Leaderboard


Popular Content

Showing content with the highest reputation since 02/09/2019 in all areas

  1. 1 point
    Hello, I am using Enpass 6 and tomorrow I have to use another computer (just for this day) where I cannot install any applications. Is Enpass 6 also available as a portable application? Where can I download it? Best regards OLLI
  2. 1 point
    Hey guys, Thanks for sharing the details. I have noted down this issue in the tracker and notified the dev team to look into it. Till then please co-operate with us.
  3. 1 point
    Same problem with Linux Mint 19.1 Cinnamon and Enpass 6.0.4 (281)
  4. 1 point
    Hey guys, Thanks for writing back. I have notified the dev team to look into it. Thanks for your co-operation.
  5. 1 point
    I'm using Enpass 6 on Linux with Google Chrome (unstable). On some websites, auto filling the login form results in filling in the form and reloading the page instead of posting the form. Opening the same page on a new tab temporarily solves the issue but after some time it occurs again. I'm not sure whether this is an issue with the Enpass extension or Chrome. I also did some debugging: There is no POST request (which is done when submitting the same login form on another tab). The page is simply reloaded. Auto filling in an entry stored for another page results in filling in the user and password from the other page and then loading the other page (e.g. I'm on page A, select an entry for page B from Enpass to auto fill, username and password from page B is autofilled (without submitting the login form) and then the URL of page B is loaded)
  6. 1 point
    First I noticed you can't search for a credit card number as the contents for searching in fields is broken. And now I discover you have completely removed the feature for restoring a backup from one device to another over the local network. This is the main reason I purchased Enpass! Calling this your best upgrade ever is a load of Cr•p! How can I go back to the previous version?
  7. 1 point
    Anshu, I haven't been able to replicate the issue with any sort of consistency, but I will start taking notes today. Thank you for your concern!
  8. 1 point
    Hey @david, I'll be happy to forward your feedback to the concerned desk for further improvement. Cheers!
  9. 1 point
    Every now and then a site has more "form fields" than just username and password. For example, a site I log into several times per day has an extra field called Company, after that comes username and password. If I add a field in my template for that site, there's no way to choose a format that will actually fill in that field on the page. Checking the site, the field is called "SystemName" in the code. I was hoping to be able to add SystemName as a special template, so I just purchased the "pro features" in the app store because I thought that custom templates etc. would be of use in this case. But what I see I need is something like "custom form fields" or something like that. Especially for me, this is something that I come across on a daily basis in my work where I need to rely on the web browser's saved forms to fill in the rest (which I obviously can, but it's difficult if I'm on my phone or if I happen to open a different browser etc.). I wish this would be added in Enpass. I hope my explanation was decent. =)
  10. 1 point
    Hey @7Bit, could you please try re-enabling Open Automatically at System Startup in Enpass General settings and let me know if the problem persists? Thanks!
  11. 1 point
    I talked with a colleague about password managers and he suggested 1Password. On the website of 1Password I saw on the "Tour" site (https://1password.com/tour/) some features of 1Password. One feature is very interesting and increases the security: They show which sites in your vault support TOTP but the user has not set up TOTP. Here is a screenshot from the 1Password site: Suggestion: In Enpass, add the entry "Missing TOTP" in the section "Password Audit". Here you should show all password entries where TOTP is possible but not set up by the user. Here is a list of services that support TOTP: https://twofactorauth.org/ We had a doxxing scandal in Germany where a young guy published a lot of private information stolen from accounts of German politicians and German celebrities. This guy was able to steal the data because the accounts used very weak passwords (like 123456) and were not secured with TOTP. So this feature increases the security a lot!
  12. 1 point
    Hello, I read in a computer magazine that there is a new browser extension for Google Chrome called Password Checkup https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno When I sign into websites, this extension checks if the password that I have entered is pwned. Then a message box is shown telling me if the password was pwned (message box is red) or if my password is still safe (message box is green). I think it would be useful when Enpass also checks passwords at login. But you should only show a message when the password was pwned. Best regards OLLI
  13. 1 point
    I've been following Enpass for a while but have never seen a need to comment on the forum since I was waiting for a security audit before purchasing. I work in this area and I want to clarify a few things on here:

    First of all, the disclaimer "It is important to note that because of the time constrains naturally involved during a Penetration Test exercise this project should not be considered a full security audit", is standard. You're unlikely to find someone who is going to declare something secure and take ownership of any vulnerabilities that are found. By their nature any audits are going to be limited in time and have disclaimers. A two week audit by two people is quite expensive but is still best effort. Windows was audited for years by a multitude of people before being released, yet they still had a bunch of vulnerabilities.

    That being said, from my experience a two person two-week audit is probably enough for a smaller project like this if you exclude the open source software that it uses - and given the concerns people have being due to the software being closed source, that's probably fair. There's no point in spending two weeks auditing SQLCipher when people are worried about Enpass itself.

    Now I do have some concerns with respect to the audit. There seems to be very little information about what they tested - if anything - other than trying to extract the master password in a variety of ways. Did they look for potential memory corruption vulnerabilities? Did they test the "password sharing" feature that is new and is an obvious point of attack? Did they test the browser plugins, which are another possible attack vector? They mention looking at restoring databases, that's definitely an area of attack: say you store a less important database in the cloud, could it be used to compromise the application when it opens this database (possibly this vector only affects SQLCipher so it may have been out of scope)? Did they consider these attack vectors or were they only looking for master password issues? From their summary and methodology it seems that they would have, but there is too little information on this.

    Another concern that I have with the audit is the following: How much time was wasted reverse engineering Enpass v 5.6.9 before the source code was provided for 6? This is less of a concern for Android since Java applications are easily reversible, but they were still looking at older code at the time. How quickly did they get access to the Windows source code? There's a big difference between a one-week source code assessment and a two-week source code assessment.

    Someone mentioned PCI on this forum, that is only done for payment processing (you can tell by the name Payment Card Industry Data Security Standard). As far as I can tell Enpass does not take payments, they only allow purchases via app stores, thus have no need for PCI. In general PCI is a checklist for minimum standards: do you have a firewall, do you encrypt payment card data at rest and in transmission, etc. That checklist is then verified by an auditor, but it's meant to satisfy the payment processors and says nothing about the security of the software that Sinew produces.

    That being said, I want to applaud Enpass for making the full report accessible, very few companies would provide the report to their customers in full and would simply say "we've been audited by X".
  14. 1 point
    Hey @dvdr, The suggested feature is already in our roadmap and will be available with the subsequent update. Cheers!
  15. 1 point
    I've changed about 70 login passwords for services and websites. One thing I noticed: most of them do not say "you must not use THESE characters" when creating a password, but they say "allowed characters", especially in regard to special characters. So I had to fumble quite a bit to enter all special characters to create a password meeting the ever-changing requirements of the websites/services. So, it really would come in handy if, in password options, the option would be "allowed characters" instead of "do not use the following characters" - or we have a choice of both options. So, we could just copy and paste the "allowed characters" description from the website and make it easy to create a password for the website's/service's requirements.
  16. 1 point
    Hemant, Thank you for your response. I don't think anyone is expecting frequent audits. Once a year or every 3 years should be enough. As to the cost... that's the cost of doing business. The primary reason I skipped over this product was because it was both closed-source and unaudited. Otherwise, I would have purchased a copy. Gili