My1

20 minutes ago, Iliyan said:

Where do you store the print-quality PDF with scans of your passport or of other personal documents?

I would be VERY careful with passports and similar gov-issued documents, depending where you live, storing these can be illegal, especially in print-quality. and for other things like a credit card it might be that it's against the contract especially since the check number on the back is supposed to make sure that the card is "present" during the transaction.

also you can get an application that's made for storing files, like veracrypt, steganos or similar solutions.

Enpass is supposed to be a password manager and not a file safe.

Just now, Iliyan said:

I understand that everything is stored in one file, I had the same setup with KeePass. And I'm fine with this file being bounced around. As I suggested above, perhaps the user can be warned that large files can slow down syncing (and use more data). It's then the user's choice. Or, alternatively, put an "advanced" option somewhere in the settings to lift this limitation, again warning the user that doing so may impact syncing performance.

P.S. Just noticed that I can attach files to this post, with max total size 19.53MB

well true, regarding the PS, well total, meaning that it's for all posts, and as far as I know IPBoard correctly this is a shared limit among all users, meang if I would attach 19MB now, you could just attach about half an MB.

Forum aside, the intresting part is whether the 200kb limit is total or per file is something I dont know, but if it would be peer file you could archive the file into a split archive.

21 hours ago, Iliyan said:

Do you have any update on this? It's important for me (and I guess many others too) whether we will be able to attach larger files in future. Seems like an artificial limitation.

yes the limitation is artifical but reasonable, as of now, enpass stores the attachments in the same file as the password DB meaning that if you use sync, that the whole files with everything, has to be bounced around all the time as soon as anything changes. If/when they make it so the database and attachments can get split, this problem will solve itself.

On 30.3.2017 at 7:26 PM, maxdamo said:

• 3rd, it's a super-long password which cannot be broken/guessed in any way, and the few characters that you'll add won't add any security (yes, if somebody steals the key, can use it to login, but they need to steal the laptop together with they key.... let's go back to real life scenarios  )

it can be quite a real life scenario, especially with the nano-sized yubikeys.

also instead of making 2 different passwords and accept both, you could just set whatever you want as the static pass for the yubi and use that as decryption

now we are talking epic stuff.

thanks @Hemant Kumar

I think it's rather about importing from ff directly rather than ff sync.

android >=4.2 has multi user support iirc (unless the maker killed it, but it could be revived with mods)

https://github.com/steffen9000/enpass-decryptor

but why does the check fail if the browser is signed? clearly indicated by the error report.

wait a sec, dont google's guidelines Marshmallow iirc enforce the use of the Android native API for fingerprinting on devices with it?

stupid question while we are at it, can enpass sync with self-signed HTTPS webdav on all clients?

shouldnt you be able to get into the enpass upgrade dialog and upon selecting to purchase the upgrade select the account and then it should throw you back with a statement that you already bought it?

On 8.4.2016 at 11:59 AM, rk said:

Also it would be great, if there were groups, which you can assign to users and if you add a password, you can select which group has access to this password.
Additionally another field, where you can add/remove single users from accessing the password.

small reminder, this is an offline database, you can forget permissions on that. the only Idea would be a hosted server which manages those permissions

the only Problem is that if whoever has control of the server has the decryption password they can completely circumvent the permissions.

On 26.4.2016 at 5:11 AM, ev said:

I have just been searching for such a thing. Rather than seperate vaults (with seperate logins, seperate sync, etc) perhaps one vault for the company with personal folders within, each with their own password access. The user creates a folder like they current can do, with the option to add a password to this folder.

partially a good Idea but throwing out milti-vault because of this is a bad Idea. while it is helpful to say that group PWs and per-user PWs should be split, truly personal passwords should not be stored in the company DB at all.

On 1.12.2016 at 0:33 PM, xador said:

Master password of the main vault allows the use of all vaults (yes, we stay with a "1 password to remember" approach even if each vault has its own encryption key)

not a good Idea, or at least not a good default, if we have seperate vaults e.g. for coorperate and personal use or whatever there should be seperate passwords, I mean otherwise, what's the point of having multiple vaults?

kinda sad since there's quite little here with just Google Drive, icloud (Apple devices only), Dropbox and box iirc, and EVERY ONE of those is US based.

okay we have webdav but there are very few clouds that actually support it (the main I know are owncloud and nextcloud, but these are generally self-hosted)

well I made myself a box account to have my passwords as far away from anything other personal. sadly box doesnt do a standard TOTP 2 factor (well apple doesnt either) they just do SMS but well better then nothing and I prefer having my PWDB somewhere else then my general use cloud.

one of the best things newer windows versions (iirc vista and above) have is the secure desktop, where an application (usually the UAC dialog) can go into its own secure environment where nothing that doesnt have admin rights (especially your average keylogger) can spy in to see any passwords typed in, or interact with it in any way.

one feature I really would love would be allowing DB unlock on the secure desktop

I have enpass as auto start on windows and iirc it always goes quietly right into the tray.

I wonder whether this is even possible in chrome, it is fairly locked down, Firefox may have better chances although they are sadly disappearing with then essentially killing their customization features of addons.

the problem of a self-hosted web app is that it's open source, and well enpass surely isnt, but it may be possible to code something yourself. on github there is an enpass opener which could be used to open the DB and then read it somehow.

sync being a canadian company is FAR (well at least from a standpoint of law) away from all those US Cloud Services which have fairly annoying laws regarding surveillance and stuff, it would be really great to add it to the list.

although there is just one problem. if you use enpass with mobile you have the problem that most probably those cant really deal with smartcards.

the only way I see this happening is as a possible replacement for the master password with still allowing one to be set and used for mobile usage.

how about you go disable automatic sumbission and check whether anything gets filled in in the first place?

why not just check the signature and be happy in general, although a self-set trust would be epic.

but one thing I would really appreciate would be showing it in a better way. i just got the signature error once by random, all the other times it just shows a connection error with no further details as if enpass wouldnt even have been launched.

On 18.7.2016 at 7:44 AM, Anshu kumar said:

Enpass browser extension support only stable version of Opera browser

may I ask why, I mean direct support is one thing but the signature check should work, or maybe at least display that opera doesnt do beta with enpass. also I think I have used enpass with opera dev in the past

but then again iirc the UWP can do Win Hello, iirc.