Enpass Discussion Forum

Thoughts?

Members
  • Posts: 48
  • Days Won: 7

Posts posted by Thoughts?

  1. Hi flyingbirds

    I sync my main vault with one cloud, via the Enpass app, and the auto-generated backup files to a second cloud simply by syncing a custom backup folder.

    You mentioned you're using filen. As I understand, filen's desktop sync client is being updated to permit the syncing of custom folders. You will then be able to set up your chosen Enpass backup folder as a dedicated filen sync folder. 

    An encrypted backup vault file, together with e-mail, master password and key file (if used), will allow you to restore your vault if your original vault file isn't available. You import the backup file when setting up Enpass as a new installation.

    • Like 1
  2. I noted a similar question was asked back in 2019, so I thought I'd ask in 2022!

    Android 12 – Enpass app version 6.8.2.666

    Having used various login methods on Android, I find Enpass’ keyboard to be about the most consistent. However, haptic feedback is a strong buzzer that can't be altered. Only by disabling haptic feedback globally can you stop the keyboard buzzing, as the app overrides the phone's own level controls.

    I’d welcome an updated Enpass Android keyboard, with both control over feedback and a more modern design. 

    The FOSS keyboard, OpenBoard, could be an excellent platform for a revised Enpass keyboard. Button design, layout, size and colour are all configurable, it even includes its own clipboard viewer. If this was controlled by Enpass, a user could more easily copy and paste additional items, simplifying form filling, with Enpass clearing the clipboard, as it currently does, after a specified time.

    Thank you for taking the time to read this and for Enpass’ continued development.

  3. Ivarson - Thank you for your comment. Yes, as you say, there are various advantages to both approaches. The reason I thought one-way could be more viable is it wouldn't necessarily require any syncing, as entries are purely shared with multiple vaults. The other advantage of one-way is in a family set-up, it would ensure there can only be one version of a particular entry, while still allowing secondary vaults to create and control their own unique entries.

    The absolute ideal would be to also have a master list, collating every entry from every vault, giving the account owner an overview of the entire system.

    Anyway, thanks for your thoughts and here's hoping.

     

    • Like 1
  4. The ability to create multiple vaults is extremely useful, but maintaining identical entries across several vaults is time-consuming and/or prone to error.

    As a feature consideration, if every entry copied from the Primary vault, to a secondary vault, could be internally linked, any update made to that entry would automatically update the matching entry in all other vaults.

    The most flexible would be two-way syncing, where an entry can be updated via any vault, Primary or Secondary. But possibly a more stable approach would be to treat the Primary vault as the master, so only when an entry is updated via the Primary vault would it then synchronize that change with the other vaults.

    With this one-way master vault approach, an entry copied to a secondary vault could be linked or independent. A linked entry would become read only, while an independent entry would be read and write. This would ensure the Primary vault maintained full control over its own updates, while allowing secondary vaults, full control over entries unique to that specific vault.

    Every linked entry, copied from the Primary vault, would remain part of the Primary vault, not a separate entry. It's a bit like saying, please allow these Primary vault entries to also appear in these secondary vaults. Such a setup would follow Enpass's offline design, with synchronization being within the app itself, and it would also ensure audits were consistent between the different vaults.

    I hope I’ve explained this reasonably clearly. Enpass is a really powerful tool and with the increasing number of devices and users, within each account, the ability to maintain control becomes even more important. 

    Thank you, once again, for Enpass’ continued development.

    • Like 1
  5. flyingbirds - I wasn't replying to your entire post, just to a question you asked: "breach/compromised, what's the difference?"

    A breach is where hackers have gained access to a database or similar of a website where you hold an account. So your specific details might not have been compromised, but the website itself was, and there's a risk your details were also stolen. 

    A compromised password is a password known to have been obtained by hackers in a website breach. The password might not have been stolen from your account, it could have been an identical password used elsewhere by someone else. The simpler the password, the greater the chance of that being the case.

