Data Security

Hello, I'm using version Enpass 6.8.1.658 In the Password audit section I have 28 supported 2FA web sites. I do not have Google services installed, is there a way to see which web sites these are? Thanks

I've purchased Enpass for Windows 10 (Windows Store) and also for Android. At work I use the traditional Win32 application. So I started Enpass today at work and updated the application to v6.3 (Win32) and after that I was prompted to register. I did it, but it shows Enpass Lite account now. For more details click on 192.168.8.1

I just got a fat, full-screen ad in Enpass about your new Enterprise-plan. How can you justify to push a intrusive ad like that? I understand that you badly want to reach out to existing users, but seriously.. You have Twitter, Facebook, your blog, the forum (with the not-so-used Announcement-section). You also have the emails of all your customers. Have you somewhere promised not to use the emails for offerings and therefor decided to push out this directly to users running and decrypted instances of Enpass? There is an option in Settings - Advanced regarding Notifications. It reads that it's used only for security concerns and respects.. bl…

Heya, I’m in the situation with Enpass Vaults across three devices (iPhone, OSX, Windows)I regularly used. For whatever reason, they’re not properly synced. I’d like to consolidate them without loosing anything from any Vault. I learned the hard way (using other password managers), that trusting Import buttons and hoping for the best is a bad idea. Your documentation didn't help me to take action yet. How do I proceed safely without compromising anything? Given I don't know which entries are most recent on which device. Thank you in advance! Ronny

Does enabling the password generator's "Ambiguous Characters" toggle allow ambiguous characters or disallow ambiguous characters? I believe this toggle should be better labeled so as to prevent confusion. Thanks.

Hi, I have several files with the extension ".enpassattach" and I need to decrypt them. I already have the original master key used to encrypt the vault. Is there any way to decrypt them ? Or re-import them to Enpass again ? Thanks.

So, I had a conversation with our company's CTO - his opinion is you should remember 2 passwords: 1. Password manager's master password 2. Your main email's password (meaning, do not keep your email's password in the vault) His reasoning is the extra layer of security - if a hacker somehow gains access to your vault, they won't be able to reset majority of the accounts (at least the important ones - like bank and stuff) as they don't have the password for your email. Additionally, he doesn't store 2FAs in the password manager and cringes every time i tell him i do store my 2FAs in the PM. His thoughts on this - again, extra security - use a separate ap…

Hello, I would like to know if Enpass automatically deletes the passwords copied in Enpass, if windows 11 and Android keep them memorized it would not be very safe, thanks.

Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked - just by visiting a infected website. This allowed the attackers comprehensive access to the data in the iPhone: WhatsApp, Signal, SMS, gps-location, photos, contacts and - yes - even the keychain with the passwords should have been open. An incredible Bug! My question: Was Enpass also affected? Could attackers - even theoretically - read the passwords from the Enpass database? As far as I know, Enpass uses the iOS keychain to store the masterpassword, if you use biometric unlock. Who knows more?

Hello, I am using Enpass with a password and the keyfile, every time I have to enter Enpass I must have the password together with the keyfile, but I have a doubt, it would not be more secure if the keyfile was used only the first time it is installed Enpass? If I have a virus on my computer, it manages to find out the password but does not know the keyfile so enpass cannot be installed on another computer.

Hello. When I started using enpass back in early 2019, I was choosing password managers from countries (India) that are not: The '5-Eyes': The US, the UK, Canada, New Zealand and Australia The '9-Eyes': The '5-Eyes' group plus Denmark, Norway, the Netherlands and France The '14-Eyes': The two above groups plus Germany, Sweden, Belgium, Spain, and Italy https://protonvpn.com/blog/5-eyes-global-surveillance/ Now I see that your company is already from the USA, and besides, the program is completely closed source. After the change of country to the United States, the confidence in you has become less and less and I can no longer trust my data to…

When on a Windows-device with compatible TPM and the Hello-integration is turned on, it is possible to delete the Keyfile with the effect that only Windows Hello authentication will be possible. I am positive by that finding, and believe it could be highlighted in the manual or something (couldn't find it in https://www.enpass.io/docs/manual-desktop/Enpass-Desktop.pdf, it only seem to reflect quick unlock with TPM) The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside or be visible to the target machine during everyday usage. that's a huge security benefit if you're using Hello anyway IMHO.

