 iterations used.

I have used Enpass for 5 years and open it regularly. I've never changed my Master Password. Overnight it stopped working. I'm on a Mac laptop using OS Monterey 12.31 I have read that this has happened to others. Advice appreciated

So I made an account quickly to ask if the same thing also the issue with Enpass. Via Dutch website www.tweakers.net and on www.nu.nl newsarticles today have been published about Lastpass big privacy leaks. Apparently there were two and luckily Lastpass has fixed them both within a day, but is it the same with Enpass? Does the team even know about it and are they working on it to find out if the same is the case? Links here: https://tweakers.net/nieuws/114017/google-onderzoeker-vindt-op-afstand-te-gebruiken-lek-in-lastpass.html https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ https://twitter.com/taviso …

I ran across an interesting article about some other well-known password managers out there, like 1Password, KeePass, DashLane & LastPass. https://www.securityevaluators.com/casestudies/password-manager-hacking/ If that's too technical, read ZDNet's summary on this article: https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/ While I was pleased Enpass wasn't on the list, I suspect it might be due to lack of significant market share like some of the other products. But I'm also very curious about the steps Enpass is taking to have independent third-parties pen-test the product. EDIT: I should have lo…

Please add the option for user selectable rounds. 24000 is WAY too low, and people should be able to increase it, regardless of the time-cost to access the data. This should be a user defined field in all applications, even if it's hidden behind an "advanced" tab.

So Enpass is an offline password manager. But if you decide to sync your data, you have to use the cloud because you can't use Wi-Fi sync. I have to store my container on services like iCloud or Google, Dropbox if I want to access it from all my devices. Enpass is missing a 2FA. If somebody is able to access my cloud or hack the service I‘m using, he can steal my container. Enpass only offers a master password and nothing else. It can be hacked more easy than having a second factor. Any plans on adding such a feature in the future?

Along with open sourcing, external audits which has already been asked for, i'd really like to be able to opt out of google analytics and (other?) tracking mechanism. this is a password vault, it feels sorta creepy

After using 1Password for a long time, I plan to go back to Enpass, the first password manager I used. This is mainly because multiple vaults are available in the latest Enpass versions. My 1Password account is secured with a master password, secret key and 2FA. At Enpass I will have to use a keyfile to make the vault just as safe. But where can I store my keyfile the best and easiest so that I can access it on any device (Windows, Android smartphone, Chromebook)?

Hello, I want to buy Enpass Premium, to be able to have multiple faults. My Question is, is it possible, not to store the password of the secondary vault in the primary vault? I don't need any auto unlock features. Entering the password every time, is perfectly fine. This page indicates this is default: "When you create multiple vaults, the passwords of other vaults are stored securely in the Primary vault and are removed when you delete the vault. That’s why when you unlock Enpass, all the vaults get unlocked automatically." - https://www.enpass.io/docs/manual-desktop/vault.html#vaults-in-enpass Can this be changed? I need different faults for …

Hello: I have checked my mobile connections and I have seen that Enpass has connected to an Amazon AWS related IP in Ireland. I would like to know if it is normal and if Enpass works with these servers. Thank you.

Does Enpass ensure that a corrupted database is not synced to the cloud? I want to be sure what happens in the worst case and if my database is corrupted somehow having that broken database synced to the cloud and thus overwrite a good version would be really bad. Since I can only sync to one cloud provider I'd have no way back in this case.