    For both a website breach and a compromised password, the recommendation is to change the affected password to ensure the login details, if stolen, are no longer usable. 

    Personally, I'd also recommend changing the e-mail. Once an e-mail is part of a stolen database, spam/malicious e-mails are more likely. Also, part of any log in using that e-mail is now known to hackers. 

    • Thanks 2
  6. Increasingly, web accounts are setting minimum periods of inactivity (often as little as 3 months) before an account is considered abandoned and marked for closure. It would be helpful if Enpass allowed a user to add calendar reminders, for each entry. The existing password expiry period feature is useful, and being able to add more general reminders, with a note, would ensure a user never overlooked infrequently used accounts. Setting specific dates would be the most effective, but using the same approach as the password expiry feature would also be helpful.

    Thank you for Enpass' continued development

     

  7. Hello Mohit

    Thank you for your very thorough reply. I reinstalled 6.8.0 late yesterday, and the rotating blue symbol appeared over the Compromised passwords button. This morning, on opening the app, the button has reverted to show 0 as normal.

    It would seem an initial auto-check either takes far longer than a manual check, or some other checks are taking place, but the app is currently stable and operational, so I will test further. 

    Thank you for considering the feature requests. I look forward to future updates.

     

    • Like 1
  8. Hello Mohit 

    Thank you for replying.

    In point 1, when you say ‘pending’, do you mean simply items that have not yet been checked against HIBP's database?

    In point 2, when an item is added or updated, is the auto-check of the entire vault or only for the item(s) added/updated? I.e. does the Enpass app mark an item as ‘checked’ against the current HIBP database?

    In point 3, how is the Enpass app notified of a HIBP database update? Is the Enpass app requesting that information direct from HIBP, or is the new database stored on your servers, and you tell the Enpass app that an HIBP update has occurred, and the app needs to run a new full vault check?

    In reply to the issues I faced with 6.8.0, can I ask, when an item is added or modified, and auto-check is enabled, is there supposed to be any visual indication of an HIBP check taking place? Or is the check silent?

    An HIBP check of a single item takes a matter of seconds, so if the check is ‘silent’, it would behave as I experienced. Only if a password was found to be compromised would a user know a check had taken place. If the check is silent, it would be helpful if the Compromised window of the Audit section gave the date and time of the most recent HIBP checks. That way, a user would know, their password checks were up-to-date.

    If you could let me know whether the check is supposed to be silent, and if it is, I will reinstall 6.8.0 and run further tests.

    Thank you once again

  9. Mohit and team, thank you for the update, it's always appreciated.

    Can you please clarify what happens with the Automatic Compromised Password Check, because there is now no option to manually check the entire vault with a single button press?

    On installing 6.8.0, I enabled auto check and the Compromised button showed a continuous rotating symbol, but no progress. After leaving it for 5 minutes, the symbol was still rotating. I unticked the auto check option, shut down then restarted Enpass and the Compromised button showed 0 as normal, but on reviewing the Compromised window of the Audit section, there was no option to manually check all passwords. As a final check, I re-enabled auto check, modified a password entry, saved it, but the app gave no indication any auto check had taken place. 

    A few questions if I may  

    1 - Is an auto check, only checking the HIBP database when a new/modified entry is updated?

    2 - Does auto check, check the entire vault, or just the new/modified entry?

    3 - Is it correct that the option to manually check all passwords has been removed?

    If the answers to the first and third questions are yes, this would mean with 6.8.0 a user needs to modify/create an entry to recheck all passwords against the HIBP database, rather than simply pressing the Re-check All button. If, however, an auto check only checks new or modified items, a user must now manually check each individual entry to check the entire vault.

    4 - Can you consider automating vault password checks, either every time the app is started or at specific scheduled intervals? This type of automated checking would ensure the Audit was always up-to-date without any user input. Either option would work best in conjunction with the existing manual Re-Check All option.

