Data Security

Just a thought I'd like to share. With the introduction of time-based OTP in Enpass, you are able to use your one-time passwords from within the Enpass client. While this saves time for browsing to another OTP client (such as Google Authenticator), it does decrease the level of security. One-time passwords are usually used as the second factor of two-factor authentication. In most cases, these two factors are 'something you know' (your password) and 'something you have' (your phone with the OTP app on it). With the integration of OTP in Enpass, these two separate factors become one as they are both 'something you know/have/stored in the Enpass database'. …

Hi there, i recently moved to a new MacBook with Touch ID. Up to now I always entered my master password and had to plugin my usb device with the keyfile to unlock Enpass. Now I noticed that I can unlock Enpass just using Touch ID. The keyfile is no longer required. How is this possible? This was a totally unexpected behaviour for me. How is this working, I mean the keyfile must be cached/stored somehow to achieve this right? Is it possible to disable this "feature"?

Ich habe einen MacBook Pro mit Touch-ID und macOS Big sur 11.1 Ich habe vor kurzem Enpass Premium gekauft und nun geht das öffnen von Enpass mit Touch-ID nicht mehr. Was mache ich falsch? Danke

When a password is trashed or the password generator history is cleared, what is the mechanism behind this. Is any of it still recoverable? If i clear out the trash, what is the likelyhood of it being recoverable? Are these TMP files being trashed, is it normal DEL procedure?

I've just learned that PBKDF2 encryption is outdated and vulnerable, and Argon2 or bcrypt are now the preferred password hashing implementation in modern password managers. When is Enpass going to upgrade or at least provide the option of using a secure password hasher? Raising the bar on security

I see that Enpass is doing network requests even when I am not storing my vault in a cloud. According to this article Enpass uses internet access for some features. If I disable these features will I still be able to use Enpass? Or do I require to give Enpass network access to ensure my subscription is valid? I really prefer Enpass to not send any data from my device.

Hello, don't really know where to post this, but "Data Security" seems kind of fitting. I recently set up Enpass on my devices to synchronize via a nextcloud-server running on my desktop computer. In doing that, I realized I didn't receive a certificate warning on any of my devices when setting up the synchronization, even though the server is clearly using a self-signed certificate. I'd really appreciate it if I received a warning when setting up synchronization with a server using a self-signed certificate, and maybe even enable some sort of certificate pinning, to make sure my data doesn't end up on another WebDAV server, which happens to be accessible with the same UR…

why are you not encryping or at the very least obfuscating the names of a users cached favicons when this is enabled? I know, the icons are only cached on each device not synced to the cloudproviders, and if your OS content can be read by someone else it cannot be assumed to be secure yadayada. But on a shared- or work-related machine, Im pretty sure a Enpass-user expects the entries to be confidential as well. So if someone has a strange affection to... crows, whatever, there will be a login.ilovecrows.com within %AppData% or the portable directory. If someones has several hundred entries, it gives quite alot intel about that person.. This applies to…

Hi, Am new with enpass and try to understand it bit better. what if: > I'm in a foreign country, i loose everything, laptop, phone etc... 1. So far connect to my email account (I remember the password) then I can get all the information I saved their. I can actually connect to all my account (fb, etc..) 2. If am using Enpass, what can I do? I will log on a public computer but then I can't access to anything? What did I missed? Thanks for you answer.

Hi, If am travelling and I loose my phone or computer. i want to connect to my email adress from a public computer or from a friend or any one else that don't have enpass. What can I do to get my password? thanks.

Hello, not sure if this is the correct forum to address this. Please move it if I chose wrong. Im getting a sync error on my corporate network because our firewall is not allowing enpass to get through. I try to sync with onedrive and i get redirected to onedrive, login and it makes the connection, but still get a sync error. This works as it should when im outside our corporate network so I suspect our firefall settings. I have asked our IT department to do an exempt for Enpass in the proxy but i need to know what url/port we need to whitelist. Anyone who can help me with this? Thanks!

