
My1

Members
  • Content Count: 87
  • Days Won: 3

Everything posted by My1

  1. My1

    Security audit

    You need to read my message entirely, and in the context of Enpass being an offline-first password manager. For access to data online, 2FA is totally useful and awesome, but if you already have the data, like your Enpass vault on your computer, TOTP and the like cannot add to the encryption due to the dynamic nature of the codes. You would need something like a smartcard with encryption keys for proper 2FA on offline data. A code that is dependent on the time, like with TOTP, or dependent on several factors, like with U2F, cannot be used to add encryption, since you can't get that same code/data later on to add it to decryption. Sorry for posting a link to my blog, but I explained this in depth over there: https://blog.my1.dev/steganos-privacy-suite-19-is-a-joke TOTP and many other dynamic code formats can literally only be used to allow or deny access to something; however, when the data is already sitting there, just encrypted, there's nothing you can allow or deny, as you could just either hotwire the checks in RAM to skip that part or decrypt the wallet yourself outside the password manager.
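Added example to make the point in the post above concrete; this is not code from the original post and not Enpass code. It folds a second factor into the vault key derivation and shows the difference between a TOTP code (which changes with the clock, so the key material cannot be reproduced at a later unlock) and a challenge-response token (a stand-in for the smartcard case: a random challenge is stored next to the vault and the token's response is deterministic, so the right token reproduces the key material every time). Everything in it is constructed for the demo: the vault contents, salt, password, token secret and challenge are made up, the TOTP seed is the RFC 6238 test seed, the cipher is a toy hash-based stream cipher with an HMAC tag standing in for a real AEAD, and PBKDF2 runs with a low iteration count for speed.

```python
import hashlib
import hmac
import struct

# Demo-only KDF cost; a real vault would use a far higher count or Argon2.
KDF_ITERATIONS = 10_000

# Constructed sample data for the demo (not real credentials).
VAULT = b"example.com / alice / hunter2"
SALT = b"fixed-demo-salt"
PASSWORD = "correct horse battery staple"
TOTP_SEED = b"12345678901234567890"      # the RFC 6238 Appendix B test seed
TOKEN_SECRET = b"\x01" * 32              # secret that never leaves the (simulated) token
CHALLENGE = b"random-challenge-stored-in-the-vault-header"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code is a function of the clock."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What a challenge-response token does: a deterministic HMAC over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_key(password: str, factor: bytes, salt: bytes) -> bytes:
    """Vault key = PBKDF2(password || second-factor material). Whatever the second
    factor contributes here must be reproducible at every later unlock."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + factor, salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (hash keystream XOR plaintext, HMAC-SHA256 tag).
    Stand-in for a real AEAD such as AES-GCM or XChaCha20-Poly1305."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, len(ct))))


def unlock_with_totp(t_encrypt: int, t_open: int):
    """Fold the TOTP code valid at encryption time into the key, then try to open
    the vault with the code valid at t_open. This only works while the clock is
    still in the same 30-second step; afterwards the key material is gone."""
    blob = encrypt(derive_key(PASSWORD, totp(TOTP_SEED, t_encrypt).encode(), SALT), VAULT)
    return decrypt(derive_key(PASSWORD, totp(TOTP_SEED, t_open).encode(), SALT), blob)


def unlock_with_token(enrolled_secret: bytes, presented_secret: bytes):
    """Fold a token's challenge-response into the key. The challenge sits in the
    vault header and the response is deterministic, so the right token reproduces
    the same key material on every unlock and a wrong token does not."""
    blob = encrypt(derive_key(PASSWORD, token_response(enrolled_secret, CHALLENGE), SALT), VAULT)
    return decrypt(derive_key(PASSWORD, token_response(presented_secret, CHALLENGE), SALT), blob)


if __name__ == "__main__":
    print("same TOTP step :", unlock_with_totp(30, 59))
    print("later TOTP step:", unlock_with_totp(30, 1111111109))
    print("right token    :", unlock_with_token(TOKEN_SECRET, TOKEN_SECRET))
    print("wrong token    :", unlock_with_token(TOKEN_SECRET, b"\x02" * 32))
```

Two things the run shows: the TOTP-keyed vault opens only within the same 30-second step and is permanently unreadable afterwards, while the token-keyed vault opens whenever the enrolled token is present. Even if the encrypt-time code were somehow kept around, a 6-digit code adds at most about 20 bits to the key, which is within brute-force reach for anyone who already has the file and the password. Only a factor the device can reproduce on demand, like a token's HMAC response or a smartcard decrypting a wrapped key, can actually strengthen offline encryption.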
  2. My1

    Security audit

    I wouldn't even say no requirement, but the most common 2FA used on the web (TOTP, SMS, U2F) would be pure snake oil, as they couldn't contribute to the encryption in any way.
  3. You have to say you already have got it and confirm your email address to access the pro version.
  4. Couldn't you just use "sign in with Apple" and the rest would happen automatically? Same as what is possible with Google?
  5. They don't ask you to pay again; in fact, even people like me who could get the Android version for free get full access now on all platforms: basically you just say already registered, sign in, click sign in with Google, and boom.
  6. In fact, read the email: it says clearly that the code is valid for 5 mins.
  7. Well, Enpass does have a (granted, more expensive if you use fewer platforms) one-time purchase, though I mean even though they say and probably do (didn't try yet) make the desktop versions fully featured and fully free, you basically pay as if you would buy for all 5 platforms (Win, Mac, Lin, iOS, Droid).
  8. Sure, but the reverse isn't true. You cannot install the W10 version (which is the only one that can get premium) on Win7 or 8.
  9. Is there a reason why you make the premium features only available on the store version?
  10. Well, that winstore and win32 are split is understandable, because as Enpass said they can't access the store stuff from the win32. But maybe the win32 should just get Windows Hello and stuff, so no winstore is needed for premium and one can instead use the traditional one for everything.
  11. @Vinod Kumar why is there no option to buy the normal Enpass version? Windows <10 users thus cannot get premium at all, which obviously sucks, and not everyone likes giving anything into the hands of MS.
  12. My1

    Security audit

    That is interesting, and thanks for that. Also, toor, thanks for all the other info in this long post. Awesome.
  13. My1

    Security audit

    What new pricing model? Did they start using subscriptions or what? I would guess that especially this part stands out a lot:
  14. My1

    Security audit

    True enough, but do mind that when you "only" have about a month and a hacker may go on for YEARS, obviously they can potentially find more vulnerabilities and whatnot. And new attack vectors can come up all the time, but that may not even be the fault of Enpass but of the underlying OS or whatever as well.
  15. My1

    Security audit

    True enough, although I wouldn't have expected that Sodium gets dropped in v6.
  16. My1

    Security audit

    As I am HEAVILY against W10, I can assure you that I don't have the store version. These are the folder views for Enpass 5 and 6 respectively, with no Sodium to be found.
  17. My1

    Security audit

    Btw, regarding Sodium, I just did a search on my PC for anything Sodium-related and I didn't find any Sodium files in the Enpass-related folders. Is that because Windows is using something else, or is there something wrong?
  18. My1

    Security audit

    Well, finally we have some visible progress. The beta of EP6 started, so now we have something to work with.
  19. My1

    Security audit

    @rembert While I fully agree that it is annoying to wait for version 6 to get an audit, they kinda do have a point. Audits are probably expensive as hell, and where a new version is in development it would kinda be ugly to audit the old version, and users would take that as a reason to not get the newer version, or users wouldn't trust the new version as much as the old one.
  20. My1

    Security audit

    Okay, well, I am not from the US, and therefore essentially both LP and Enpass are alien companies for that matter. One of the best things about Enpass is that they make it easy to not need to trust them. Their database is in a relatively open format, and I can choose where to store it, or even do the sync myself while letting Enpass itself not even touch the internet with a "10 foot pole", as you Americans tend to say (I'd rather say ten meter, but that's another story). Meaning I could essentially pseudo-air-gap Enpass and let, for example, the Nextcloud client do the sync of everything, which makes it impossible for Enpass to do anything crazy in regards to moving data somewhere where it doesn't belong or whatever. Regarding seeing your replies, I have an email notification, but even if I hadn't, usually when an account is removed the posts don't vanish; it will mostly remove your picture and other data and say "deleted user" instead of your username.
  21. @ChaosNo1 The security of the data depends on mainly 2 things:
      • access to the database file
      • encryption of the database
      And let me tell you one thing first regarding 2FA: 2FA only restricts the access to the file; if they can access that some other way, your 2FA gets useless. So you can use it to get a bit more extra security (I do so as well), but important: DON'T RELY ON IT. Regarding online managers, they more often than not allow for caching the database locally, so there is usually also a local copy lying around for those, making the only real difference between Enpass and online managers that with Enpass YOU CAN CHOOSE where to store your database. It doesn't have to be your NAS; any cloud provider would also do, and while some may not like the fact that cloud providers have the database, there's another big difference between a database stored in the classic cloud and an online manager: THE SEPARATION OF APPLICATION AND STORAGE. Nothing can really prevent a maker of a password manager from being forced by their government to implement code to get your passwords, but the thing is that when you have the data at some place which is not run by the maker, they now have a problem, because with a strict firewall a sync will only occur to the place you selected, making it harder for them to get anything, and even more so when you use your own storage.
  22. My1

    Security audit

    Has LastPass been audited? Also, LastPass obviously has the problem that they have your data. Also, the way LP stores the data is apparently relatively open and based on standards, so people can try to check that for themselves.
  23. My1

    Security audit

    The UI I saw was more like this: and reminds me more of KeePass. And having a list of categories on the left, the list of entries in the middle, and the content on the right (or bottom) isn't really creative; this is a similar thing to what mail clients have done for eternities, and given this basic idea, which makes sense, it's not really a wonder they look similar.
  24. My1

    Security audit

    No, 1PW is not open source as far as I remember. Also, I have no exact idea when 1PW6 was released, but the version before had a drastically different UI.
  25. The only sane way to do 2FA, if any, and that's only if that would work with crypto and smart cards. They can do fancy stuff like signing, and therefore decryption might be possible.