    I've currently reinstalled 6.7.4 (933) as the password changes in 6.8.0, make it less usable.

    I've just noticed your post was in relation to the Windows Store version. My desktop version offered 6.8.0 as a Beta update, which is the one I installed. Do let me know if I should repost this question in that section. 

    Thank you in advance for any information you can provide.

  10. Not sure if you were aware, but Grammarly for Windows, a replacement for their desktop editor, is an app that detects and corrects text entries in almost any application. On trying the app, I discovered that entering text into the Enpass desktop software 6.7.4 (935) and browser extension (6.7.4) was detected by Grammarly!

    While the text I entered into Enpass did not appear in the Grammarly app it certainly recognized I was (A) using an app and (B) was entering text. The unknown is whether the text entered is still registered by Grammarly (i.e. sent to their servers), and simply not displayed, or whether it truly can't 'see' what I'm typing. While a user can manually prevent Grammarly from working with specific apps, that's not its default.

    To test if other password manager software was also detected, I tried Bitwarden's desktop software, and found entering text did not trigger the Grammarly app. So I'm unsure whether that is purely 'luck', or something Bitwarden has employed in their software. There are other apps I've found that Grammarly doesn't detect, so it's more likely just luck, that Bitwarden isn't detected.

    I bring this to your attention, so you're aware of a potential security issue raised by anyone considering installing the Grammarly app alongside Enpass. I don't know whether there is anything that can be done, but if you were able to clarify the situation directly with Grammarly, that would be immensely helpful. 

    Thank you.

    • Thanks 1
  11. Hello Gulshan - Thank you for taking the time to reply. 

    Just to clarify, I do understand the cloud is purely the storage medium and not involved in any encryption process, which is why my suggestion was that the Enpass app folder, the vault and attachment files be randomly named before being uploaded to the cloud.

    As you say, if a hacker gets access to the files, they would still require the master password. My thought is, if a hacker had no idea what the files were, in the first place, they are far more likely to be discarded or ignored. Currently, an Enpass app folder stands out, and its name tells the hacker the software used to create the files inside, making it more of a target.

    Thanks for your time.

    • Like 2
  12. Could Enpass consider modifying the names of the App folder and enpasssync and enpassattach files stored inside a user’s chosen cloud-stored folder?

    Although the files are encrypted, if a user’s Google, OneDrive etc. cloud account was hacked, an Enpass app folder containing an Enpass vault and attachments, does make it a more obvious target for hackers, than if the folder and files were given more obscure names. Currently, the folder and file names make it obvious which app was used to create the files.

    My suggestion is not about additional encryption, but purely a ‘masking’ of the folder and file names to better hide them, if a user’s cloud account was hacked.

    Thank you.

  13. Hello Gulshan - Thank you for replying.

    I was aware of, and use, the PIN feature in Enpass. My suggestion was that, if a user could set the option of needing to enter their Enpass PIN, before an attachment was deleted, it would prevent attachments being accidentally deleted. 

    So my suggested sequence would be, press X, enter PIN, press ok, attachment would then be deleted.

    Thanks Again

     

    • Like 1
  14. Windows 10 Pro 21H1 - Enpass 6.7.4.919 and 6.7.2.885

    When adding or removing attachments, the desktop app doesn't update an entry's last modified date.

    I'm not sure whether this was intentional, or simply a bug.

    Also, as a related feature request, it would be helpful if Enpass could provide a confirmation request before deleting an attachment. Currently, pressing the X instantly deletes the attachment without warning. For additional security, the option to request the master password or more usefully the PIN, if set, would also be good.

    Thank you

  15. Windows 10 Pro 21H1 - Enpass Desktop 6.7.2 (885) - Browser Extensions (Brave & Edge) 6.6.2 

    When logging in to AnonAddy, the 2FA entry is left blank by Enpass; I need to manually copy and paste the 2FA code. The code is correct, but Enpass won't automatically enter the 2FA code. I have enabled both upper Autofill options, including "Automatically copy and fill one-time code after autofill".

