Enpass Discussion Forum

Leaderboard

Popular Content

Showing content with the highest reputation since 05/13/22 in all areas

  1. Hi @sxc4567 I can understand the risks associated with this unfortunate situation. We use both mlock (to exclude memory from swap) and madvise (to exclude memory from dumps) for critical memory allocations. Please read this old reply to understand how much of the sensitive data is available in memory as plain text at a given time and how memory sanitization works in Enpass. We are continuously working to improve the security of Enpass and prioritized a memory sanitization review task to specifically handle this situation. Regards,
    4 points
  2. Thanks @Ivarson. You are 100% right here. @sxc4567 PIN locking is a convenience feature and only restricts app access. It does not close the underlying SQLCipher database handle and an unencrypted database page may still be there in process memory. However, there is an additional level of encryption for the stored passwords with a per item obfuscation key to prevent direct visibility in memory for this case. Though, an attacker with advanced skills can still find the obfuscation keys and decrypt it. Locking with master password is the safest option for Linux as it will close all underlying resources too. Cheers :)
    3 points
  3. So, seeing as your response has changed from “Q2 2022” to “no ETA” in the span of 4 months, and there’s no M1 native version being tested in TestFlight even though we’re halfway through Q2, is it safe to assume that the M1 native version isn’t coming anytime soon? I’m about ready to jump ship over this issue. Enpass is literally the only app I use regularly that hasn’t transitioned yet, and it’s completely unacceptable. It has been nearly 2 years since the Apple Silicon transition was announced, and 18 months since these machines have been available to consumers. What’s taking so long?
    3 points
  4. Hi @all We were able to reproduce the bug on our end, due to which this issue is occurring. Our dedicated development team is working on a patch right now, which will be released very soon. Enpass appreciates your patience in the meantime.
    3 points
  5. Locking Enpass with a PIN active doesn't close the database AFAIK. If you lock it without a PIN being set, then it's closed properly. In Windows when Full-time TPM support is active, I believe the database is locked properly due to TPM handling the key rather than Enpass itself. I could be wrong though.
    2 points
  6. Hi @all, Thank you for your understanding. We apologize for any inconvenience caused by this matter. We were able to reproduce the problem on our end, due to which Dropbox authentication is frequently required. Our tech team is working on resolving this issue and a fix will be implemented shortly. Please bear with us while we get this resolved. Appreciate your patience and support in the interim. #SI-2785
    2 points
  7. This really is the core of the issue for me. Running through Rosetta hasn't had an impact on performance, and I haven't noticed a hit to battery. In a vacuum, this wouldn't be a problem, I knew what I signed up for when I got a first generation product. But this is a password manager. It's one of the few applications where fast, timely updates are very important. If there's an exploit in the future, should we just expect our data to be exposed for 2+ years while you guys wrangle your code gremlins? I've worked with Qt before, and quite frankly, I would be mortified if it took me 10 months (since Qt 6.2 was released) to integrate upstream changes. I can't imagine looking my boss in the eye and telling him that the reason something this fundamental is taking so long is because of some deprecations. Qt is a UI framework, it really shouldn't be taking this long to handle a few deprecations. I don't buy the excuse that it's truly taking this long to update your UI, and I don't even want to imagine what hell-spawn spaghetti code you're working with where some deprecations in a UI framework requires a total rework of your codebase.
    2 points
  8. I totally agree with @dahliamma and @pitchblack It is totally unacceptable that two years later, in most cases, this is the only not native application that we are running. You say in the recent release: I CAN'T believe that your developers have released a BIG update without native support. The password manager perhaps is the most important app in a computer (at least in my case). Is this a reliable company to trust my most precious data? I'm not sure.
    2 points
  9. I just tried this on macOS Monterey with the store version of 6.8.0 and I was able to copy things out of notes via the keyboard shortcut and also by right clicking on the selection and choosing Copy. I tried via the menu bar assistant and that worked, too. Can you provide more information about your setup and macOS version? It will be hard for them to fix something if they can’t figure out how to replicate it.
    1 point
  10. Thanks. I'm using Windows so that's why it didn't ring a bell.
    1 point
  11. Hi @all Enpass greatly appreciates your patience while we worked on fixing the bug. We have released Enpass beta website version for Windows (ver 6.8.1), which addresses the re-authentication issue for Dropbox. Please try out the beta version from here and share your findings with us.
