Hitman

What would be the advantage over just using Enpass' built in WebDAV, DropBox etc. sync?

Maybe even better: introduce a specific kind of entry that is recognized as a vault (containing password, webdav/dropbox/etc. settings) and can be mounted/restored with one click.

It should not be attached/restored automatically, though. But it would be nice if you can easily pick an already saved vault "reference" entry and just say "restore". (Or the other way around: when selecting to add an existing  vault, allow picking an entry from one of the already opened vaults that is then used to fill in the to be restored vaults.)

17 hours ago, Frosty said:

The way Enpass works, is a slightly different way than many other passwordmanagers like for example 1Password. I like the idea of Enpass, but I think I also missing some features that the others have:

- I will get noticed when (one of) my Vaults is (tried to) opened by another location

- I will have the ability to disconnect my device from the Vault(s) when it's lost/stolen > now the vault is stored on the device. And I know it's hard to hack the vault, but it's not a safe idea that I don't have any control when my device is lost. The only way to handle this is to erase my whole iPhone with the 'find my iPhone'-app or in the Apple iCloud.

 

I think you can counter that by using WebDAV for sync. There you can track from where the access comes when syncing. Also you can change the WebDAV credentials when a device is stolen.

When a device is stolen with a vault on it (which is always available offline), you have to consider the content compromised (unless you really trust your master password and didn't store it using fingerprints). So if you change all your passwords and the one of your vault, the old information on the stolen device is useless. Triggering a remote wipe (via iOS or Android) is probably a better choice, though.

On 6/10/2020 at 8:48 AM, Mateusz said:

Hi @Pratyush Sharma and sorry for late answer.

 

Some of the websites (most are financial services like banks) use masked password entry on login. It means you have to enter only some of the password signs, e.g. first, third and the last.

If you password is 12345qwerty (hope it's not  ) and you get this input:

then you have to enter: 1,2,4 and y.

 

Which password sign you need to enter is randomize by the bank on each login.

 

Supporting this by Enpass means recognize which fields need to be filled with corresponding sign from stored password and autofill.

 

I hope it's now more clear to you.

Wow that is creepy. That implies that they store the plaintext password somewhere. Urgh.

On 5/18/2020 at 9:56 AM, Garima Singh said:

Hey @bartelsphoto

Welcome to the forum!

Thanks for letting us know that you would like to see this feature. Significant user demand is a big factor that determines our priorities for new features.  We really appreciate you for exploring the app and giving time in finding this valuable suggestion. The suggestion has been noted and forwarded to the development team.

Thanks.

Interesting point. Is there some way to see and vote feature requests? (like aha.io or within this forum?)

You can at least configure Enpass to immediately copy the TOTP code to the clipboard after auto filling the rest. So you could hit auto fill and then right away paste your clipboard content before hitting enter.

15 minutes ago, Dion said:

Hey @Kashish,

I would really like this so that I can use enpass as the storage backend for a secret manager and otp source for my work credentials. In particular, we have a VPN that requires the password appended with the related OTP for the password field to connect. The client I would add would poll enpass to request the secrets, and when enpass has been unlocked then use them to set up the vpn connection.

An enpass api is the only thing that has come close to making this secure to implement. And I don't need a full management api for it, just to be able to request credentials based on id/name once the db has been unlocked. Perhaps you could document/publish the api that is used by the browser plugins?

Best,

Dion

Since you seem to be technically versed, you can already do what you want, since Enpass uses the opensource library sqlcipher for storage.

See also:

4 hours ago, Matthieu said:

Multiple vault sync in same cloud or at lease webdav folders would be a key feature for most of us.

 

currently using 1password. Thinking to migrate to enpass (due to 1passwor new sibscription policy) as soon as multiple vault in same cloud will be available.

 

thanks

With WebDAV it's still doable. Just add the same account with different directories. As long as you don't have to rotate your WebDAV credentials (too often), it should not be that much of a problem.

On 11/9/2019 at 12:50 PM, IT'ler said:

I agree too. It's a security issue.

Erm, having multiple users using the same user account seems to be the real security issue here. That's not how a multi user system is supposed to work.

1 hour ago, xinterceptorx said:

Nothing has happened regarding this matter of properly implementing Multi-Vaul support? I need this feature as well for enpass to remain viable for me!

What do you mean? With WebDAV it works fine. I have multiple vaults, all synchronized via WebDAV.

Bump.

Any news if this is gonna be implemented or not? Anything I can do to help or to convince you that it's worth it?

On 10/22/2019 at 4:03 PM, seventhose said:

2FA like fido2 can prevent from a keylogger virus/attack and I think you have to consider it.

No, it can't. 2FA relies on the server side being in control and unmodifyable. Since Enpass works offline, all the necessary data and checks are on your machine. So an attacker can manipulate everything to his liking (system clock, etc.). Whatever second factor you choose, its secrets would have to be stored on your machine (as part of your vault) and would be protected with your password. Once this has been logged and the attacker has access to your files (which in your scenario he has), he can unlock the secrets and simply calculate the second factor. You gain no real security; you simply cost your attacker 5 more minutes of his time.

