Bill Rossum

  1. +1 PLEASE ADD THIS. I have a Ledger Nano S cryptocurrency hardware wallet which can act as a U2F hardware device which I would love to be able to use in place of a master password.
  2. I've been playing around with the HxD editor today, and it has a nice built-in feature that lets you view the memory of another process. This gave me the idea to check whether Enpass was exposing your sensitive information in memory. I opened up the running Enpass process in HxD, and did a simple string search for one of my passwords. Surprisingly, I was able to find multiple occurrences of my password stored as a raw string in memory, even while Enpass was locked (without PIN enabled). I was also able to find secure notes, usernames, TOTPs, and other sensitive information that I was not even accessing in the Enpass window. I tried finding many different entries, and one time I found a JSON encoded string containing lots of sensitive data including passwords, which would make it especially easy for an attacker to dump the database. I understand that there are some cases where exposing the sensitive data in memory is necessary, but it is concerning to me that lots of it seems to be littered everywhere, especially when unnecessary, and even after locking Enpass. Another thing to note is that HxD didn't even require UAC privileges to view the memory, which means this information is exposed to literally any other program running on your machine. Though I haven't attempted to, I think it would be quite easy to write a program to pull your passwords from the Enpass memory. Surely it is possible to encrypt the information in memory, and only expose it when displaying it on screen or copying it to the clipboard? Perhaps it would also be beneficial to clear the memory when you lock the database, with the exception of when a PIN is enabled? Screenshot taken of HxD after locking the wallet:
  3. I would like to see this feature as well.
  4. I also would like to see this feature implemented.
  5. These days, it's hard to not leave behind a digital footprint. People can often learn a lot about you just by googling your username. I think that Enpass could really help solve this problem by offering a random username generator. The usernames could be nonsensical, or they could be created from a predefined dictionary. It would also be nice to have a general random generator so that you could generate random values for any field, but I think this would be more difficult to implement. One possible use case would be randomly selecting an email to use from a list of your email addresses, which would also make it harder for people to track your online activities.
  6. Wow, thanks for telling me. I had no idea that this already existed. Great job team.
  7. Google Authenticator 2FA Implementation: Hi, first off, I would like to start by saying I love the product and I use both the desktop and paid mobile version. I think it would be great if there was something built into Enpass that could replace Google Authenticator, something that is able to store your 2-factor authentication secrets, and then display and copy the codes. In the past whenever I've dealt with Authenticators, it has always been a struggle to keep the secrets synced between devices, and I know this is a strong point for Enpass. I think this could be a feature that would draw a lot of people to Enpass. Thank you for your consideration.