Enpass Discussion Forum

My1

Members
  • Posts: 107
  • Days Won: 4
Everything posted by My1

  1. in fact, read the email: it says clearly that the code is valid for 5 mins.
  2. well enpass does have a (granted, more expensive if you use less platforms) one time purchase though I mean even though they say and probably do (didn't try yet) make the desktop versions fully featured fully free, you basically pay as if you would buy for all 5 platforms (win, mac, lin, ios, droid)
  3. sure but the reverse isn't true. you cannot install the W10 version (which is the only that can get premium) on Win7 or 8.
  4. is there a reason why you make the premium features only available on the store version?
  5. well that winstore and win32 are split is understandable because as enpass said they can't access the store stuff from the win32. but maybe the win32 should just get win-hello and stuff, so no winstore is needed for premium and one can instead use the traditional for everything.
  6. @Vinod Kumar why is there no option to buy the normal enpass version? windows <10 users so cannot get premium at all which obviously sux and not everyone likes giving anything into the hands of MS.
  7. My1

    Security audit

    that is interesting and thanks for that also toor thanks for all the other info in this long post. awesome.
  8. My1

    Security audit

    What new pricing model? Did they start using subscriptions or what? I would guess that especially this part stands out a lot:
  9. My1

    Security audit

    true enough, but do mind that when you "only" have about a month and a hacker may go on for YEARS obviously they can potentially find more vulnerabilities and whatnot. and new attack vectors can come all the time but that may not even be the fault of enpass but the underlying OS or whatever as well.
  10. My1

    Security audit

    true enough. although I wouldn't have expected that Sodium gets dropped in v6.
  11. My1

    Security audit

    as I am HEAVILY against W10 I can assure you that I don't have the store version. These are the folder views for enpass 5 and 6 respectively with no sodium to be found.
  12. My1

    Security audit

    btw regarding Sodium, I just did a search on my PC for anything sodium related and I didn't find any Sodium Files in the Enpass related folders. is it that because windows is using something else or is there something wrong?
  13. My1

    Security audit

    well finally we have some visible progress. the Beta of EP6 started, so now we have something to work with.
  14. My1

    Security audit

    @rembert While I fully agree that it is annoying to wait for ver 6 to get an audit they kinda do have a point. Audits are probably expensive as hell and where a new version is in development it would kinda be ugly to audit the old version and users would take that as a reason to not get the newer version, or that users wouldn't trust the new ver as much as the old one.
  15. My1

    Security audit

    okay, well I am not from the US and therefore essentially both LP and Enpass are alien companies for that matter. one of the best things about enpass is that they make it easy to not need to trust them. their database is in a relatively open format and I can choose where to store, or even do the sync myself while letting enpass itself not even touch the internet with a "10 foot pole" as you americans tend to say (I'd rather say ten meter, but that's another story). meaning I could essentially pseudo-airgap Enpass and let for example the Nextcloud client do the sync of everything, which makes it impossible for Enpass to do anything crazy in regards to move data somewhere where it doesn't belong or whatever. regarding seeing your replies, I have an email notif, but even if I hadn't, usually when an account is removed the posts don't vanish and it will mostly remove your picture and other data and say deleted user instead of your username.
  16. @ChaosNo1 The security of the data depends on mainly 2 things: (1) access to the database file, (2) Encryption of the database. and let me tell you one thing first regarding 2FA: 2FA only restricts the access to the file, if they can access that some other way your 2FA gets useless, so you can use it to get a bit more extra security (I do so as well) but important: DON'T RELY ON IT. Regarding online Managers, they more than often enough allow for caching the database locally so there is usually also a local copy lying around for those making the only real difference between Enpass and online managers that with Enpass YOU CAN CHOOSE where to store your database. it doesn't have to be your NAS, any cloud provider would also do, and while some may not like the fact that cloud providers have the database, there's another big difference between a database stored in the classic cloud and an online manager. THE SEPARATION OF APPLICATION AND STORAGE. nothing can really prevent a maker of password manager being forced by their government to implement code to get your passwords, but the thing is that when you have the data at some place which is not by the maker they now have a problem because with a strict firewall a sync will only occur to the place you selected, making it harder for them to get anything, and that even more so when you use your own storage.
  17. My1

    Security audit

    has Lastpass been Audited? also Lastpass obviously has the problem that they have your data. also the way LP stores the data is apparently relatively open and based on standards so people can try to check that for themselves.
  18. My1

    Security audit

    the UI I saw was more like this: and reminds me more of keepass. and having a list of categories on the left and on the middle the list of entries and the content on the right (or bottom) isn't really creative, this is a similar thing as what mail clients can do for eternities, and this basic idea which makes sense, it's not really a wonder they look similar.
  19. My1

    Security audit

    no 1pw is not open source as far as i remember. also I have no exact idea when 1pw6 was released but the version before had a drastically different UI.
  20. the only sane way to do 2FA, if any, and that's only if that would work with crypto and smart cards. they can do fancy stuff like signing and therefore decryption might be possible.
  21. I messed up a bit, sorry, just woke up. I mean that as soon as someone has your password database most common 2FA isn't going to stop anyone. a keyfile in contrast only adds a superlong password and a dedicated keyfile, with randomized contents is something that for example a virus or stuff could easily snoop up. in combination with the fact that enpass would be installed a virus could snatch the key file and pw database and get out, and the password could be then bruteforced. other than a real second factor, the key file can be copied a thousand times over and no one would notice.
  22. well 2FA would work if the key file is ONLY in the cloud, as soon as someone got your keyfile through one way or another, the second factor won't matter anymore. meaning you would have to delete it after each sync. but yeah a key file is one approach but essentially just another type of super long password, essentially. if anything a smartcard would be the only option if that's even somehow possible to do
  23. 2 Factor CAN NOT WORK properly in an OFFLINE password manager.
  24. well some clouds do delta uploads, but the problem is that not all clouds support that, also for delta uploads you have to make the encryption in a way that delta works because depending on the encryption algorithm, the parts that come later may be heavily influenced by what came before so changing an early attachment would instantly change pretty much everything else making delta uploads impossible
  25. wouldn't it make more sense to split the attachments into multiple files when they get larger like into blocks of 20MB or whatever. because with just one large file which has all the attachments, it MAY get "funny"