    1 point
  12. There is another topic asking for SSH Agent support. Unfortunately, the topic has been already closed without further information whether this will be implemented or not. I would really love to have SSH Agent support in Enpass. My expected behavior of this implementation would be Enpass asking me to unlock the Vault once an SSH Agent request is made (just like auto fill in the browser extension) and then accepting the SSH Agent connection. Is this on the list to be implemented?
    1 point
  13. Manish, thx for that info. I'm aware that I can order items by dragging that menu icon. However, what if I had a number of items that I'd like to drag as one group? Eg have "Contact Details" before "Home Address"?
    1 point
  14. Hi @Manish Chokwal At this time Enpass does not display a new version. It is installed 6.8.0 (Build 1059)
    1 point
  15. thank you. if you do plan to continue to push "Enpass-related news" straight into the app, please at least introduce another option in Enpass where users can opt out of such overhead. IMHO such content shouldn't exist in the precious memory-space of Enpass at all, use _any_ and _all_ other channels. thanks for hearing me out and keep up the good work
    1 point
  16. Hi @Vinod Kumar, Thank you very much for your reply. I have to say, this sounds really excellent! I read through the linked thread as well; do I understand correctly that, so long as Enpass is locked (for example at the PIN prompt), there is very little risk of data leakage through memory - aside perhaps from UI libraries that are extremely difficult to control anyway?
    1 point
  17. Hi Gulshan Thanks for the reply and good advice. I only just 10 minutes ago got it working on my iPhone. I ended up uninstalling it on my iPhone and reinstalled Enpass and I was able to put in a Master Password. I'll have to watch youtube videos in regard to using it and my son is using it so can get some help there. I'll have to sort it out now on my Windows 10 PC. All good for now and hopefully I'll understand how to use Enpass soon. Thanks again. Col
    1 point
  18. Hi @SophiaB Thank you for trying the steps I shared with you. I have forwarded this concern to our dedicated testing team. As soon as they update me regarding this matter, I will be sure to notify you. Thanks for your patience in the interim. #SI-2829
    1 point
  19. Hello @Ivarson We understand where you are coming from and your concern. Over the last few years, we have received various requests from our users for a Business version of Enpass (to improve the overall security posture of their business), its availability, and our upcoming plans regarding the same. As a result of these requests and suggestions/feedback from our B2C customers, working in various organizations, Enpass was able to develop a business version. Hence, for a lot of our existing B2C users, the Business version was long overdue. Therefore, we saw it befitting to announce to our user community that the Enpass Business is out and they can spread the word among their organization. Furthermore, we only plan to send out “Enpass-related news or security-related news” through our app. However, having said that, the last thing we want our users to feel is that Enpass is being intrusive. Although we do plan to reach out to users through email, we felt that we would be able to cater to a larger audience via our app notifications. Enpass apologizes for the inconvenience once again and will do its best to ensure that its customers have the best experience a password manager can offer, including reviewing our policies on using notifications inside the app.
    1 point
  20. There's more of us, and it happens on iCloud sync too. We're chatting in the cloud sync forum:
    1 point
  21. I can't believe this still hasn't been addressed. I've been a big Enpass fan until now. I've patiently waited months only to have this clearly serious and widely user affecting bug ignored. I'm going to spend the weekend looking for a new password service.
    1 point
  22. I've gone through all those steps. We'll see how it holds up. Hopefully that solves the problem. Many thanks!
    1 point
  23. The fact that there is still no native M1 app is unprofessional. Enpass is now only one of the few apps in the Mac infrastructure that is not silicon ready. Time to change, your poor performance is annoying. Apparently you don't need happy users. Do you only employ a handful of developers?
    1 point
  24. Ditto! Similar behavior for me as well.
    1 point
  25. Hi @Dani, Thanks for reaching out to us. For quick troubleshooting please follow the below-mentioned steps and share your findings with me. Make sure to take the complete backup of Enpass data and save it locally (in the device which has all the Enpass data saved). Disconnect the sync from all devices that are synced with Dropbox. Open Dropbox on any browser on your device --> Go to App --> Enpass folder --> Vault.enpassdbsync --> Rename it as Old vault.enpassdbsync. Now open Enpass and connect with Dropbox Sync on all devices.
