Vinod Kumar

Enpass team member
Vinod Kumar last won the day on April 26

  1. Security concern

    Hi @MatMaul There is nothing annoying about your queries. This is the purpose of discussion forums and we really appreciate your presence here. And many thanks for choosing Enpass and showing your trust. Security is an ongoing process and you shall definitely see improvements in the next major release. Let me attach here the answer from the SQLCipher author himself. It should make things clear.
  2. Hi @rauppe31, This issue is related to a Qt framework bug which has not been resolved yet. We tried to hardcode the environment variable, but it keeps on causing sync-related issues on some of our test systems. We prefer to wait until the upstream bug has been fixed. However, the next major release, Enpass 6, will not use Qt network APIs and will not have this bug. We are sorry that you have to live with a manual workaround for a while.
  3. Elmsoft Enpass

    Hi @fmfm, Enpass uses SQLCipher (an open-source and peer-reviewed cryptography engine) with 24000 rounds of PBKDF2-HMAC-SHA1. In the context of PBKDF2 or HMAC, SHA1 is still quite suitable from a security standpoint. We have already increased the number of iterations with an improved algorithm, and we will implement these changes in the production stream from the next major release, 6. And finally, as concluded in their post https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/ , the choice of a strong master password is the most important factor guarding your data. Cheers
  4. How to disable pulseaudio?

    Hi @vsq, You won't be able to run Enpass without pulseaudio installed. We don't have a command line flag for disabling it. Though this library is installed by default on almost every Linux desktop system, you have a unique situation here. Please install the relevant pulseaudio package on the target system and try again. Cheers
  5. data.xml - PLAINTEXT PASSWORD

    Hello Andre! Thank you for reporting the vulnerability and co-operating with us throughout the fixing process. Well, the vulnerability has been fixed and the updated version 5.5.3 has been rolled out on June 12, 2017. More details here: https://www.enpass.io/blog/an-update-on-the-reported-vulnerability-of-enpass-for-android/ Also, it's a request to every Enpassian who is using versions 5.4.6 to 5.5.2 on Android to please update the app to the latest version 5.5.3 immediately. Cheers!
  6. jakarta httpclient 3.1

    Hi @lucas, Can't provide an ETA. The library shouldn't create a problem as the WebDAV specs have not changed since its deprecation. The problem can be due to many other reasons, including the server's implementation of WebDAV. Please try WebDAV sync in the desktop version of Enpass. Also, if possible, can you provide us a demo account?
  7. Windows Hello on Windows Desktop

    Hi @Arthur Rump, Thanks for providing really helpful pointers. We will be including Windows Hello support in the next major version.
  8. jakarta httpclient 3.1

    Hi @lucas, Yes, we are moving to another WebDAV implementation (C++ libcurl based) in the next major version.
  9. Increase PBKDF Iterations...

    Hi @lucas, I think you are pointing towards the recent SHA-1 collision attack. PBKDF2 in SQLCipher uses HMAC-SHA1, and it is still secure. The two are not quite the same thing.
  10. Can someone spoof a login?

    Hi @ctrl_alt_pasta, What @Ivarson said is certainly right. Enpass doesn't do any security validation for you. Your browser is equipped with the best tools to do any security validation about the identity of the host. Constant updates are provided to guard against spoofing attacks like address bar spoofing. So, one should always pay attention to the browser's address bar warnings for broken or invalid certificates. However, before autofilling, Enpass always matches the domain name for saved items and shows only relevant items. This protects you against phishing attacks with look-alike domains.
  11. Increase PBKDF Iterations...

    SQLCipher has the API 'PRAGMA kdf_iter' to configure the number of iterations as needed.
  12. Hi @Unsay, The refactoring process has been started as per plan with a new vault architecture that can support multiple vaults and many requested features that were not possible with the older architecture. Side by side, we have fixed a lot of pending bugs for the upcoming update, which is the main cause of the slow release cycle as of now. We have also done a feasibility test for a separate core headless app, but as we use Qt in many places in the core part also, it is still going to load Qt libraries at startup and hence there is no improvement in startup impact. So, we still continue to use our current model (core and UI in the same app). However, we are finding ways to reduce startup impact as per Microsoft guidelines https://msdn.microsoft.com/windows/compatibility/startup-apps. Thanks
  13. OwnCloud/NextCloud Application

    @yce Transferring your master password or a derived key to the server is a very bad idea (which is required in the case of SQLCipher for PHP). It is best to do any encryption/decryption related stuff in a native app. If that is not a choice, the next best would be to encrypt/decrypt on the client side with JavaScript. The user can be authenticated with the server without sending the master password using a Secure Remote Password-like protocol, and the encrypted data can be fetched from the server and decrypted in JavaScript.
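The exchange described in the post above, as an added illustration that is not Enpass or SQLCipher code: an SRP-6a style login where the server stores only a salt and verifier, both sides arrive at the same session key, and the vault key (PBKDF2-HMAC-SHA1 with the 24000 rounds mentioned in the other posts) is derived independently and stays on the client. The group parameters, hash choices and the "vault" salt suffix are constructed for the demo.

```python
import hashlib
import secrets

# Toy SRP-6a group, constructed for illustration only: N is the Mersenne prime
# 2^127 - 1 and g = 3. A real deployment uses an RFC 5054 group (2048-bit+).
N = (1 << 127) - 1
g = 3

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter

def register(password: bytes):
    """Client side at sign-up: the server stores (salt, verifier) only."""
    salt = secrets.token_bytes(16)
    x = H(salt, hashlib.sha256(password).digest())
    return salt, pow(g, x, N)

def vault_key(password: bytes, salt: bytes) -> bytes:
    """Separate client-only key for the encrypted vault (PBKDF2-HMAC-SHA1,
    24000 rounds); it is never transmitted to the server."""
    return hashlib.pbkdf2_hmac("sha1", password, salt + b"vault", 24000, 32)

def srp_exchange(password: bytes, salt: bytes, v: int):
    """One login run with an in-process client and server.
    Returns (client_key, server_key, server_accepted_client_proof)."""
    # Client -> Server: A = g^a (ephemeral)
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server -> Client: salt and B = k*v + g^b (server holds only v)
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(to_bytes(A), to_bytes(B))  # scrambling parameter, both sides
    # Client: recompute x from the password, S = (B - k*g^x)^(a + u*x)
    x = H(salt, hashlib.sha256(password).digest())
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    # Server: S = (A * v^u)^b, no password or derived key needed
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    # Client -> Server: proof M1 = H(A, B, K); the server checks it with its K
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_client).digest()
    M1_expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_server).digest()
    return K_client, K_server, secrets.compare_digest(M1, M1_expected)
```

A wrong password changes x on the client side only, so the two session keys diverge and the proof fails without the server ever having seen the password.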
  14. Issues with Android app

    Hi @rerx and @gaetawoo, Thanks for writing in. We do confirm the bug in the password field. It got introduced in a version which allowed seeing passwords by tapping the eye button while editing. Our test runs use the standard Google Keyboard and so the issue was not spotted earlier. We have fixed this issue and will release an update soon. As I mentioned earlier, the current Fingerprint implementation in Android is very secure. Though in iOS we switch to the master password after three wrong attempts from Touch ID, security-wise no such requirement arises in Android. A person having possession of your fake fingerprint can unlock your phone and can do a lot of nasty things (including getting into Enpass on the first attempt after unlocking the device with that). If one is super sensitive about this, he should not turn on Fingerprint in Enpass (which is off by default). We always consider your valuable suggestions, which is why Enpass has reached so far. We will consider implementing your suggestion of a Fingerprint disable as an optional setting in future. Cheers,
  15. Wrong DPI scale since Enpass 5.2

    Hi @cimm, Glad it works for you. To set these environment variables automatically at login, please add them to $HOME/.profile:

        export QT_AUTO_SCREEN_SCALE_FACTOR=1
        export QT_SCREEN_SCALE_FACTORS=0.5

    Cheers