Enpass Discussion Forum

Thoughts?

Thoughts? last won the day on March 12 2023

  1. @Fadi Try using Bitwarden offline, to see its impact. That's the fundamental difference between Enpass as offline, and Bitwarden as online password managers. There are 2FA setups, such as AuthLite, that work offline, but they're designed around connecting to a business domain, not one piece of software on a computer. As mentioned, with Bitwarden's desktop software, if a computer is kept offline and the local vault locked, even with 2FA enabled, offline access only requires the password. However, if you log out of that vault, it can now only be unlocked online, which means the physical vault on your computer needs access to Bitwarden's servers for the required authentication. I.e. if Bitwarden's servers are down, you won't be able to get to your passwords. I don't speak for Enpass, but for it to remain a truly offline solution, everything, including additional security layers, must also be offline; otherwise, the end user is no longer in total control of their own password vault. A simple example of that is adding and editing vault entries offline, a task that is second nature to Enpass. Bitwarden's desktop software, offline, is purely a viewer; they're still working on offline editing. There is no right or wrong approach, it's a matter of what works for you, but it's important to understand the pros and cons of both approaches.
  2. @MikDev @Nightangelg @Abhishek Dewan Separate from Enpass' sharing feature, it is possible to export a few entries as a JSON or CSV file. Create a new blank 'exporting' vault, copy only the entries you need to that vault, then export it, as .JSON, or .csv. Once you've created the vault, simply modify as required, to export different entries in the future. Obviously, the exported vault will be unencrypted.
  3. Hello Fadi - 2FA as in TOTP (authenticator app Authy, Aegis etc.) cannot physically be used to add another protective layer to 'any' offline vault file, physically on your computer. Bitwarden is identical in this regard. If someone stole your computer, and you had Bitwarden desktop installed, providing the computer was kept offline, and the thief knew your e-mail and master password, they could open your Bitwarden vault, even if you had set up 2FA on your account. As mentioned in an earlier comment, encrypting the key file on your computer is a way to add another protective layer. In this situation, the thief would need 5 things. 1 - To know your Enpass e-mail, 2 - master password, 3 - the key file location, 4 - to know that the key file was encrypted and 5 - to know the password used to encrypt the key file. Online or offline, without all that information, the Enpass vault would not open, even if they knew your e-mail and master password. Another alternative is to store your key file on a USB stick. Without the USB, the key file would be inaccessible, making it impossible to open the vault, even with the correct e-mail and master password. 2FA as in TOTP (authenticator app) protects online access to files and information, it's not designed to protect physical files, when offline. Stored in your personal cloud, Dropbox, OneDrive etc. your Enpass vault(s) are protected by 2FA, when enabled in your cloud account. It is purely the offline element of Enpass, that a 2FA authenticator app can't protect. For that to change, Enpass would need to be an online password manager. Which comes with a mixture of advantages, and disadvantages. The key disadvantage being, without access to the internet, or if the company's servers are down, an online-only password manager blocks you from accessing your own passwords. I completely understand your thoughts and concerns, but in order to protect offline physical files, the approach itself needs also to be offline. 
     Encrypting the key file or storing it externally are two such methods, and there are likely others. Whether Enpass might consider a hybrid online approach I don't know, but for myself what I value most about Enpass is having complete control of where my vault(s) are stored, enabling 2FA in each cloud storage location, having a secure, memorable master password and, vitally, being able to access critical information regardless of whether I'm online or offline or whether Enpass' servers might be down. With every password storage setup, regardless of the method, it is ultimately the responsibility of the end user to protect that information. Enpass is built as an offline password manager, and that is why it differs from others. If that approach isn't practical for you, then possibly a different online password manager might be more suitable.
  4. Thoughts?

