Leaderboard

I talked with a colleague about password managers and he suggested 1Password. On the website of 1Password I saw on the "Tour" site (https://1password.com/tour/) some features of 1Password. One feature is very interesting and increasing the security: They show which sites in your vault support TOTP but the user has not set up TOTP. Here is a screenshot from the 1Password site: Suggestion In Enpass add the entry "Missing TOTP" in the section "Password Audit". Here you should show all password entries, where TOTP is possible but not set up by the user. Here is a list of services that support TOTP: https://twofactorauth.org/ We had a Doxxing scandal in Germany where a young guy published many private information stolen from accounts of German politicians and German celebrities. This guy was able to steal the data because the accounts used very weak passwords (like 123456) and were not secured with TOTP. So this feature increases the security a lot!

Hey @7Bit Could you please try re-enabling Open Automatically at System Startup in Enpass General settings and let me know if the problem persists. Thanks!

I've been following Enpass for a while but have never seen a need to comment on the forum since I was waiting for a security audit before purchasing. I work in this area and I want to clarify a few things on here: First of all, the disclaimer "It is important to note that because of the time constrains naturally involved during a Penetration Test exercise this project should not be considered a full security audit", is standard. You're unlikely to going to find someone who is going to declare something secure and take ownership of any vulnerabilities that are found. By their nature any audits are going to be limited in time and have disclaimers. A two week audit by two people is quite expensive but is still best effort. Windows was audited for years by a multitude of people before being released, yet they still had a bunch of vulnerabilities. That being said, from my experience a two person two-week audit is probably enough for a smaller project like this if you exclude the open source software that it uses - and given the concerns people have being due to the software being closed source, that's probably fair. There's no point in spending two weeks auditing SQLCipher when people are worried about Enpass itself. Now I do have some concerns with respect to the audit. There seems to be very little information about what they tested - if anything - other than trying to extract the master password in a variety of ways. Did they look for potential memory corruption vulnerabilities? Did they test the "password sharing" feature that is new and is an obvious point of attack. Did they test the browser plugins, which are another possible attack vector? They mention looking at restoring databases, that's definitely an area of attack: say you store a less important database in the cloud, could it be used to compromise the application when it opens this database (possibly this vecotr only affects SQLCipher so it may have been out of scope)? Did they consider these attack vectors or were they only looking for master password issues? From their summary and methodology it seems that they would have, but there is too little information on this. Another concern that I have with the audit is the following: How much time was wasted reverse engineering Enpass v 5.6.9 before the source code was provided for 6? This is less of a concern for Android since Java applications are easily reversible, but they were still looking at older code at the time. How quickly did they get access to the Windows source code? There's a big difference between a one-week source code assessment and a two-week source code assessment. Someone mentioned PCI on this forum, that is only done for payment processing (you can tell by the name Payment Card Industry Data Security Standard). As far as I can tell Enpass does not take payments, they only allow purchases via app stores, thus have no need for PCI. In general PCI is a checklist for minimum standards: do you have a firewall, do you encrypt payment card data at rest and in transmission, etc. That checklist is then verified by an auditor, but it's meant to satisfy the payment processors and says nothing about the security of the software that Sinew produces. That being said, I want to applaud Enpass for making the full report accessible, very few companies would provide the report to their customers in full and would simply say "we've been audited by X".