Data Security

Hello! On some sites on which I am registered there is a 2FA, but they are not in Enpass database. How often is the database updated? How do I add a site to your database? For example, 2FA is implemented on the site https://account.keenetic.com (see screen) but this site is not in the Enpass database...

I did not understand why many passwords are identified as weak by Enpass. For example the password 8castle-5Arms-0seth is considered secure by many dedicated online services such as http://www.passwordmeter.com https://password.kaspersky.com https://howsecureismypassword.net/

Hi there I´m using PIN code on Mac OS (MacBook without Touch ID) in oder to quick unlock enpass app running in the background? I think that the master password is not saved on in Mac, even in ram. This means unlocking with Pin Code doesn´t actually decrypt data in enpass. Technically you can say enpass running in the background and locked with Pin is actually unlocked, right? In case someone gets acess to an unlocked Mac with enpass locked with PIN (instead master passwors): May it be possible that this person (that is is pretty much into IT / has former computer skills) could gain access to data saved in enpass?

This is not welcomed behaviour from you Enpass app !!! deactivate this reading !!! How many data have you collected by this mean ? As many Chinese apps are linked to Chinese government and so were rightly banned, your app also could be linked to Indian government !!! now I will start to lunch a compaign on social media, on tech website etc.

Does Enpass intend to implement 2FA for itself as an second authentication method instead of Keychain It is much easier to use and is less risky as losing access to a 2FA is harder than a keychain

Hey Enpass devs! I just read about a breach with a manager called "Passwordstate". Apparently their third-party upgrade mechanism injected malware into the update and now thousands of users had their passwords and other info stolen directly out of their managers. Talk about a nightmare scenario! What does the Enpass updater mechanism look like? Is that maintained by Enpass alone? How secure is the updater scheme? Thanks! My family are all committed Enpass users (multiple screens & PCs).

why are you not encryping or at the very least obfuscating the names of a users cached favicons when this is enabled? I know, the icons are only cached on each device not synced to the cloudproviders, and if your OS content can be read by someone else it cannot be assumed to be secure yadayada. But on a shared- or work-related machine, Im pretty sure a Enpass-user expects the entries to be confidential as well. So if someone has a strange affection to... crows, whatever, there will be a login.ilovecrows.com within %AppData% or the portable directory. If someones has several hundred entries, it gives quite alot intel about that person.. This applies to…

Hi I have recently read an article written by Tavis Ormandy, Link. So I'm curious to know that Enpass have these vulnerabilities or not?. Thanks

Hi everyone, I just stupidily clicked on backup via Wifi and now I have a copy of it on the IP 192.168 etc. I really would love to have a function for remove it from there once I have downloaded once and be sure this happened. Do you know how to do it and how to be sure nobody would access to it? Thanks a lot

Hello guys, I update my passwords on a regular basis and use 2FA where it is available. The most providers of 2FA give you backup codes, i case you can't get into your account. Is there a way to store these backup codes securely? Can I just put them in the notes section? I would like to hide them as dots like the passwords. Will there be a feature like that?

My phone is lost, and I would ideally like to remotely delete the enpass app, or the app data (passwords), IF someone is able to break the app password. Is this possible?

The two that cause me the most concern is your collection of my Apple user ID and name. In the IOS app there is a section entitled: Data Linked to You The following data, which may be collected and linked to your identity, may be used for the following purposes: App Functionality Contact Info Email Address Name Identifiers User ID Device ID Usage Data Product Interaction

I have a very simple setup: 1 vault, 1 PC running enpass wifi server, 1 android phone, 1 ipad. I update enpass data somewhat rarely; the occasional add of a new credential, and changing of existing passwords. I got the wifi sync working just fine, but was wondering if it was a good idea to "pause" the server after syncs, and only enable it when I want to force a sync across devices. This is, of course, less convenient, but am willing to do so if this is more secure. My gut feeling is that it's ok to leave running given that credentials or a QR scan was required for a client to receive data, but thought I would ask anyhow. Thanks in advance for any advice.