    Cloud Sync

    If you have a look at this earlier post, there appears to be a current issue syncing with iCloud. As you'll read, Enpass are aware and hoping to resolve the problem. Not ideal I know, but you could as a temporary option use a different cloud, until Enpass resolve it.
  5. @Saint. A possible workaround, to delete an entry's entire password history, is to create a duplicate entry, then delete the original. The created duplicate will start with a blank password history. Just be aware, any file attachments, for that entry, will need to be added back in. The above link in Abhishek Dewan's post, see here, explains how to view the password history, in each app, including Android. As an alternative to your suggestion of an icon, if an entry showed the date of the last password change, alongside the last modified and created dates, you'd know when its password was changed. If the changed date was different to the created date, you'd also know the entry had a password history, saving you having to look in the password history menu. Separate from that, I agree it would be helpful if the password history was editable.
  6. @fadi Just furthering Steve Hansen's comment on Bitwarden. 2FA within Bitwarden, protects purely logging into your online account and database. If you also use Bitwarden's desktop software, the vault file, physically on your computer, is not and cannot be protected via 2FA (TOTP). Only using Bitwarden completely online, (no desktop software or local file), does 2FA, add a layer of protection, to your vault.
  7. As mentioned by Steve Hansen, it's technically not possible to use 2FA (as in TOTP authentication), to secure an encrypted vault, physically stored on your computer. However, if you are concerned about your computer, Enpass vault and master password, falling into the wrong hands, it's possible to add another layer of security, a second factor if you will, to your vault. Add Enpass's key file to your vault, as normal, then use an encryption tool, to encrypt the key file. If Enpass can't find/read the key file, the vault won't open even with the master password. Encryption could be as basic as a password-protected zip, but a more robust setup is via Cryptomator. Create a Cryptomator vault (folder) on your computer, choose an appropriate password, unlock the Cryptomator vault and place your Enpass key file inside the revealed folder. Open Enpass and point it to the new key file location. Cryptomator can be set to a timeout (locking all vaults), or remain open until the computer is shut down. Simply turning your computer off would lock the Cryptomator vault and re-encrypt the key file. On starting the computer, you and/or a potential thief would need your Enpass master password, and your Cryptomator password for that vault, to open/decrypt your Enpass vault. Removing the hard drive from your computer wouldn't change anything, it would actually better hide the key file, as it can only be revealed through the Cryptomator app! I've not tested this approach on a mobile phone, but Cryptomator do also have a mobile version of their software. Cryptomator's desktop software is free and open source. In a perfect world, the Enpass desktop software and mobile app would themselves provide the means of encrypting/securing the key file, but the approach I've suggested could be used as of today.
  8. Hi flyingbirds, I sync my main vault with one cloud, via the Enpass app, and the auto-generated backup files to a second cloud simply by syncing a custom backup folder. You mentioned you're using filen. As I understand, filen's desktop sync client is being updated to permit the syncing of custom folders. You will then be able to set up your chosen Enpass backup folder as a dedicated filen sync folder. An encrypted backup vault file, together with e-mail, master password and key file (if used), will allow you to restore your vault if your original vault file isn't available. You import the backup file when setting up Enpass as a new installation.
  9. I noted a similar question was asked back in 2019, so I thought I'd ask in 2022! Android 12 – Enpass app version 6.8.2.666. Having used various login methods on Android, I find Enpass’ keyboard to be about the most consistent. However, haptic feedback is a strong buzzer that can't be altered. Only by disabling haptic feedback globally can you stop the keyboard buzzing, as the app overrides the phone's own level controls. I’d welcome an updated Enpass Android keyboard, with both control over feedback and a more modern design. The FOSS keyboard, OpenBoard, could be an excellent platform for a revised Enpass keyboard. Button design, layout, size and colour are all configurable; it even includes its own clipboard viewer. If this was controlled by Enpass, a user could more easily copy and paste additional items, simplifying form filling, with Enpass clearing the clipboard, as it currently does, after a specified time. Thank you for taking the time to read this and for Enpass’ continued development.
  10. Ivarson - Thank you for your comment. Yes, as you say, there are various advantages to both approaches. The reason I thought one-way, could be more viable, is it wouldn't necessarily require any syncing, as entries are purely shared with multiple vaults. The other advantage of one-way is in a family set-up, it would ensure there can only be one version of a particular entry, while still allowing secondary vaults to create and control their own unique entries. The absolute ideal would be to also have a master list, collating every entry from every vault, giving the account owner an overview of the entire system. Anyway, thanks for your thoughts and here's hoping.