It already does support generating TOTP tokens ... which is what Google Authenticator uses.

With $30 you already have the license for all platforms. 10 for iOS, 10 for Android and 10 for Windows. Since they are lifetime and not restricted to the amount of devices (afaik), what more do you want?

Currently AutoFill is only available for Browser and Mobile. The Desktop version do not offer Autofill at all (as far as I know).

In which of these environments do you use it?

Since Enpass is a password manager ... what exactly do you need to SAP Logon that cannot be stored in a password manager? (You know: username + password for example)

Too bad this is still not implemented. I cannot fully switch (back) to Enpass :-(

Enpass will already create a sub directory called "Enpass". If you want it further down, simply add the directories to that path.

(for example https://<your-owncloud-host-domain>/remote.php/webdav/some/more/directories ... you may have to create them in advance, I guess)

2 hours ago, phg said:

The point is that the user interface really matters on a desktop app, and the Enpass 6 desktop user interface is just horrible and does not work great at all on with mouse and keyboard, because the interface was designed to be used in a tablet with touch as input. 

Well this is strange ... I use it daily on multiple Linux and Windows Workstations with keyboard and mouse and everything is fine here. I like the look and feel and also the added animations (although I would not need them). So from my perspective it really is a UI polish on top of Enpass 5. Which brings me back to my initial point: it is subjective.

1 hour ago, mjeshurun said:

6.0.0.93 didn't solve the cloud sync problem on Meizu Pro 6 running FlymeOS 6.3.0.0G. I still can't restore primary vault from cloud. 

Has you primary vault been created with a previous Enpass 6 beta version? Because the layout of the folder structure changed (the previous beta versions used a further subdirectory called "Enpass 6 Beta" ... simply move the vault out of that directory then it should work).

1 hour ago, tentimes said:

[...]The android version is only compatible with the non-app version of the windows version, [...]

What do you mean by that? You cannot access the same (shared) vault from Android and the Windows App? Are you sure the versions are identical? There is currently Enpass 5 (stable) and Enpass 6 Beta. They are not compatible (you can only convert from 5 to 6, but not back). Please check that you have Enpass 5 on Android and Windows or use the Beta on both systems (but don't forget that it is a beta ... keep backups!)

Regarding having to type the master password on desktop: I usually prefer the PIN. i.e. I have to enter the Master Password only when starting Enpass, from then on out it is enough to enter a (relatively) short PIN. Having to enter the Master Password after a reboot (or after restarting Enpass) is something I can live with. At least on a machine with a physical keyboard. So at least for the time being you could look into the PIN feature as alternative to the fingerprint (on Windows).

First of all, you should test before you buy. The free versions do work.

But regarding your problem: what exactly do you mean by they don't work together? I have enpass running on Mac, Linux, Windows and Android and they all are synced via WebDAV. So I would say they work together pretty good. Also on my Android device the fingerprint unlock works fine .... can you be more specific what doesn't work on android and how that manifests?

Paying for premium features is still far from non-free. You can still manage all passwords without restrictions. As far as I can tell, you don't lose anything in comparison to Enpass 5.

1 hour ago, havenerd said:

@Vikram Dabas @Anshu kumar Tried to get the new beta from the Debian repo and I got enpass-beta_6.0.0.149_amd64.deb, which is what I already have installed

Beware that the repo changed. So you may have to update your apt.sources.

2 hours ago, Ankur Gupta said:

Hi @Hitman,

Thanks for trying out the beta. Please make sure you have  "lsof" dependency installed on your system. 

If the problem persists, please let me know:

• Are you using multiple user on your linux machine and running the Enpass App on both users?
• Which Enpass version and Browser extension version you are using?

Thanks.

$ lsof -v
lsof version information:
    revision: 4.91
    latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
    latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
    latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
    constructed: Wed Mar 28 21:26:35 PDT 2018
    constructed by and on: builduser@anatol
    compiler: cc
    compiler version: 7.3.1 20180312 (GCC) 
    compiler flags: -DLINUXV=414008 -DGLIBCV=226 -DHASIPv6 -DNEEDS_NETINET_TCPH -DHASUXSOCKEPT -DHASPTYEPT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="4.14.8" -O
    loader flags: -L./lib -llsof 
    system info: Linux anatol 4.15.13-1-ARCH #1 SMP PREEMPT Sun Mar 25 11:27:57 UTC 2018 x86_64 GNU/Linux
    Only root can list all files.
    /dev warnings are disabled.
    Kernel ID check is disabled.

• Enpass claims to be version 6.0.0.197
• The Browser extension claims to be 6.0.0.56 (Chrome)
• I have currently only one user session - ("ps ax | grep enpass" only contains one entry)
• ss -a - l -n -p reports "tcp               LISTEN              0                    128                                                                                          0.0.0.0:10391                                             0.0.0.0:*"

All my systems are running ArchLinux and I have that problem no matter what desktop environment I tried (gnome, cinnamon, kde/plasma). Is there anything else I can check for?

Oh and Enpass 5 worked on those systems and as far as I can tell the first beta of Enpass 6 as well.