Leaderboard

Thank you very much. I used the wrong way to use the Microsoft Store. Enpass 6.1.2 (432) has been updated.

Hi @GoodbyeEnpass and @tgcrypt, Please help me understand what is wrong with security audit. Why you think it is not complete. We gave full source code access to audit company. Enpass is a offline password manager, so risks are always lower by nature and attack vectors are always local. One can't execute remote attacks on it. Thanks.

Hello, everybody! I truly understand your concern for a software holding critcal information and not being open sourced or audited by any credible third party agency. Well guys, thanks for all your comments and we've decided to get third party audit of Enpass. But all we need is just some more time as after the upcoming release of Attachments (beta is already there), we'll work on some key features like multiple-vaults with a need of refactoring the core engine, and I think that would be that best time to go for audit, all at once. Till then, please bear with us and all I ask for is your co-operation. Cheers!

Hi @Daniel-san, Thanks for your message. I really appreciate your awareness about the security of your data. In one sentence, I can say that Enpass is not at all affected with this issue. This link states how the passwords from Lastpass were revealed to unknown websites due to logical bug in using regular expressions, while in Enpass we have used proper function provided in SDK to extract the hostname from URL. QString QUrl::host(ComponentFormattingOptions options = FullyDecoded); When you visit any webpage with the URL say http://www.example.com/login/, and click the Enpass extension icon or press the shortcut key for autofilling, the whole URL is passed to main Desktop App which by using the above function extracts the hostname as www.example.com, from which the domain name would be further extracted as example.com. Now the main Enpass App finds the all matching items for example.com and transmits its icon, Title and subtitle to Enpass-Helper (part of Enpass App and not extension). Enpass-Helper display this information to user and waits for user to select the item for autofilling. (This step is bypassed if the user has requested autofill using shortcut key and only single item exists matching for that domain). Upon selection, the information of selected item is passed from Enpass-Helper to Enpass app which further supplies the username and password to Enpass browser extension. All this communication is secure and happens on localhost about which you can read more here in our user manual. As you can see that most of the work is done in Enpass App itself rather than the extension and we keep updating our desktop App on regular basis, so you can confidently use Enpass and its browser extensions. If you still have any doubts, please feel free to share with us. Cheers and have fun with Enpass! Hemant