    1 point
  26. Hi @Fadi, Thank you for reaching out to us. I would like to share that I have duly noted your feedback and it has been forwarded to the concerned team for further consideration. #SI-2719
    1 point
  27. As far as I know Enpass is perfect just without few bugs (if there are any) which Enpass team fix but there is a feature which I miss in Enpass. Which is PGP Features like few other password managers have. I think adding PGP to Enpass will complete its needs as one stop shop for most required security features. People like me use PGP daily and many people are getting aware of encryption using PGP so I think it is a great feature to have in a great password manager.
    1 point
  28. Enpass became aware of a critical remote code execution log4j vulnerability (CVE-2021-44228) on Friday 2021-12-10. We do not use Java in our product stack except Android app (log4j not being used). Hence, Enpass is not affected by this vulnerability.
    1 point
  29. Hi @Pratyush Sharma, Thank you for reverting. I'm currently using MacBook Pro and OS is Big Sur 11.1 and Enpass version is 6.5.2(726). I'm also using Enpass on iPad Pro and Samsung Galaxy S9, but mainly I'm looking for this feature in the desktop version. While implementing the "Save Webform" feature, kindly requesting you to have "Add / Edit Custom Fields" and rearranging / sorting feature also as displayed in the screenshots below. I've gone through couple of Password Managers yesterday. I've included couple of screenshots of this feature implemented in Lastpass, Bitwarden and Zoho Vault. Please have a look. Should you require any further feedback, please let me know.
    1 point
  30. Hi @Phylum, Sorry for the late response. Let me assert that the severity of this kind of attack is low, given the nature of the permissions an attacker requires to exploit it. This attack is only possible on a compromised system where an arbitrary process can read other process' memory and process memory protection is operating system's responsibility. A password manager or another user-space process can't defend against such attacks. However, we have taken some steps to mitigate this kind of attack. This was one of the reasons to rewrite Enpass 6 entirely with a new, robust architecture. Please check the Security Audit report where this issue appeared and resolution was provided by us (page 5). Enpass is composed of two parts, Core and UI. The Core part is entirely in C++ and we have done extensive memory sanitization there. Almost always, UI part is responsible for leaking secrets because once an item is displayed in UI, we don't have control over its internal UI buffers. We have to depend upon garbage collector of framework/language to finish the work. One possible solution is to create custom controls for everything related to password and here is what we have done in various scenarios: Master password is always scrubbed just after unlocking your database or usage on any other screen. Our custom editor control for master password input ensures this. You will almost never find a trace of master password in memory. Only the password you are currently interacting with is loaded into memory and scrubbed after its usage. The UI control to view a password is a custom control. Editing passwords - This is the only time we use stock UI control to edit item password. For better user experience, we are not using the same custom control we use for master password. This password may or may not be found in the dump depending upon when it was freed by framework.
Security is an ongoing process and we are continuously improving our software in every aspect, memory sanitization being one of them. We are working on bringing in custom controls in more leakage points. Thanks.
    1 point
  31. Same/similar issue with Enpass 6.8.0 on Mac (OS 12.3.1 Monterey), iPhone (iOS 15.5) or Windows 10. Old previously authorized and sync'd vaults (created by earlier versions of Enpass) synchronize OK, but new vaults cannot be sync'd to the server via v.6.8.0 running on any of the platforms. I suspect the issue is relaying the username or the password (probably the latter) to the server. This happens with WebDAV running on Synology DS418 on DSM 7.1 and WebDAV Server 2.4.3; downgrading the server did not help. Synology troubleshooting could not find anything wrong with the server and in any case the WebDAV server could be successfully logged in via CyberDuck. Downgrading Enpass to v.6.7.4 solved the issue on the Mac. Unfortunately, the iOS app can no longer be downgraded and the issue persists on the iOS (iPhone). I'm wondering if Enpass can make the previous version of the iOS app available as a temporary workaround.
    0 points
  32. While we understand your concern @dahliamma, Enpass would like to assure all that our developers are working on it and the launch of Enpass native macOS app is getting delayed due to extensive migration (as mentioned above). However, we would again confirm that Enpass will be available for macOS natively very shortly. Looking forward to your support and patience.
    0 points
  33. Hello, Glad to know I am not the only one with this behavior. I submitted some info on my WebDAV config to help the team find the issue. We cross our fingers for the next one. BR
    0 points