rerx

As discussed previously, Enpass on Android still allows to unlock the app by fingerprint after the device (or just the app) have been restarted. It should really require the master password when unlocking for the first time. This is really important for security.

I just cross checked with the Enpass extension on Firefox 51.0.1 . In this case the issue does not appear. Then I tried to remove the extension from Chrome and to reinstall it there -- this does not help. The issue still appears on Chrome. It doesn't help either to use a blank new Chrome profile with nothing but the Enpass extension installed.

Hi, thanks for looking into this. To produce the bug I select any message in the Fastmail web interface, click 'move to', and select some folder from the dropdown menu. After I hit 'enter', an Enpass popup appears asking me whether I would like to update my login credentials to the bogus password 'PIN'. This is with Enpass 5.4.1, Ubuntu 14.04, and Chrome 56.0.2924.87 .

Precisely, it used to work fine. And it is quite annoying now. If this could be fixed on the Enpass side, I'd really appreciate it.

Using the Fastmail web interface in Chrome with the Enpass extension, a bogus login with password 'PIN' is detected by the extension (and offered to be saved) whenever I move a message to a different folder.

Hi, I am a new user of Enpass -- just trying the Linux and Android versions for the first time. I came to the forums because I noticed two issues on Android that gaetawoo already highlighted above. This definitely must be fixed ASAP! The fingerprint is a convenience feature, but it is much less secure than a secret like the master password. Fingerprints are quite easy to forge. If an attacker gets hold of my phone and if they are careful, they can already find a template for a fake fingerprint on the glassy surfaces of the phone. That's why Enpass should really reset to requiring the master password to be entered instead of a fingerprint after some time (like 30 minutes) has passed or after a reboot. As it stands now, one can only discourage all users from using Enpass with the fingerprint feature. I was really surprised by this behavior. The Swype keyboard just shows character after character in clear text in its suggestion bar, while entering the master password! This usually does not happen with password entry fields. It wasn't this bad with the stock Sony Xperia keyboard on my phone. Please fix these security problems! Apart from these issues Enpass really looks to be the nicest cross platform solution I have seen so far.