Thoughts?
Posts: 55 - Days Won: 9
Posts posted by Thoughts?
-
@MikDev @Nightangelg @Abhishek Dewan
Separate from Enpass' sharing feature, it is possible to export a few entries as a JSON or CSV file.
Create a new blank 'exporting' vault, copy only the entries you need to that vault, then export it as .json or .csv. Once you've created the vault, simply modify it as required to export different entries in the future.
Obviously, the exported vault will be unencrypted.
- 1
-
Hello Fadi - 2FA as in TOTP (authenticator apps such as Authy, Aegis etc.) cannot physically be used to add another protective layer to 'any' offline vault file physically on your computer. Bitwarden is identical in this regard. If someone stole your computer, and you had Bitwarden desktop installed, provided the computer was kept offline and the thief knew your e-mail and master password, they could open your Bitwarden vault, even if you had set up 2FA on your account.
As mentioned in an earlier comment, encrypting the key file on your computer is a way to add another protective layer. In this situation, the thief would need 5 things:
1 - To know your Enpass e-mail
2 - Your master password
3 - The key file location
4 - To know that the key file was encrypted
5 - To know the password used to encrypt the key file
Online or offline, without all that information the Enpass vault would not open, even if they knew your e-mail and master password.
Another alternative is to store your key file on a USB stick. Without the USB, the key file would be inaccessible, making it impossible to open the vault, even with the correct e-mail and master password.
2FA as in TOTP (authenticator app) protects online access to files and information; it's not designed to protect physical files when offline.
Stored in your personal cloud (Dropbox, OneDrive etc.), your Enpass vault(s) are protected by 2FA when enabled in your cloud account. It is purely the offline element of Enpass that a 2FA authenticator app can't protect. For that to change, Enpass would need to be an online password manager, which comes with a mixture of advantages and disadvantages. The key disadvantage being that, without access to the internet, or if the company's servers are down, an online-only password manager blocks you from accessing your own passwords.
I completely understand your thoughts and concerns, but in order to protect offline physical files, the approach itself also needs to be offline. Encrypting the key file or storing it externally are two such methods, and there are likely others.
Whether Enpass might consider a hybrid online approach I don't know, but for myself what I value most about Enpass is having complete control of where my vault(s) are stored, enabling 2FA in each cloud storage location, having a secure, memorable master password and, vitally, being able to access critical information regardless of whether I'm online or offline or whether Enpass' servers might be down.
With every password storage set-up, regardless of the method, it is ultimately the responsibility of the end user to protect that information. Enpass is built as an offline password manager, and that is why it differs from others. If that approach isn't practical for you, then possibly a different, online password manager might be more suitable.
- 1
-
If you have a look at this earlier post, there appears to be a current issue syncing with iCloud. As you'll read, Enpass are aware and hoping to resolve the problem.
Not ideal I know, but you could as a temporary option use a different cloud, until Enpass resolve it.
-
@Saint.
A possible workaround, to delete an entry's entire password history, is to create a duplicate entry, then delete the original. The created duplicate will start with a blank password history. Just be aware, any file attachments, for that entry, will need to be added back in.
The above link in Abhishek Dewan's post, see here, explains how to view the password history, in each app, including Android.
As an alternative to your suggestion of an icon, if an entry showed the date of the last password change, alongside the last modified and created dates, you'd know when its password was changed. If the changed date was different to the created date, you'd also know the entry had a password history, saving you having to look in the password history menu.
Separate from that, I agree it would be helpful if the password history was editable.
- 1
-
@fadi Just furthering Steve Hansen's comment on Bitwarden. 2FA within Bitwarden protects purely logging into your online account and database. If you also use Bitwarden's desktop software, the vault file physically on your computer is not and cannot be protected via 2FA (TOTP). Only when using Bitwarden completely online (no desktop software or local file) does 2FA add a layer of protection to your vault.
-
As mentioned by Steve Hansen, it's technically not possible to use 2FA (as in TOTP authentication) to secure an encrypted vault physically stored on your computer.
However, if you are concerned about your computer, Enpass vault and master password falling into the wrong hands, it's possible to add another layer of security, a second factor if you will, to your vault.
Add Enpass's key file to your vault as normal, then use an encryption tool to encrypt the key file. If Enpass can't find/read the key file, the vault won't open even with the master password.
Encryption could be as basic as a password-protected zip, but a more robust setup is via Cryptomator. Create a Cryptomator vault (folder) on your computer, choose an appropriate password, unlock the Cryptomator vault and place your Enpass key file inside the revealed folder. Open Enpass and point it to the new key file location.
Cryptomator can be set to a timeout (locking all vaults), or remain open until the computer is shut down. Simply turning your computer off would lock the Cryptomator vault and re-encrypt the key file. On starting the computer, you, and/or a potential thief, would need your Enpass master password and your Cryptomator password for that vault to open/decrypt your Enpass vault. Removing the hard drive from your computer wouldn't change anything; it would actually better hide the key file, as it can only be revealed through the Cryptomator app!
I've not tested this approach on a mobile phone, but Cryptomator do also have a mobile version of their software. Cryptomator's desktop software is free and open source.
In a perfect world, the Enpass desktop software and mobile app would themselves provide the means of encrypting/securing the key file, but the approach I've suggested could be used as of today.
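As an added illustration for the two posts above on the key file as an offline second factor (this is example code written for the thread, not Enpass's software, and Enpass's real vault format and key derivation are not described here), the sketch below mixes the key-file contents into a hypothetical composite-key derivation, so that with the file missing, or locked away in an encrypted container, the master password alone cannot open the data. The PBKDF2 parameters, the HMAC-SHA256-based encrypt-then-MAC construction and the sample key file are all assumptions made for the example.

```python
"""Why a key file is an offline second factor (added illustration).

Hypothetical construction, not Enpass's real scheme: the master password
and a hash of the key-file contents form one composite secret, stretched
with PBKDF2, then used for a stdlib-only encrypt-then-MAC.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption for the example


def derive_vault_key(master_password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Mix the key-file contents into the KDF input.

    Without the file the same password yields an unrelated key, which is
    what makes the file a second factor even with the computer offline.
    A TOTP check cannot do this: whoever verifies a code needs the TOTP
    secret, so a vault checking its own codes would have to store that
    secret next to the data it protects, adding nothing to the key.
    """
    secret = master_password.encode("utf-8")
    if key_file is not None:
        secret += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (illustrative only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def create_vault(plaintext: bytes, master_password: str, key_file: Optional[bytes]) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_vault_key(master_password, key_file, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def open_vault(blob: bytes, master_password: str, key_file: Optional[bytes]) -> Optional[bytes]:
    """Return the plaintext, or None when the password and/or key file is wrong."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_vault_key(master_password, key_file, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # a missing factor fails the MAC before any decryption
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample data: a random fake key file and a tiny "vault" payload.
    key_file = secrets.token_bytes(64)
    vault = create_vault(b'{"example.com": "hunter2"}', "correct horse", key_file)
    assert open_vault(vault, "correct horse", key_file) == b'{"example.com": "hunter2"}'
    assert open_vault(vault, "correct horse", None) is None           # key file missing
    assert open_vault(vault, "correct horse", b"other file") is None  # wrong key file
    assert open_vault(vault, "wrong password", key_file) is None      # wrong password
    print("master password alone is not enough; the key file is the second factor")
```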
-
Hi flyingbirds
I sync my main vault with one cloud, via the Enpass app, and the auto-generated backup files to a second cloud simply by syncing a custom backup folder.
You mentioned you're using filen. As I understand, filen's desktop sync client is being updated to permit the syncing of custom folders. You will then be able to set up your chosen Enpass backup folder as a dedicated filen sync folder.
An encrypted backup vault file, together with e-mail, master password and key file (if used), will allow you to restore your vault if your original vault file isn't available. You import the backup file when setting up Enpass as a new installation.
- 1
-
I noted a similar question was asked back in 2019, so I thought I'd ask in 2022!
Android 12 – Enpass app version 6.8.2.666
Having used various login methods on Android, I find Enpass' keyboard to be about the most consistent. However, haptic feedback is a strong buzzer that can't be altered. Only by disabling haptic feedback globally can you stop the keyboard buzzing, as the app overrides the phone's own level controls.
I’d welcome an updated Enpass Android keyboard, with both control over feedback and a more modern design.
The FOSS keyboard, OpenBoard, could be an excellent platform for a revised Enpass keyboard. Button design, layout, size and colour are all configurable, it even includes its own clipboard viewer. If this was controlled by Enpass, a user could more easily copy and paste additional items, simplifying form filling, with Enpass clearing the clipboard, as it currently does, after a specified time.
Thank you for taking the time to read this and for Enpass’ continued development.
-
Ivarson - Thank you for your comment. Yes, as you say, there are various advantages to both approaches. The reason I thought one-way could be more viable is that it wouldn't necessarily require any syncing, as entries are purely shared with multiple vaults. The other advantage of one-way is that in a family set-up, it would ensure there can only be one version of a particular entry, while still allowing secondary vaults to create and control their own unique entries.
The absolute ideal would be to also have a master list, collating every entry from every vault, giving the account owner an overview of the entire system.
Anyway, thanks for your thoughts and here's hoping.
- 1
-
The ability to create multiple vaults is extremely useful, but maintaining identical entries across several vaults is time-consuming and/or prone to error.
As a feature consideration, if every entry copied from the Primary vault to a secondary vault could be internally linked, any update made to that entry would automatically update the matching entry in all other vaults.
The most flexible would be two-way syncing, where an entry can be updated via any vault, Primary or Secondary. But possibly a more stable approach would be to treat the Primary vault as the master, so only when an entry is updated via the Primary vault would it then synchronize that change with the other vaults.
With this one-way master vault approach, an entry copied to a secondary vault could be linked or independent. A linked entry would become read only, while an independent entry would be read and write. This would ensure the Primary vault maintained full control over its own updates, while allowing secondary vaults, full control over entries unique to that specific vault.
Every linked entry, copied from the Primary vault, would remain part of the Primary vault, not a separate entry. It's a bit like saying, please allow these Primary vault entries to also appear in these secondary vaults. Such a setup would follow Enpass's offline design, with synchronization being within the app itself, and it would also ensure audits were consistent between the different vaults.
I hope I’ve explained this reasonably clearly. Enpass is a really powerful tool and with the increasing number of devices and users, within each account, the ability to maintain control becomes even more important.
Thank you, once again, for Enpass’ continued development.
- 1
-
flyingbirds - I wasn't replying to your entire post, just to a question you asked: 'breach/compromised, what's the difference?'
A breach is where hackers have gained access to a database or similar of a website where you hold an account. So your specific details might not have been compromised, but the website itself was, and there's a risk your details were also stolen.
A compromised password is a password known to have been obtained by hackers in a website breach. The password might not have been stolen from your account, it could have been an identical password used elsewhere by someone else. The simpler the password, the greater the chance of that being the case.
For both a website breach and a compromised password, the recommendation is to change the affected password to ensure the login details, if stolen, are no longer usable.
Personally, I'd also recommend changing the e-mail. Once an e-mail is part of a stolen database, spam/malicious e-mails are more likely. Also, part of any login using that e-mail is now known to hackers.
- 2
-
Increasingly, web accounts are setting minimum periods of inactivity (often as little as 3 months) before an account is considered abandoned and marked for closure. It would be helpful if Enpass allowed a user to add calendar reminders, for each entry. The existing password expiry period feature is useful, and being able to add more general reminders, with a note, would ensure a user never overlooked infrequently used accounts. Setting specific dates would be the most effective, but using the same approach as the password expiry feature would also be helpful.
Thank you for Enpass' continued development.
-
Hello Mohit
Thank you for your very thorough reply. I reinstalled 6.8.0 late yesterday, and the rotating blue symbol appeared over the Compromised passwords button. This morning, on opening the app, the button has reverted to show 0 as normal.
It would seem an initial auto-check either takes far longer than a manual check, or some other checks are taking place, but the app is currently stable and operational, so I will test further.
Thank you for considering the feature requests. I look forward to future updates.
- 1
-
Hello Mohit
Thank you for replying.
In point 1, when you say ‘pending’, do you mean simply items that have not yet been checked against HIBP's database?
In point 2, when an item is added or updated, is the auto-check of the entire vault or only for the item(s) added/updated? I.e. does the Enpass app mark an item as 'checked' against the current HIBP database?
In point 3, how is the Enpass app notified of a HIBP database update? Is the Enpass app requesting that information direct from HIBP, or is the new database stored on your servers, and you tell the Enpass app that an HIBP update has occurred, and the app needs to run a new full vault check?
In reply to the issues I faced with 6.8.0, can I ask, when an item is added or modified, and auto-check is enabled, is there supposed to be any visual indication of an HIBP check taking place? Or is the check silent?
An HIBP check of a single item takes a matter of seconds, so if the check is ‘silent’, it would behave as I experienced. Only if a password was found to be compromised would a user know a check had taken place. If the check is silent, it would be helpful if the Compromised window of the Audit section gave the date and time of the most recent HIBP checks. That way, a user would know, their password checks were up-to-date.
If you could let me know whether the check is supposed to be silent, and if it is, I will reinstall 6.8.0 and run further tests.
Thank you once again
-
Mohit and team thank you for the update, it's always appreciated.
Can you please clarify what happens with the Automatic Compromised Password Check, because there is now no option to manually check the entire vault with a single button press?
On installing 6.8.0, I enabled auto check and the Compromised button showed a continuous rotating symbol, but no progress. After leaving it for 5 minutes, the symbol was still rotating. I unticked the auto check option, shut down then restarted Enpass and the Compromised button showed 0 as normal, but on reviewing the Compromised window of the Audit section, there was no option to manually check all passwords. As a final check, I re-enabled auto check, modified a password entry, saved it, but the app gave no indication any auto check had taken place.
A few questions if I may:
1 - Is an auto check, only checking the HIBP database when a new/modified entry is updated?
2 - Does auto check, check the entire vault, or just the new/modified entry?
3 - Is it correct that the option to manually check all passwords has been removed?
If the answers to the first and third questions are yes, this would mean with 6.8.0 a user needs to modify/create an entry to recheck all passwords against the HIBP database, rather than simply pressing the Re-check All button. If, however, an auto check only checks new or modified items, a user must now manually check each individual entry to check the entire vault.
4 - Can you consider automating vault password checks, either every time the app is started or at specific scheduled intervals? This type of automated checking would ensure the Audit was always up-to-date without any user input. Either option would work best in conjunction with the existing manual Re-Check All option.
I've currently reinstalled 6.7.4 (933) as the password changes in 6.8.0, make it less usable.
I've just noticed your post was in relation to the Windows Store version. My desktop version offered 6.8.0 as a Beta update, which is the one I installed. Do let me know if I should repost this question in that section.
Thank you in advance for any information you can provide.
-
DenalB, you could also use Tags. Both as a visual identifier, and as a means of further sorting items within the same category. I use tags all the time.
- 1
-
Hello Manish
Thank you for responding. The Grammarly software is called Grammarly for Windows, version 1.0.2.130. It's a self-contained desktop application and works without the need for a browser extension. It can be found here: Grammarly for Windows.
Thanks once again.
- 1
-
Not sure if you were aware, but Grammarly for Windows, a replacement for their desktop editor, is an app that detects and corrects text entries in almost any application. On trying the app, I discovered that entering text into the Enpass desktop software 6.7.4 (935) and browser extension (6.7.4) was detected by Grammarly!
While the text I entered into Enpass did not appear in the Grammarly app it certainly recognized I was (A) using an app and (B) was entering text. The unknown is whether the text entered is still registered by Grammarly (i.e. sent to their servers), and simply not displayed, or whether it truly can't 'see' what I'm typing. While a user can manually prevent Grammarly from working with specific apps, that's not its default.
To test if other password manager software was also detected, I tried Bitwarden's desktop software, and found entering text did not trigger the Grammarly app. So I'm unsure whether that is purely 'luck', or something Bitwarden has employed in their software. There are other apps I've found that Grammarly doesn't detect, so it's more likely just luck, that Bitwarden isn't detected.
I bring this to your attention, so you're aware of a potential security issue raised by anyone considering installing the Grammarly app alongside Enpass. I don't know whether there is anything that can be done, but if you were able to clarify the situation directly with Grammarly, that would be immensely helpful.
Thank you.
- 1
-
Hello Gulshan - Thank you for taking the time to reply.
Just to clarify, I do understand the cloud is purely the storage medium and not involved in any encryption process, which is why my suggestion was that the Enpass app folder, the vault and attachment files be randomly named before being uploaded to the cloud.
As you say, if a hacker gets access to the files, they would still require the master password. My thought is, if a hacker had no idea what the files were, in the first place, they are far more likely to be discarded or ignored. Currently, an Enpass app folder stands out, and its name tells the hacker the software used to create the files inside, making it more of a target.
Thanks for your time.
- 2
-
Could Enpass consider modifying the names of the App folder and enpasssync and enpassattach files stored inside a user’s chosen cloud-stored folder?
Although the files are encrypted, if a user’s Google, OneDrive etc. cloud account was hacked, an Enpass app folder containing an Enpass vault and attachments, does make it a more obvious target for hackers, than if the folder and files were given more obscure names. Currently, the folder and file names make it obvious which app was used to create the files.
My suggestion is not about additional encryption, but purely a ‘masking’ of the folder and file names to better hide them, if a user’s cloud account was hacked.
Thank you.
-
Hello Gulshan, thank you for replying.
I was aware of, and use, the PIN feature in Enpass. My suggestion was that, if a user could set the option of needing to enter their Enpass PIN, before an attachment was deleted, it would prevent attachments being accidentally deleted.
So my suggested sequence would be, press X, enter PIN, press ok, attachment would then be deleted.
Thanks again.
- 1
-
Windows 10 Pro 21H1 - Enpass 6.7.4.919 and 6.7.2.885
When adding or removing attachments, the desktop app doesn't update an entry's last modified date.
I'm not sure whether this was intentional, or simply a bug.
Also, as a related feature request, it would be helpful if Enpass could provide a confirmation request before deleting an attachment. Currently, pressing the X instantly deletes the attachment without warning. For additional security, the option to request the master password or more usefully the PIN, if set, would also be good.
Thank you
-
Hi Gulshan
Thanks for your comment. I'm a donut for overlooking that!
Is the autofill of the 2FA code at a fixed time delay, for every entry, or is Enpass analyzing the page to check when the 2FA window is shown? I wasn't sure if it was working 'blind' so to speak, or if it actually knew when the 2FA window appeared.
Thanks once again.
- 1
-
Windows 10 Pro 21H1 - Enpass Desktop 6.7.2 (885) - Browser Extensions (Brave & Edge) 6.6.2
When logging in to AnonAddy, the 2FA entry is left blank by Enpass; I need to manually copy and paste the 2FA code. The code is correct, but Enpass won't automatically enter the 2FA code. I have enabled both upper Autofill options, including 'Automatically copy and fill one-time code after autofill'.
2FA code entry works correctly on numerous other websites, but just not AnonAddy for some reason.
As a thought, where there are such issues, a feature that would help would be a 2FA button in the browser extension. So rather than having to open the entry and then copy and paste the code, you could simply click a 2FA button and Enpass would paste in the 2FA code. The browser extension has copy username, password and URL as right-click options but not 2FA. But a dedicated 2FA button would be easier and quicker.
Thank you for the continued development of Enpass.
- 1
Please add 2FA to enpass vaults (in Feature requests)
@Fadi Try using Bitwarden offline, to see its impact. That's the fundamental difference between Enpass as offline, and Bitwarden as online password managers.
There are 2FA setups, such as AuthLite, that work offline but, they're designed around connecting to a business domain, not one piece of software on a computer.
As mentioned, with Bitwarden's desktop software, if a computer is kept offline and the local vault locked, even with 2FA enabled, offline access only requires the password. However, if you log out of that vault, it can now only be unlocked, online, which means the physical vault on your computer, needs access to Bitwarden's servers, for the required authentication. I.e. if Bitwarden's servers are down, you won't be able to get to your passwords.
I don't speak for Enpass, but for it to remain a truly offline solution, everything, including additional security layers, must also be offline, otherwise, the end user is no longer in total control of their own password vault.
A simple example of that is adding and editing vault entries offline, a task that is second nature to Enpass. Bitwarden's desktop software, offline, is purely a viewer; they're still working on offline editing.
There is no right or wrong approach, it's a matter of what works for you, but it's important to understand the pros and cons of both approaches.