I've been using Enpass for a while now and i'm well satisfied as my first password manager. An aspect that concern me the the most though, is the lack of protection aganist a master password sniffing attack or leak.
Basically, as i understand, if you have the master password you can decrypt the database and take all the passwords, easy, without a second factor authenticantion or somenthing similar to stop it. And since you need to manually insert the master password everytime you want to unlock Enpass, this make the job easy for a keylogger, a zero day virus, or even a random security camera watching the screen of your smarthphone. Even if you have enabled the PIN option, you still need to insert the master password at least once a day.
To remedy this, many password managers such as 1Password uses a secondary password called Secret password created locally by the password manager itself that you never need to type. I don't really know how it works since i never used it, but i got a similar idea: It would be possible to use the PIN to only unlock Enpass (the application itself), and leave the master password to crypt the database? So, even if the PIN get sniffed, it could be used only on that same device / Enpass instance. By letting only Enpass itself handle the master password internally.
It's only a concept obviously, but it would be nice to a have an extra layer of protection.
Also, i noticed that the auto-fill uses by default the "username" and "password" fields to fill all the login screens, even those who ask you for your "email" and "password". It would be also nice if you could choose what field use to auto-fill the request data, or make Enpass automatically recognizes which field to use by reading the web page or app window.
