Enpass Discussion Forum


Posts posted by Anonym Potato

  1. Retaining the master password in memory, like on desktops???

    My whole problem is that the password is stored permanently on the flash memory. If you turn off your phone, the master password can still be recovered.

    All the other password managers do it like this. Why does Enpass think the user is unable to enter the master password on device restart? I would even say that this makes it much more probable to forget your password, if you never have to retype it.

  2. The Security Whitepaper says: "Enpass stores an obfuscated version of your master password in iOS Keychain that can only be accessed by Enpass"

    I don't understand why the master key needs to be stored on the flash memory. Even if this protects the key against other apps, it doesn't protect the key from being physically retrieved.

    I don't get why this risk is even necessary. Why can we not get the same security as 1Password users, by simply entering the key on every startup?

  3. I just moved to MiniKeePass.

    This app is a bit outdated, but because of a working security model it is still a much more secure alternative.

    It is really sad, but Enpass gives no f** about security. Still no security audit for iOS, master keys stored on the flash memory, secondary keys stored in the primary database.

  4. Why don't you open source your code? Open source doesn't mean free, and I don't think that a lot of people would build the software from the source code. Nobody is wasting so much time to save 12€. Enpass is cheap as hell, and no one would pirate it.

    • Like 1
  5. Hello, I am relatively new to Enpass,

    I noticed that after reboot, I can use the PIN to access my vault. How can this be secure?
    This means that the master password is stored locally on the flash memory.

    This and the fact that there has never been a security audit for iOS really worries me.

    Can someone explain to me how this might possibly be secure? I have a feeling that the reason why there is no security audit is that they know that there is no way their application passes the audit.

    • Like 1
  6. Hello, I just managed to enable WebDAV, but it still won't sync. I entered the right URL, username and password.

    I get a message:
    "Sync Error      Password of data on WebDAV is required"

    When I tap on Resolve, I can enter the WebDAV password again.

    Afterwards it gives me a weird message:
    "Please note that after the sync, the password of data on WebDAV will be changed to password of "Tresor-Name" vault."

    What does this mean? What can I do?

    I am using an iPhone XR on the latest iOS version.

  7. Ok. I just bought the app for macOS and iOS. I hope Sinew will fix this soon. Until then, I will have to continue paying for 1Password.
    Why not add a feature like this as an add-on? I am sure there are a lot of people willing to pay 5€ to get more security.

    It is really sad, because this might be such an ideal way to get away from this multiple password manager workaround.

  8. Because this adds a single point of failure. If the primary password is leaked, everything is leaked. Because there is information with different kinds of security levels, this is essential.

    Another problem is that in my company the use of PIN codes and biometric authentication like Touch ID is against the compliance we ensure customers. Also it is unsure if this is compliant with GDPR (because encryption keys are insufficiently secured), which might result in fines up to 10.000.000 EUR (about 11.000.000 USD).

    It is the same problem with 1Password. I don't get why this is still a thing. At the moment I am simply using multiple password managers.

    I hoped to be able to store everything in the same place. These features should not be so difficult to implement!
    Why is this no problem for everyone?

    • Like 1
  9. This is so bad, because secondary vaults would be ideal to store crypto seeds, client information... so information that is extremely critical.

    When its key is stored in the primary vault, this means it can be accessed with PIN or Touch ID. Which is not secure (and in a lot of cases infringes compliance rules like ISO norms and GDPR).

  10. Hello, I want to buy Enpass Premium to be able to have multiple vaults.

    My question is: is it possible not to store the password of the secondary vault in the primary vault?
    I don't need any auto-unlock features. Entering the password every time is perfectly fine.

    This page indicates this is default:

    "When you create multiple vaults, the passwords of other vaults are stored securely in the Primary vault and are removed when you delete the vault. That’s why when you unlock Enpass, all the vaults get unlocked automatically." - https://www.enpass.io/docs/manual-desktop/vault.html#vaults-in-enpass

    Can this be changed?

    I need different vaults for work and private. I don't want any auto-unlock features or stored passwords for my work data.
