Data Security

Earlier this year, we learned about a browser extension vulnerability that could have exposed users to clickjacking. We acted promptly to investigate, patch, and ultimately release a complete fix. Here's what happened On April 7, 2025, security researcher Marek Tóth contacted Enpass to responsibly disclose a clickjacking vulnerability in the Enpass browser extension. Clickjacking is a web-based attack where a malicious site tricks users into clicking something unintended. In this case, a malicious webpage could exploit the vulnerability to trick a user into stealing a credential stored in Enpass by altering the attributes such as…

I've just learned that PBKDF2 encryption is outdated and vulnerable, and Argon2 or bcrypt are now the preferred password hashing implementation in modern password managers. When is Enpass going to upgrade or at least provide the option of using a secure password hasher? Raising the bar on security

Hello: I have checked my mobile connections and I have seen that Enpass has connected to an Amazon AWS related IP in Ireland. I would like to know if it is normal and if Enpass works with these servers. Thank you.

Hello! On some sites on which I am registered there is a 2FA, but they are not in Enpass database. How often is the database updated? How do I add a site to your database? For example, 2FA is implemented on the site https://account.keenetic.com (see screen) but this site is not in the Enpass database...

As a new user I'm realising that sharing vaults isn't easy to configure. I've had one support item open but not really got answers. I thought I'd ask a few basic questions here. As I understand it, I can only have 1 vault per cloud account AND sharing Primary vault isn't allowed. I therefore need to have a second cloud provider and account in order to set up a secondary vault. ie. A different account on the same cloud (eg Dropbox) as the primary vault, is NOT allowed. Are the above statements correct ? If they are, and given I already actively use Dropbox and Onedrive and Icloud - and NEITHER of the accounts are shareable in that my wife ALSO us…

Czech Republic based security researcher Marek Tóth, unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers: https://marektoth.com/blog/dom-based-extension-clickjacking/ Is this now fixed in all Enpass Browser Extensions? This is only mentioned in the release notes for the Chrome Extension (6.11.6): „Fixed a clickjacking vulnerability in the extension by preventing popover windows from overlaying the inline menu (Reported by Marek Tóth)“

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team. Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product? Thanks, Gili

Good afternoon, running ClamXav on my newly setup M1 MacBook Air I got the message that Enpass would be infected with Trojan.OSX.Agent. The app was quarantined. To confirm (and as I wasn't sure which version - download or Apple AppStore - I was using) I first downloaded the App from the enpass.io website to get the same result again. Installing Enpass via Apple App Store gave a clean version that wasn't infected as of ClamXav. Kindly check on the supplied version of your website and mitigate the risk for my fellow macOS users.

I'm a Lifetime Pro subscriber since at least 2018. I just started getting a Website Breached alert in the Audit screen for my Secondary vault. I've followed all the links included on both Android and Windows. The android app does show a link to a screen that describes HOW to find more details, like what website is actually causing this alert. But neither Android or Windows will show me that website. Both devices only show me a page that wants me to upgrade to 'Premium'. I would consider upgrading to Premium (although I don't see that I require the benefits that Enpass touts I would get) but since I can't get the website for a single Breach alert, I'm not convinced t…

Dear Enpass Support Team, Thank you for continuously improving Enpass—it's an essential tool I rely on daily. I'd like to suggest adding a feature to disable screenshots and screen recordings in your macOS app by leveraging the NSApplication.shared.isScreenCaptureEnabled property, available since macOS 11 (Big Sur). This feature significantly enhances security and privacy, especially when handling sensitive credentials. Competitors such as Strongbox have already integrated this functionality. Implementing this feature would further strengthen Enpass’s security positioning and offer peace of mind to your users. Thank you very much fo…

I found this video: https://www.youtube.com/watch?v=oWtR8vqbYX4 about polymorphic extension malware (there are also articles written about it). I'm wondering how big or likely a threat this is for using a browser extension for a password manager and if there is anything than can be done to protect yourself, other than not using a g a browser extension for a password manager. Would the trick still work if you only had your extension for a password manager as the only extension on your browser?