I've purchased Enpass for Windows 10 (Windows Store) and also for Android. At work I use the traditional Win32 application. So I started Enpass today at work and updated the application to v6.3 (Win32) and after that I was prompted to register. I did it, but it shows Enpass Lite account now. For more details click on 192.168.8.1

When creating a back up to a folder on my Mac, the backup files are defaulting to Word docs. I recently tried to open a backup as a word doc just to test if any data would be displayed, but now all backups default as word docs. They do not actually open using word, so no data is displayed. And as a test I created a new vault using a backup word file and everything imported fine. Does is matter if the backups are defaulting as a word document, or should this be changed to something else for security reasons?

Hello I would like to know if it is safe to use windows hello to unlock Enpass? Thanks.

Recently something came across my mind. Enpass user manual says that all my data is encrypted using my master password then how come when I switch on biometrics I can open enpass with my fingerprint only?

Hello, I wanted to add OneDrive sync, but I see a strange permissions request: This app would like to: Sign you in and read your profile - totally fine Have full access to the application's folder - totally fine Maintain access to data you have given it access to - fine (even though I don't know, how it will give access to 3rd parties) Edit or delete items in all site collections - what?! Delete or edit all SharePoint and OneDrive data?! (for those who don't know, each SharePoint site is a site collection and Onedrive is part of a SharePoint site)[expanded description: Allow the application to edit or delete documents and list items in all s…

Hey Enpass Team, I recently moved from Dashlane to Enpass and I used cloud sync and use Box.com for that. My question is does the data saved on Box also encrypted?

Please bring the option to disable the inline autofill completely from the Enpass, as a security feature! One of reasons I've chosen enpass is the separation between the agent and browser. I can configure enpass, so browser never has any access to my passwords without my knowledge, which prevents any 0-click malicious extensions from stealing my passwords. With new inline autofill this feature is lost. I can either completely disable browser integration or have it done in less secure way it was previously. As the "old way" of filling passwords still works, please give us the option to completely disable the new way from the enpass itself, so browser extension ca…

EnPass currently has grade E on ToSdr.org for privacy+security which is the same grade of FaceBook! This does not look good for Enpass. https://tosdr.org/en/service/1575 You may want to address any issues or misunderstandings with them!

When on a Windows-device with compatible TPM and the Hello-integration is turned on, it is possible to delete the Keyfile with the effect that only Windows Hello authentication will be possible. I am positive by that finding, and believe it could be highlighted in the manual or something (couldn't find it in https://www.enpass.io/docs/manual-desktop/Enpass-Desktop.pdf, it only seem to reflect quick unlock with TPM) The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside or be visible to the target machine during everyday usage. that's a huge security benefit if you're using Hello anyway IMHO.

So, I had a conversation with our company's CTO - his opinion is you should remember 2 passwords: 1. Password manager's master password 2. Your main email's password (meaning, do not keep your email's password in the vault) His reasoning is the extra layer of security - if a hacker somehow gains access to your vault, they won't be able to reset majority of the accounts (at least the important ones - like bank and stuff) as they don't have the password for your email. Additionally, he doesn't store 2FAs in the password manager and cringes every time i tell him i do store my 2FAs in the PM. His thoughts on this - again, extra security - use a separate ap…

Heya, I’m in the situation with Enpass Vaults across three devices (iPhone, OSX, Windows)I regularly used. For whatever reason, they’re not properly synced. I’d like to consolidate them without loosing anything from any Vault. I learned the hard way (using other password managers), that trusting Import buttons and hoping for the best is a bad idea. Your documentation didn't help me to take action yet. How do I proceed safely without compromising anything? Given I don't know which entries are most recent on which device. Thank you in advance! Ronny

Hello, I am using Enpass with a password and the keyfile, every time I have to enter Enpass I must have the password together with the keyfile, but I have a doubt, it would not be more secure if the keyfile was used only the first time it is installed Enpass? If I have a virus on my computer, it manages to find out the password but does not know the keyfile so enpass cannot be installed on another computer.