Enpass Discussion Forum

Vinod Kumar

Enpass team member

  1. Hi @Ivarson, Thanks for bringing this to our notice. You are right, we should have provided a better warning message. Icons are not treated as sensitive data and are for UI enhancement only. Obfuscating the cache filename can avoid casual guessing but will not resolve the problem completely. Also, different device resolutions, scrolling performance issues & complex updating mechanisms are a few situations where we decided to avoid storing them in the main database. This was a trade-off decision we made then. Maybe it’s time we look for an alternate strategy that satisfies all the requi
  2. Hi @UdhayanithiG, Thanks for raising the question. The short answer is NO. The article mostly discussed the autofill extensions of online password managers, which inject their UI/chrome into the web page and interact with their server. This additional chrome can be exploited by clickjacking, or exposed server endpoints can be accessed by additional scripts, because they live in the same shared space, i.e. the webpage. Here are a few points on how Enpass is immune to such attacks: 1. Enpass injects only a limited script to detect the presence of forms that the user may want to autofill. It does n
  3. Hi @buyrsr, I understand your concern about availability of data. You can always export data from Enpass to JSON format, which contains the complete details of your data and can be used by a software tool. Also, Enpass uses open-source SQLCipher for the database file. Enpass derives a key from the master password with PBKDF2-HMAC-SHA512 100K iterations (outside of SQLCipher) and uses it as the raw key for SQLCipher. You can find a few open-source implementations to read the Enpass database file on GitHub. Thanks.
  4. Hi @Ivarson, I understand your concern, but having a setting in Enpass will not solve it. You can always restrict Enpass connectivity via a firewall. Cheers:)
  5. Hi @electrolund, I can understand the worry of our users after this incident. I would like to provide some explanation about the delivery channels and tools we use: We have our own system to notify updates and distribution apart from standard app stores. All Enpass builds are automated and scanned against the VirusTotal service to eliminate human error. App stores: Most of the Enpass installations happen through various app stores (Apple store for macOS and iOS, Windows store and Google Play store), which do not require any third-party installer. Updates are also handled by corresp
  6. Yes. That is right. To have more information you can refer to this page. Cheers :)
  7. Hi @chrismin13, Thanks again for your efforts and for sharing stats with us. Both issues need to be fixed from our end in the software. We will share an internal build with you soon.
  8. Hi @Fab8, Unlocking via PIN is more of a convenience feature rather than security. In case of PIN, Enpass restricts access to data through the user interface without locking down the database. After three failed attempts, the database will be closed and a master password will be required next time. Your master password does not remain in memory any time after the initial unlock of the database. However, running sophisticated attacks with administrative privileges is still possible. We recommend against using PIN in such environments. :)
  9. Hi all, We have identified an issue with our handling of the Dropbox API. Upstream have made some changes and Dropbox sync is broken for iOS and Mac. We are on it and will issue an update as soon as possible. Thanks for your patience.
  10. Hi @chrismin13, Thanks for your efforts to bundle Enpass for the snap store. We are short on team to handle all kinds of packaging. We will give you explicit permission to redistribute our software for the snap store. Please share your email id in PM. As for the other bugs, issue 1 can be resolved from our side by checking an environment variable set by snap. Browser extension connection requires permissions to require system commands like readlink/netstat/lsof and a port open on localhost. The team is investigating the issues and possible fixes. Thanks, Vinod
  11. Hi @Trendsetter, Noted. It will be implemented soon. Thanks.
  12. Hi @Trendsetter, Password strength in Enpass is calculated using the zxcvbn algorithm. Calculation by this method does not rely solely on length but depends upon different kinds of patterns too. An additional character introduction may not necessarily result in increased strength if it introduces a pattern match according to the algorithm. Please visit the following links for more info. https://www.enpass.io/docs/security-whitepaper-enpass/miscellaneous.html#password-strength-estimation https://github.com/dropbox/zxcvbn Thanks.
  13. Hi @mschuppx1, You have mistakenly stored the signing verification key file in the apt sources directory. Remove the invalid files with these commands in the terminal and run apt update thereafter:
      sudo rm /etc/apt/sources.list.d/enpass-linux.key
      sudo rm /etc/apt/sources.list.d/wget-log
      Cheers:)
  14. Hi all, Thanks for your inputs. Let us first have a look at how biometric unlock in Enpass works, straight from our docs: The invalidation of keys is done by the OS itself and there is little Enpass can do. Certain custom ROMs and variants of Android OS invalidate TEE keys on reboot. On some devices you will not be able to turn on the Biometric setting in Enpass. Some ROMs also let you enable biometrics without setting a Device PIN/Passcode first, and that makes the TEE unprotected. If this is the case with your device, please enable Device PIN/Passcode from device settings and share results.