
Vinod Kumar

Enpass team member
Everything posted by Vinod Kumar

  1. Hi all, Very important discussion going on here. We had this feature once in Enpass as a mandatory setting and we removed it after backlash from users (convenience wins over security). Meanwhile, I have prioritized this feature request and it will be available as an advanced option, just like 1Password. Cheers:)
  2. Evidence is not required in this case. Keylogging, memory reading, screenshots and video recording are very much possible for a process with root privileges. Enpass throws away the master password after using it, but how the UI TextField handles memory internally is outside of Enpass's scope. This is an area where we are dependent upon the iOS security architecture. In future, we plan to use custom UI elements for text entry of the master password as well, just like we do in the Desktop versions.
  3. Hi @Fabian1, As stated by @Ivarson, the absolute security of an app is dependent on the OS itself. If the integrity of the operating system is broken and an adversary is able to run arbitrary code with root privileges, there is little Enpass can do to protect itself. However, I would like to summarize how Enpass stores its data and what happens if you use a PIN or biometrics to unlock Enpass. All of your data is stored in a database encrypted using your master password. None of your sensitive data is decrypted and stored in any temporary file, except when you need to export an attachment to an external app. Access/OAuth tokens for cloud services are also stored inside this encrypted database. So, a stolen Enpass database file is as secure as its master password. If you are using a PIN to unlock Enpass, or using biometrics on devices without a Secure Enclave, the master password is stored in the keychain in obfuscated (non-encrypted) form. In this case your master password can be obtained from a keychain dump and the adversary will be able to unlock your vault easily. If you are using biometrics to unlock Enpass on devices with an A7 or later chip, your master password is stored as encrypted data in the keychain, with a key stored in the Secure Enclave of the device. Modern iOS devices (iPhone 5s and above) have a Secure Enclave, and encryption keys are stored in a separate execution unit with its own processor and RAM. As per Apple, it requires a very sophisticated attack to break into the Secure Enclave. I have found no reference that the attack in question can lead to compromise of the Secure Enclave too. So, your master password, and hence all Enpass data, is secure if the Secure Enclave is resistant to the attack. Cheers:)
  4. Hi @qalisto, Thanks for bringing this up. With our current portable offering, the situation is no better than what has been reported in the said news article. While the master password is correctly wiped, other credentials do show up in memory. Blame the old architecture and the choices we have made in the past. In an ideal world, we would have released the portable version along with the regular version of Enpass 6. Due to resource constraints, we were unable to do so. The good news is that the portable version has been merged with the latest stable version and QA has started. Thanks.
  5. Hi @Phylum, Sorry for the late response. Let me assert that the severity of this kind of attack is low, given the nature of the permissions the attacker requires to exploit it. This attack is only possible on a compromised system where an arbitrary process can read another process's memory, and process memory protection is the operating system's responsibility. A password manager or any other user-space process can't defend against such attacks. However, we have taken some steps to mitigate this kind of attack. This was one of the reasons to rewrite Enpass 6 entirely with a new, robust architecture. Please check the Security Audit report where this issue appeared and the resolution was provided by us (page 5). Enpass is composed of two parts, Core and UI. The Core part is entirely in C++ and we have done extensive memory sanitization there. Almost always, the UI part is responsible for leaking secrets, because once an item is displayed in the UI, we don't have control over its internal UI buffers. We have to depend upon the garbage collector of the framework/language to finish the work. One possible solution is to create custom controls for everything related to passwords, and here is what we have done in various scenarios:
     • The master password is always scrubbed just after unlocking your database or usage on any other screen. Our custom editor control for master password input ensures this. You will almost never find a trace of the master password in memory.
     • Only the password you are currently interacting with is loaded into memory, and it is scrubbed after its usage. The UI control to view a password is a custom control.
     • Editing passwords - This is the only time we use a stock UI control to edit an item password. For better user experience, we are not using the same custom control we use for the master password. This password may or may not be found in the dump, depending upon when it was freed by the framework.
     Security is an ongoing process and we are continuously improving our software in every aspect, memory sanitization being one of them. We are working on bringing in custom controls at more leakage points. Thanks.
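The Core-side scrubbing described in the post above, illustrated with an added C++ example (not Enpass code; `secure_wipe`, `SecretBuffer` and `unlock_residue` are hypothetical names): the secret is held only while it is consumed and then overwritten through a volatile pointer so the compiler cannot drop the wipe as a dead store. It also shows the limit the post describes: once the bytes are copied into a framework-owned UI buffer, this object can no longer reach them.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Zero a buffer with a volatile write loop so the optimiser cannot drop the
// stores as "dead" (a plain memset just before free() is often elided).
void secure_wipe(void *p, std::size_t n) {
    volatile unsigned char *vp = static_cast<volatile unsigned char *>(p);
    while (n--) *vp++ = 0;
}

// Owns a secret (e.g. the master password) only while it is in use, scrubs it
// on wipe() and again on destruction, and forbids copies so no second,
// unscrubbed copy can appear.
class SecretBuffer {
public:
    explicit SecretBuffer(const std::string &s) : buf_(s.begin(), s.end()) {}
    SecretBuffer(const SecretBuffer &) = delete;
    SecretBuffer &operator=(const SecretBuffer &) = delete;
    ~SecretBuffer() { wipe(); }
    const unsigned char *data() const { return buf_.data(); }
    std::size_t size() const { return buf_.size(); }
    // Overwrite in place; storage is kept so it stays observably zero.
    void wipe() { if (!buf_.empty()) secure_wipe(buf_.data(), buf_.size()); }
    // Non-zero bytes still resident: the secret's length before wipe, 0 after.
    std::size_t residue() const {
        std::size_t c = 0;
        for (unsigned char b : buf_) if (b != 0) ++c;
        return c;
    }
private:
    std::vector<unsigned char> buf_;
};

// Simulates the unlock path: the password is consumed (a constructed,
// non-cryptographic mix stands in for the real KDF; an assumption) and
// scrubbed immediately afterwards. Returns {bytes resident while live,
// bytes left after wipe}; the second value is always 0.
std::pair<std::size_t, std::size_t> unlock_residue(const std::string &master) {
    SecretBuffer pw(master);
    std::size_t live = pw.residue();
    unsigned long mix = 5381;
    for (std::size_t i = 0; i < pw.size(); ++i) mix = mix * 33 + pw.data()[i];
    (void)mix;   // would feed the real key-derivation / unlock step
    pw.wipe();   // explicit scrub right after use, before any UI hand-off
    return {live, pw.residue()};
}
```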
  6. @balticsailor Next update should fix this. Beta is already out.
  7. Hi @EdF, Sorry for the trouble. Please let me know the version of Enpass you currently have. You can get it from Help->About. Thanks.
  8. Hi @jibba, These files are not meant to be restored directly, but here is a workaround. Take a backup of your current Enpass data. Uninstall and install again from the Windows Store. Create a new vault with any password. Go to Settings->Advanced Settings->Click on your data location. This data location will contain a vault.enpassdb and vault.json. Quit Enpass and replace these two files with the files you want to restore. Restart Enpass and you should be able to log in to the restored vault. Cheers.
  9. Hi all, Sorry for the inconvenience. This error means an unauthorized access error from OneDrive. Somehow the authorization token for OneDrive was revoked. Are you changing/adjusting your system time manually? Is it happening on your other devices too? A quick fix is to disconnect and sync again. Thanks.
  10. Hi @servilianus, I have filed a bug report. We will release a fix soon. Thanks.
  11. Hi @Dentonthebear, Sorry for the late reply. We have no restriction on size when you choose a custom icon. We resize a provided image to 200x200 pixels; after resizing, if its size is less than 100KB, it is used as the custom icon, otherwise not. So, a custom icon of 200x200 pixels and less than 100KB will always be accepted. Also, favicon support is coming soon and it will save you the time of adding a custom icon for every website. Thanks.
  12. Hi @Jay Mobile, There is an option to add "Software License" in Enpass under the "License" category. Go to Add(+)->License->Software License. Thanks.
  13. Hi @kkupe, Sorry for the inconvenience. The reason could be that the items do not have URL fields or were wrongly imported. Please let me know the 1Password version and the format you exported the file in. Thanks.
  14. Hi @thepisu, Thanks for reporting the bug. It is already in our bug list and a fix will be available in a subsequent release. Thanks.
  15. @kennyeastmids Sorry. Updated the previous post.
  16. Hi @BioDave1955, Sorry for the trouble. I can see two issues here. 1. Toolbar icons are not showing properly -> We are still investigating the issue. 2. Custom fields -> Did all of your custom fields disappear? Can you give us some idea of when you added the custom fields and in which version of Enpass? Thanks.
  17. Hi @Seger, The account/URL provided by you is not mountable in any file explorer, i.e. Finder (Mac), Nautilus (Linux) or Windows Explorer, because the URL you provided leads to a web service login page. Either the WebDAV is not configured properly or the demo URL provided is not correct. I have already sent you a PM about the problem on Jan 11. Thanks.
  18. Hi @stigvi, That's true. Attachments are kept in separate files in Enpass 6; they are synchronized only when restored, added or deleted. Cheers:)
  19. Hi @rfflower, Please click on the Extensions tab on the downloads page on our website. Here is the direct link for convenience: https://dl.enpass.io/stable/extensions/firefox/versions/v6.0.0.0-1/enpass-firefox-6.0.0.xpi Thanks.
  20. Hi all, This is certainly a false positive. We have contacted the Cisco Technical Assistance Center to look into it. Thanks.
  21. Hi @Oxymed32, My bad for pointing to the wrong link. Currently, macOS Mojave is on 10.14.2. I think the beta might be an issue here. Please update your system to the latest version and let me know if the problem still persists. Thanks.
  22. Hi @kennyeastmids, Sorry for the inconvenience. Windows 7 -> Please try this fix and let me know if it works for you: https://www.enpass.io/support/enpass-starts-with-blank-white-screen-on-windows-how-can-i-fix-it/ iPad -> Please wait for the next update for the iOS 9.3.5 Safari extension related fix. Thanks.
  23. Hi @Harry, Go to Settings->Vaults->Primary->Change password and choose Add KeyFile from the Advanced section, as shown in the screenshot in the previous reply. Thanks.
  24. Hi @mato, New Enpass extensions can only be used with v6 because both the app and the extension use different negotiation techniques than v5. So, you can't use a v6 extension with the v5 app or vice versa. Functionality-wise both are equal. The only pro for v6 is that it is being actively maintained and updated. Thanks.
  25. Hi @rburgst, Filed a bug report for this issue. Thanks.