  11. The ability to create multiple vaults is extremely useful, but maintaining identical entries, across several vaults, is time-consuming and/or prone to error. As a feature consideration, if every entry copied from the Primary vault, to a secondary vault, could be internally linked, any update made to that entry would automatically update the matching entry in all other vaults. The most flexible would be two-way syncing, where an entry can be updated via any vault, Primary or Secondary. But possibly a more stable approach would be to treat the Primary vault as the master, so only when an entry is updated via the Primary vault would it then synchronize that change with the other vaults. With this one-way master vault approach, an entry copied to a secondary vault could be linked or independent. A linked entry would become read only, while an independent entry would be read and write. This would ensure the Primary vault maintained full control over its own updates, while allowing secondary vaults full control over entries unique to that specific vault. Every linked entry, copied from the Primary vault, would remain part of the Primary vault, not a separate entry. It's a bit like saying, please allow these Primary vault entries to also appear in these secondary vaults. Such a setup would follow Enpass's offline design, with synchronization being within the app itself, and it would also ensure audits were consistent between the different vaults. I hope I’ve explained this reasonably clearly. Enpass is a really powerful tool and with the increasing number of devices and users, within each account, the ability to maintain control becomes even more important. Thank you, once again, for Enpass’ continued development.
  12. flyingbirds - I wasn't replying to your entire post, just to a question you asked: "breach/compromised what's the difference?" A breach is where hackers have gained access to a database or similar of a website where you hold an account. So your specific details might not have been compromised, but the website itself was, and there's a risk your details were also stolen. A compromised password is a password known to have been obtained by hackers in a website breach. The password might not have been stolen from your account, it could have been an identical password used elsewhere by someone else. The simpler the password, the greater the chance of that being the case. For both a website breach and a compromised password, the recommendation is to change the affected password to ensure the login details, if stolen, are no longer usable. Personally, I'd also recommend changing the e-mail. Once an e-mail is part of a stolen database, spam/malicious e-mails are more likely. Also, part of any login using that e-mail is now known to hackers.
  13. Increasingly, web accounts are setting minimum periods of inactivity (often as little as 3 months) before an account is considered abandoned and marked for closure. It would be helpful if Enpass allowed a user to add calendar reminders for each entry. The existing password expiry period feature is useful, and being able to add more general reminders, with a note, would ensure a user never overlooked infrequently used accounts. Setting specific dates would be the most effective, but using the same approach as the password expiry feature would also be helpful. Thank you for Enpass' continued development.
  14. Hello Mohit, thank you for your very thorough reply. I reinstalled 6.8.0 late yesterday, and the rotating blue symbol appeared over the Compromised passwords button. This morning, on opening the app, the button has reverted to show 0 as normal. It would seem an initial auto-check either takes far longer than a manual check, or some other checks are taking place, but the app is currently stable and operational, so I will test further. Thank you for considering the feature requests. I look forward to future updates.
  15. Hello Mohit, thank you for replying. In point 1, when you say ‘pending’, do you mean simply items that have not yet been checked against HIBP's database? In point 2, when an item is added or updated, is the auto-check of the entire vault or only for the item(s) added/updated? I.e. does the Enpass app mark an item as ‘checked’ against the current HIBP database? In point 3, how is the Enpass app notified of a HIBP database update? Is the Enpass app requesting that information direct from HIBP, or is the new database stored on your servers, and you tell the Enpass app that an HIBP update has occurred, and the app needs to run a new full vault check? In reply to the issues I faced with 6.8.0, can I ask, when an item is added or modified, and auto-check is enabled, is there supposed to be any visual indication of an HIBP check taking place? Or is the check silent? An HIBP check of a single item takes a matter of seconds, so if the check is ‘silent’, it would behave as I experienced. Only if a password was found to be compromised would a user know a check had taken place. If the check is silent, it would be helpful if the Compromised window of the Audit section gave the date and time of the most recent HIBP checks. That way, a user would know their password checks were up-to-date. If you could let me know whether the check is supposed to be silent, and if it is, I will reinstall 6.8.0 and run further tests. Thank you once again.