Jump to content
Enpass Discussion Forum


  • Posts

  • Joined

  • Last visited

  • Days Won


Posts posted by rerx

  1. I just cross checked with the Enpass extension on Firefox 51.0.1 . In this case the issue does not appear.

    Then I tried to remove the extension from Chrome and to reinstall it there -- this does not help. The issue still appears on Chrome.

    It doesn't help either to use a blank new Chrome profile with nothing but the Enpass extension installed.

  2. Hi, 

    thanks for looking into this.

    To produce the bug I select any message in the Fastmail web interface, click 'move to', and select some folder from the dropdown menu. After I hit 'enter', an Enpass popup appears asking me whether I would like to update my login credentials to the bogus password 'PIN'.

    This is with Enpass 5.4.1, Ubuntu 14.04, and Chrome 56.0.2924.87 .

  3. Hi,

    I am a new user of Enpass -- just trying the Linux and Android versions for the first time.

    I came to the forums because I noticed two issues on Android that gaetawoo already highlighted above.

    1. SECURITY BUG: Rebooting the phone does not cause Enpass to require the Master Password to unlock the app. I can use a fingerprint. Even after fingerprint is locked out for 5 bad tries and the Master Password is then required, if I reboot the phone, I do NOT need to enter the Master password, i can use my fingerprint. That's a security risk. UPDATE: An EVEN WORSE SECURITY RISK is that if you get the fingerprint wrong 5 times, and it requires the Master Password, you can simply go to Android settings --> Apps --> Enpass and FORCE CLOSE the app, start it again and it will accept your fingerprint again. THAT'S HUGELY WRONG! This is EXACTLY why the first load of the app MUST ALWAYS require the Master Password which it DOES NOT do right now. 

    This definitely must be fixed ASAP! The fingerprint is a convenience feature, but it is much less secure than a secret like the master password. Fingerprints are quite easy to forge. If an attacker gets hold of my phone and if they are careful, they can already find a template for a fake fingerprint on the glassy surfaces of the phone. That's why Enpass should really reset to requiring the master password to be entered instead of a fingerprint after some time (like 30 minutes) has passed or after a reboot. As it stands now, one can only discourage all users from using Enpass with the fingerprint feature.

    2. SECURITY BUG: When entering Master Password on Android for the first time after installing the app (in order to sync the database), the typed characters show up on the keyboard prediction bar, which means that text entry field is NOT coded as a password field (which would not show the characters in the keyboard prediction box). It's just an obfuscated normal text. Some keyboards automatically saved typed words or entries. Or someone may be peeking and see the entire password typed out in the keyboard box even if it's obscured in the field.

    I was really surprised by this behavior. The Swype keyboard just shows character after character in clear text in its suggestion bar, while entering the master password! This usually does not happen with password entry fields. It wasn't this bad with the stock Sony Xperia keyboard on my phone.


    Please fix these security problems! Apart from these issues Enpass really looks to be the nicest cross platform solution I have seen so far.

    • Like 1
  • Create New...