  1. On 2/5/2019 at 10:15 PM, toor said:

    First of all, the disclaimer "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit" is standard

    That is interesting, and thanks for that.


    Also, toor, thanks for all the other info in this long post. Awesome.

  2. 1 hour ago, GoodbyeEnpass said:

    I am leaving Enpass due to this poor security audit and new pricing model.

    What new pricing model? Did they start using subscriptions or what? 

    1 hour ago, Vinod Kumar said:

    Please help me understand what is wrong with security audit.

    I would guess that especially this part stands out a lot:

    On 12/28/2018 at 10:19 PM, djohannes said:

    It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit


  3. 3 hours ago, djohannes said:

    Did you read your Audit? "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit of the Enpass apps and their API in scope, nor should it be thought of as a compromise it"

    "The audience of this report should be aware that a malicious actor, capable of committing extended time and with enough resources may find new attack vectors or vulnerabilities that could allow it to eventually compromise the security of the Enpass apps and their API in scope"

    True enough, but do mind that when you "only" have about a month and a hacker may go on for YEARS, obviously they can potentially find more vulnerabilities and whatnot. And new attack vectors can come all the time, but that may not even be the fault of Enpass but of the underlying OS or whatever as well.

  4. Btw, regarding Sodium, I just did a search on my PC for anything Sodium-related and I didn't find any Sodium files in the Enpass-related folders. Is that because Windows is using something else, or is there something wrong?

  5. @rembert While I fully agree that it is annoying to wait for ver 6 to get an audit, they kinda do have a point.


    Audits are probably expensive as hell, and when a new version is in development it would kinda be ugly to audit the old version; users would take that as a reason not to get the newer version, or users wouldn't trust the new version as much as the old one.

  6. Okay, well, I am not from the US and therefore essentially both LP and Enpass are alien companies for that matter. One of the best things about Enpass is that they make it easy to not need to trust them. Their database is in a relatively open format and I can choose where to store it, or even do the sync myself while letting Enpass itself not even touch the internet with a "10-foot pole", as you Americans tend to say (I'd rather say ten-meter, but that's another story).


    Meaning I could essentially pseudo-airgap Enpass and let, for example, the Nextcloud client do the sync of everything, which makes it impossible for Enpass to do anything crazy in regards to moving data somewhere it doesn't belong or whatever.


    Regarding seeing your replies, I have an email notification, but even if I hadn't, usually when an account is removed the posts don't vanish; it will mostly remove your picture and other data and say "deleted user" instead of your username.

  7. @ChaosNo1

    The security of the data depends mainly on 2 things:

    • Access to the database file
    • Encryption of the database

    And let me tell you one thing first regarding 2FA:

    2FA only restricts access to the file; if they can access that some other way, your 2FA becomes useless. So you can use it to get a bit of extra security (I do so as well), but important: DON'T RELY ON IT.

    Regarding online managers, they more often than not allow caching the database locally, so there is usually also a local copy lying around for those, making the only real difference between Enpass and online managers that with Enpass YOU CAN CHOOSE where to store your database. It doesn't have to be your NAS; any cloud provider would also do, and while some may not like the fact that cloud providers have the database, there's another big difference between a database stored in the classic cloud and an online manager.


    Nothing can really prevent the maker of a password manager from being forced by their government to implement code to get your passwords, but the thing is that when you have the data at some place which is not the maker's, they now have a problem, because with a strict firewall a sync will only occur to the place you selected, making it harder for them to get anything, and even more so when you use your own storage.

  8. 6 hours ago, mudfly said:

    I commented here approximately 1 year ago. Due to the silence from the developer, I am unfollowing this thread and will continue to recommend Lastpass to everyone who needs a password vault. 

    Has LastPass been audited?

    Also, LastPass obviously has the problem that they have your data. Also, the way LP stores the data is apparently relatively open and based on standards, so people can try to check that for themselves.

  9. The UI I saw was more like this:


    and reminds me more of KeePass.

    And having a list of categories on the left, the list of entries in the middle and the content on the right (or bottom) isn't really creative; this is similar to what mail clients have done for eternities, and since this basic idea makes sense, it's not really a wonder they look similar.

  10. I messed up a bit, sorry, just woke up.

    I mean that as soon as someone has your password database, most common 2FA isn't going to stop anyone.

    A keyfile, in contrast, only adds a super-long password, and a dedicated keyfile with randomized contents is something that, for example, a virus or stuff could easily snoop up. In combination with the fact that Enpass would be installed, a virus could snatch the key file and PW database and get out, and the password could then be brute-forced.

    Unlike a real second factor, the key file can be copied a thousand times over and no one would notice.

  11. Well, 2FA would work if the key file is ONLY in the cloud; as soon as someone got your keyfile one way or another, the second factor won't matter anymore.

    Meaning you would have to delete it after each sync.

    But yeah, a key file is one approach, but essentially just another type of super-long password.

    If anything, a smartcard would be the only option, if that's even somehow possible to do.

  12. Well, some clouds do delta uploads, but the problem is that not all clouds support that. Also, for delta uploads you have to make the encryption in a way that delta works, because depending on the encryption algorithm, the parts that come later may be heavily influenced by what came before, so changing an early attachment would instantly change pretty much everything else, making delta uploads impossible.
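
The chaining effect described in that post, shown as an added example that is neither Enpass's code nor anything the poster wrote: the same vault encrypted once as a single AES-CBC stream and once chunk by chunk with AES-GCM, each chunk under its own nonce. It assumes a constructed key and a 4096-byte sync chunk, and the two numbers it returns are how many chunks a delta upload would have to resend after a one-byte edit inside the second chunk.

```go
package main

import ("bytes"; "crypto/aes"; "crypto/cipher"; "crypto/rand"; "fmt")

// chunkSize is the sync granularity (a constructed value); a sealed chunk also carries a 12-byte nonce and 16-byte tag.
const (chunkSize = 4096; sealedSize = chunkSize + 28)

// cbcWhole encrypts the vault as one AES-CBC stream: every block is chained to the one before it,
// so an edit early in the plaintext changes every block after it. (IV fixed only so two runs compare.)
func cbcWhole(key, plain []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	out := make([]byte, len(plain)) // len(plain) is a multiple of 16 here
	cipher.NewCBCEncrypter(block, make([]byte, 16)).CryptBlocks(out, plain)
	return out
}

// sealChunk encrypts one chunk on its own with AES-GCM under a fresh random nonce; returns nonce||ciphertext||tag.
func sealChunk(key, chunk []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: an error here would mean a broken OS RNG
	return gcm.Seal(nonce, nonce, chunk, nil)
}

// changedChunks counts the stride-sized pieces that differ: what a delta upload would have to resend.
func changedChunks(before, after []byte, stride int) (n int) {
	for i := 0; i < len(before); i += stride {
		if !bytes.Equal(before[i:i+stride], after[i:i+stride]) {
			n++
		}
	}
	return n
}

// demo flips one byte inside chunk 1 of an 8-chunk vault and returns how many chunks change
// as (CBC as one stream, per-chunk GCM where the untouched chunks are reused as-is).
func demo() (cbc, gcm int) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key
	vault := make([]byte, 8*chunkSize)
	edited := append([]byte(nil), vault...)
	edited[chunkSize+10] ^= 0xff
	var before []byte
	for i := 0; i < len(vault); i += chunkSize {
		before = append(before, sealChunk(key, vault[i:i+chunkSize])...)
	}
	after := append([]byte(nil), before...)
	copy(after[sealedSize:2*sealedSize], sealChunk(key, edited[chunkSize:2*chunkSize])) // re-seal chunk 1 only
	return changedChunks(cbcWhole(key, vault), cbcWhole(key, edited), chunkSize), changedChunks(before, after, sealedSize)
}
func main() { fmt.Println(demo()) } // prints "7 1"
```

With CBC the edit in chunk 1 ripples into chunks 1 through 7, so a fresh IV would make it all 8; with per-chunk GCM only the re-sealed chunk 1 changes, which is what makes a delta upload possible.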

  13. 55 minutes ago, Vikram Dabas said:

    where attachments [...] will be saved as a different file.

    Wouldn't it make more sense to split the attachments into multiple files when they get larger, like into blocks of 20 MB or whatever? Because with just one large file which has all the attachments, it MAY get "funny".