Enpass 6.8.4 (1166) is vulnerable to this: https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x

i am trying to decide to do my password migration to enpass... Is the following still true? This came from a different website... thank you.. I did another slightly more sophisticated test. I opened the “enpass” process (password manager that I currently use) with HxD ( HxD - Freeware Hex Editor) I copied a password that is this “secret_password” then I blocked enpass and as if by magic the password continues to be stored in the memory of the enpass process even when it is closed. Screenshot 2024-11-25 215729993×561 169 KB After 10 minutes with enpass locked the password continues to remain in unencrypted memory, …

I have exported my standard vault as .json and imported it into a new WEBDAV vault. In the new vault, I noticed that all passkeys are missing. Is this a bug or a feature. Is there a recommendation on how to copy an existing vault into a new vault, e.g. to change the cloud? Thank you for your help. Klaus

I would like to make a simple observation. To create or open a key file, the extension called ".keepasskey" is mandatory. In fact you cannot choose or create a different extension. For this reason it is very easy for an attacker to locate the enpass key file. For this reason, to keep it archived I have to rename it, and then when I need it I have to rename it again by adding the ".keepasskey" extension. Wouldn't it be a good idea to be able to create and open the file without the extension?

I just installed MalwareBytes Firewall Controller and am seeing an attempted outgoing connection to Akamai via a powershell script. Does Enpass use those two technologies?

Please see this post which I found which is very similar to my questions: https://discussion.enpass.io/index.php?/topic/27234-password-strenght/#comment-77241 They list several password checker sites, which all show a password as strong but which Enpass shows as weak. I would add these to the list: https://www.passwordmonster.com/ https://nordpass.com/secure-password/ https://bitwarden.com/password-strength/ The answer in that other post was the following: "Different password strength checkers use different ranges and algorithms to estimate strength of a password. Please go through this link to see how Enpass estimates strength of a passwor…

I see that Enpass is doing network requests even when I am not storing my vault in a cloud. According to this article Enpass uses internet access for some features. If I disable these features will I still be able to use Enpass? Or do I require to give Enpass network access to ensure my subscription is valid? I really prefer Enpass to not send any data from my device.

What version of SQLCipher is Enpass using? Noting 4.2.0 was released today.

.

I use Carbon Copy Cloner to make a backup of my hard drive. The encrypted backup is put in a bank vault for safety. I noticed today that CCC copies the Enpass folder in my Home folder, but the "Backup" and "Vaults" folders on the backup are empty. I can manually drag the files over to the backup drive, but I'm wondering why this is happening. Is there something special about these folders that causes CCC to ignore them? Time Machine seems to copy the Enpass files without issue so this definitely a CCC or Mac OS thing. Thanks!

The Forum is floated by spam messages. If Enpass is not able to add proper spam detection to their forums or at least human supervision that reacts in a time frame distinctly under 24 hours – why should potential customers trust Enpass security if the public representation to user seeking for support is so bad?

So, with Apple announcing it now 'uses new algorithms that cannot be beaten by quantum computers but which can still be run on and protect messages on today’s classical computers.' Should we not be thinking about this for our own password tools now too. If your passwords/notes are stolem now and decoded in 20 years, its still an issue. Thoughts?

The new beta version 6.9.4 for android seems to lock the main app when it is brought to focus (and if the "lock after" has been set), not in the background. I'm seeing my items briefly before enpass lockscreen covers it. So it seems the data is unprotected in the background. The behavior is seen when "Lock on leave" is disabled. If that setting is activated, the locking seems to happen as soon as the app is put to background.

I was surprised that Enpass showed me a prompt to "re-register" via a TOTP sent to my registeration email. What is going on here? Its not like I am logged in a website