Hi Enpass Team, as you claim everywhere that Enpass is based on SQLCipher, an opensource technology, I decided to look by myself (not that I don't trust you, but i'm curious ;)). So, I installed sqlcipher and opened the database. It was easy to find the right parameters to decrypt the DB: PRAGMA cipher_default_kdf_iter = 24000; PRAGMA kdf_iter = 24000; PRAGMA key = '<PASSPHRASE>'; But now, I can't find where are the passwords. I would have thought they would be in the Cards table in the Data field, but it's obviously not, as (almost) all my Data fields have the same value. The passwords does not seem to be in the other tables. So, where are they? …

Hello dear Community, Now I want to hear from you, where you save your Passwordfiles on the Computer? I had a pretty obvious file, where you could assume that it would be there. Which is pretty dumb obviously. Still I'm not sure which way would be smarter. Put in an any "random" file where no one would suspect it? Oder put in a file with countless other files inside? Do you get what I mean? I'm sorry, if my english is bad .. Best Regards

After using 1Password for a long time, I plan to go back to Enpass, the first password manager I used. This is mainly because multiple vaults are available in the latest Enpass versions. My 1Password account is secured with a master password, secret key and 2FA. At Enpass I will have to use a keyfile to make the vault just as safe. But where can I store my keyfile the best and easiest so that I can access it on any device (Windows, Android smartphone, Chromebook)?

Hi all, I have not found an answer while searching so please forgive me if it is already answered, but I would be interested in knowing which cipher (and library) is used by enpass to encrypt data? Thanks a lot in advance and thanks a lot for that great product. Thomas

Hi, one of the reasons why i preferred Enpass over other password managers like Lastpass and 1password was that the developers just distribute the binary, and everything else like sync and so on was completely in my own hands. No connections to other servers, nothing. This was great, since i believe a password manager should do as little communication as possible. Until now i was very happy with Enpass. But now i have some serious questions about the new favicon feature. The announcement says that Enpass downloads it from the developer's server, and you need to enable the feature on each client separately, so i assume each client downloads the favicons separat…

I am a big fan of Enpass in China. However, I find Enpass take so much CPU time and send/receive so much traffic through internet. As a password manager app, I believe it do not need use CPU so often, or it do not need to send traffic so much.

The two that cause me the most concern is your collection of my Apple user ID and name. In the IOS app there is a section entitled: Data Linked to You The following data, which may be collected and linked to your identity, may be used for the following purposes: App Functionality Contact Info Email Address Name Identifiers User ID Device ID Usage Data Product Interaction

I have a very simple setup: 1 vault, 1 PC running enpass wifi server, 1 android phone, 1 ipad. I update enpass data somewhat rarely; the occasional add of a new credential, and changing of existing passwords. I got the wifi sync working just fine, but was wondering if it was a good idea to "pause" the server after syncs, and only enable it when I want to force a sync across devices. This is, of course, less convenient, but am willing to do so if this is more secure. My gut feeling is that it's ok to leave running given that credentials or a QR scan was required for a client to receive data, but thought I would ask anyhow. Thanks in advance for any advice.

Hello I would like to know if it is safe to use windows hello to unlock Enpass? Thanks.

When on a Windows-device with compatible TPM and the Hello-integration is turned on, it is possible to delete the Keyfile with the effect that only Windows Hello authentication will be possible. I am positive by that finding, and believe it could be highlighted in the manual or something (couldn't find it in https://www.enpass.io/docs/manual-desktop/Enpass-Desktop.pdf, it only seem to reflect quick unlock with TPM) The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside or be visible to the target machine during everyday usage. that's a huge security benefit if you're using Hello anyway IMHO.

I have just started using enpass and I love it, mostly because of its compatibility with Windows Hello facial recognition. Now I noticed that, when facial recognition does not work, you are able to log in using your Windows Hello PIN. I can imagine this undermines security quite a bit, since my PIN is much easier to break than my master password. So would it not be better to ask for the master password, whenever facial recognition is failing?

I'm curious... how wise is it to store so much of one's information.. like bank account info, payment and identification information... On one hand, if you have all your logins stored in here... most of that stuff is available through that... so is it any worse to store it outright? I mean, if someone gets a hold of your database and cracks it, it's kinda over isn't it?

Hi, i have lost an entry in Enpass during access of an Website accidental. Now i ask me (better you) if it is possible to open the Database only readable to avoid such a failure. Writing only after after a second login, or something like that. Frank

EnPass currently has grade E on ToSdr.org for privacy+security which is the same grade of FaceBook! This does not look good for Enpass. https://tosdr.org/en/service/1575 You may want to address any issues or misunderstandings with them!