EnPass currently has grade E on ToSdr.org for privacy+security which is the same grade of FaceBook! This does not look good for Enpass. https://tosdr.org/en/service/1575 You may want to address any issues or misunderstandings with them!

Please bring the option to disable the inline autofill completely from the Enpass, as a security feature! One of reasons I've chosen enpass is the separation between the agent and browser. I can configure enpass, so browser never has any access to my passwords without my knowledge, which prevents any 0-click malicious extensions from stealing my passwords. With new inline autofill this feature is lost. I can either completely disable browser integration or have it done in less secure way it was previously. As the "old way" of filling passwords still works, please give us the option to completely disable the new way from the enpass itself, so browser extension ca…

Hey Enpass Team, I recently moved from Dashlane to Enpass and I used cloud sync and use Box.com for that. My question is does the data saved on Box also encrypted?

Hello, I wanted to add OneDrive sync, but I see a strange permissions request: This app would like to: Sign you in and read your profile - totally fine Have full access to the application's folder - totally fine Maintain access to data you have given it access to - fine (even though I don't know, how it will give access to 3rd parties) Edit or delete items in all site collections - what?! Delete or edit all SharePoint and OneDrive data?! (for those who don't know, each SharePoint site is a site collection and Onedrive is part of a SharePoint site)[expanded description: Allow the application to edit or delete documents and list items in all s…

Hello guys, I update my passwords on a regular basis and use 2FA where it is available. The most providers of 2FA give you backup codes, i case you can't get into your account. Is there a way to store these backup codes securely? Can I just put them in the notes section? I would like to hide them as dots like the passwords. Will there be a feature like that?

Recently something came across my mind. Enpass user manual says that all my data is encrypted using my master password then how come when I switch on biometrics I can open enpass with my fingerprint only?

Hello I would like to know if it is safe to use windows hello to unlock Enpass? Thanks.

Does Enpass intend to implement 2FA for itself as an second authentication method instead of Keychain It is much easier to use and is less risky as losing access to a 2FA is harder than a keychain

When creating a back up to a folder on my Mac, the backup files are defaulting to Word docs. I recently tried to open a backup as a word doc just to test if any data would be displayed, but now all backups default as word docs. They do not actually open using word, so no data is displayed. And as a test I created a new vault using a backup word file and everything imported fine. Does is matter if the backups are defaulting as a word document, or should this be changed to something else for security reasons?

I have a very simple setup: 1 vault, 1 PC running enpass wifi server, 1 android phone, 1 ipad. I update enpass data somewhat rarely; the occasional add of a new credential, and changing of existing passwords. I got the wifi sync working just fine, but was wondering if it was a good idea to "pause" the server after syncs, and only enable it when I want to force a sync across devices. This is, of course, less convenient, but am willing to do so if this is more secure. My gut feeling is that it's ok to leave running given that credentials or a QR scan was required for a client to receive data, but thought I would ask anyhow. Thanks in advance for any advice.

The two that cause me the most concern is your collection of my Apple user ID and name. In the IOS app there is a section entitled: Data Linked to You The following data, which may be collected and linked to your identity, may be used for the following purposes: App Functionality Contact Info Email Address Name Identifiers User ID Device ID Usage Data Product Interaction

Hello, I am relatively new to Enpass, I noticed, that after reboot, I can use the PIN to access my fault. How can this be secure? This means that the Masterpassword is stored locally on the flash memory. This and the fact, that there have never been an security audit for iOS really worries me. Can someone explain to me, how this might possibly secure? I have a feeling, that the reason, why there is no security audit is, that they know, that there is no way there application passes the audit.

My phone is lost, and I would ideally like to remotely delete the enpass app, or the app data (passwords), IF someone is able to break the app password. Is this possible?