Enpass Discussion Forum

Leaderboard

Popular Content

Showing content with the highest reputation on 02/25/17 in Posts

  1. Here is the email I sent support. I'd love some community feedback and support feedback:

     I have a Nexus 6P running Android 7.1.1. The following are my bugs and requests:

     1. SECURITY BUG: Rebooting the phone does not cause Enpass to require the Master Password to unlock the app. I can use a fingerprint. Even after fingerprint is locked out for 5 bad tries and the Master Password is then required, if I reboot the phone, I do NOT need to enter the Master Password, I can use my fingerprint. That's a security risk.

        UPDATE: An EVEN WORSE SECURITY RISK is that if you get the fingerprint wrong 5 times, and it requires the Master Password, you can simply go to Android settings --> Apps --> Enpass and FORCE CLOSE the app, start it again and it will accept your fingerprint again. THAT'S HUGELY WRONG! This is EXACTLY why the first load of the app MUST ALWAYS require the Master Password, which it DOES NOT do right now.

     2. SECURITY BUG: When entering the Master Password on Android for the first time after installing the app (in order to sync the database), the typed characters show up on the keyboard prediction bar, which means that text entry field is NOT coded as a password field (which would not show the characters in the keyboard prediction box). It's just obfuscated normal text. Some keyboards automatically save typed words or entries. Or someone may be peeking and see the entire password typed out in the keyboard box even if it's obscured in the field.

     3. USABILITY BUG: I have notification form-filling turned on, and when I'm browsing in my Chrome-based Brave browser, Enpass NEVER recognizes the domain of the page I'm currently on. It always says brave.com. And after I search for my login info and select the right one, before it fills it asks if I want to add brave.com to my list of URLs for that account. So either Brave browser is not letting Enpass know what the domain is, or Enpass is not pulling that information correctly from Brave. I know it works with Chrome, but not Brave.

     4. USABILITY BUG: There is no way to auto-add a new login account to the Enpass database, as there is with the desktop version and browser extension. This is really crappy and inconvenient.

     5. FEATURE REQUEST: Make a view that shows only the TOTP codes for the accounts that have it, which is clear and easily accessible and visible, just like Google Authenticator or Authy. It just occurred to me that it is pointless to have TOTP on the same database as the passwords. Defeats the purpose of 2 Factor Authentication entirely.

     6. FEATURE REQUEST: When entering the Master Password, especially on Mobile where mistakes are easy, but also on desktop, make a peek button that allows the user to see what they've typed so if there is a typo, you don't have to start over again with very long passwords. It wouldn't have to stay visible, but a button that when you are actively pressing it, the characters are visible, and when you let go, they are obfuscated again, so a quick tap gives a quick and secure peek. This would be SUPER helpful.

     7. FEATURE REQUEST: Allow for files, images, etc. to be included in entries.

     8. FEATURE REQUEST: Allow for line breaks in the TEXT field (different from the NOTES field).

     9. FEATURE REQUEST: Allow type SECURE NOTE and the NOTE field to be obfuscated (hidden).

     10. FEATURE REQUEST: Allow for a toggle to not ask whether a certain domain should be added to the URL list for the account (which it ALWAYS does using the Brave browser on Android).

     11. INTERFACE BUG: When I long press on an account, it shows the DELETE option but not the COPY USERNAME option. When I tap on the overflow button for the account (three dots to the right) it does not show the DELETE option and does show the COPY USERNAME option. But all the other options are the same. This is inconsistent and they should probably be identical.

     Thank you for the app, I've enjoyed using it so far and I see a lot of great potential. Well worth the purchase price. But PLEASE address the security flaws immediately.
    1 point
  2. Some sites have rules on which special characters can be used in their passwords. They also require a special character in the password. I don't see a way to select which characters are used, so I have to keep refreshing until I get an acceptable password or use another generator.
    1 point