    2FA code entry works correctly on numerous other websites, but just not AnonAddy for some reason.

    As a thought, where there are such issues, a feature that would help would be a 2FA button in the browser extension. So rather than having to open the entry and then copy and paste the code, you could simply click a 2FA button and Enpass would paste in the 2FA code. The browser extension has copy username, password and URL as right-click options but not 2FA. But a dedicated 2FA button would be easier and quicker.

    Thank you for the continued development of Enpass.

    • Like 1
  16. Hello Toronto - I don't think it's related. The only issue related to editing I'm aware of in Enpass (I use Windows) is when the app is maximized it will move the highlighted entry to the bottom of the visible list and if editing an item, it will force close the edit screen, but I can still edit any entry. Enpass are aware of that issue and have said they're working on it. 

    It would be worth posting your question in Enpass' iOS forum, as other Mac users might be able to help further. Include the exact model of Mac, iOS version and screen resolution in your post. If its screen resolution is different to your other machines, that could be a factor.

    As a thought, if the issue is specific to one computer, have you tried removing and reinstalling Enpass? You could also copy over the Enpass vault (and key, if used) from another Mac installation. You could also create a new empty vault as a test. Back up everything beforehand, and you can then revert to your current vault.

    • Like 1
    • Thanks 1
  17. Current Desktop Software 6.7.2 (885) Windows 10

    It would be helpful if entries, in the desktop software, could be sorted by their new password creation/changed dates. Minor alterations, adding a note etc., moves an item to the top of the last modified list, and it would be helpful if the list could always display in order of newest to oldest passwords. Minor changes could then be made to an entry, but the list would still sort by the age of the password.

    The password expiry feature is very useful, but ahead of each warning there isn't an indicator of password age.

    Thank you for taking the time to read this and the continued development of Enpass.

    Thoughts

  18. Hello buyrsr 

    Opening your Enpass vault doesn't require (or even use) access to Enpass's servers or the internet. Install the desktop app or keep a copy of the portable version and you will always be able to open your vault. Simply ensure you keep your account e-mail, master password, and, if used, key file safe. Even if Enpass disappeared overnight you will be able to open your vault.

    Once your vault has been opened it can be exported as an unencrypted .json or .csv file and be imported into a different password manager. 

    Enpass Desktop Software

     

  19. Hello Garima

    Thank you for a very thorough reply.

    Could I just clarify this sentence: "The latest one will be kept"?

    Does this mean that, in my example, the password change made in the first (offline) device would be kept 'and' the note added via the second device would also be kept? So 'both' modifications made to the same website login entry (from two different devices) would be included in the newly synced vault?

    By the way, I already use the Enpass desktop app, I simply wished to clarify this aspect. 

    Thank you once again

    Regards.

     

  20. If I edited a website login via the desktop app when my computer was not connected to the internet, then someone later edited that same website login via a different 'online' device, what would Enpass do to resolve the differences between the vault on my computer and the vault in my cloud when my computer was back online?

    As the two vaults are now different, does it simply overwrite the entire vault on my computer with the newer 'cloud sync' vault (replacing the changes I made on my computer) or will it merge changes/additions if they are different? 

    E.g. If I changed a login password offline, then later, via a different online device, modified a note (for the same login), what would Enpass do?

    I'm curious how it might handle offline edits and changes made to the same logins. 

    Thank you in advance for any thoughts.

  21. Hello Pratyush

    Thank you for the update, that is excellent news.

    Two related considerations. As a fallback option for automated/scheduled checks: an option to repeat the check the next day if no internet was available at the scheduled time. Pressing the Compromised button on the new Audit panel could also be set to initiate a manual check and display the results on the next screen.

    Regards

     

    • Like 1