Enpass Discussion Forum

Ivarson

Members · Posts: 173 · Days Won: 36

Everything posted by Ivarson

  1. Today when I launched Enpass (latest beta) on my PC running Windows 10 Creators Update, Enpass showed me the welcome dialog all of a sudden: new user or restore existing database. My wallet resides on a removable drive, having only a mount point, not a drive letter. I immediately checked that the drive was mounted at the expected path and that it was accessible. I relaunched Enpass but still the dialog appeared. As soon as I hit restore database, the wallet and its sync copy vanished from the USB drive. No harm done since I've got cloud backup, but I don't get why it didn't recognize the existing database. The registry key for ChangedLocation was present and correct in HKCU.
  2. Just wanted to get a hint on how everybody else is using Enpass and at the same time show my setup. I use a USB wristband for portability. I've got one layer of BitLocker (AES-128 auto-unlock with TPM) and within that the walletx with its own AES-256. Instead of the Enpass Portable I've got Enpass desktop installed on my three PCs pointing to a USB drive. That way I split up meta settings for Enpass in the registry and the vault on a removable drive. Also, when frequently synchronizing, the performance is better when executables that aren't secret reside on a local drive. I use cloud sync, so local backup isn't necessary. I only mount the USB stick and vault when required, and never run Enpass in the background. Critical secrets like Google or Microsoft are not stored in the vault, only their TOTP.
  3. Of course, maybe I was a bit misleading. The point is that Enpass doesn't do security validation on the URLs you're doing autofill on. That's part of the reason the devs require the user to hit autofill via the hotkey or plugin button. The security has to lie in you, your OS and the browser. Like when you visit your home router at "192.168.x.1", which of course isn't even a DNS name. At best, you've got a self-signed certificate which the browser hopefully warns you about. That does encrypt the traffic but doesn't ensure the identity of the router. Enpass doesn't care though, neither should it IMHO.
  4. Spoofing a site to Enpass should be easy, because it's not built to _verify_ the identity of a host, only to filter out a match that's as accurate as possible. Always check the certificate and hostname before using autofill.
  5. Some suggestions for the mobile apps: Scan barcodes/QRs. Generate those codes back as a fullscreen image, to show in the store etc. Scan NFC tags. Export a secret to another NFC host? Wouldn't that be a cool offline way to share a secret with someone? In Android, let Enpass be a target in the "Share to" menu for text strings and numbers. Themes, c'mon.. light/dark at least, you did it in the UWP app ;-) In the Android Wear app, if only one field is shown on the watch, increase that one text string and center it, like you do on TOTP when shown in the Wear app.
  6. This is the reason why there's a much-read thread regarding security audit in this very section. :-)
  7. @Hemant Kumar great news indeed! Thanks!
  8. Good stuff. Now that attachments can be added to a record, it would be nice being able to search for attachments and sort results by size, if I quickly want to reduce the size of the wallet by removing the biggest attachment.
  9. Agree. The fact that sync is available for free too makes it very usable. I'd really like to see some report of a security audit though, but I don't doubt the devs when they say it's pricey... The common Enpass user probably buys the mobile app for their corresponding platform, which is about the same price as a 1-year subscription for other products.. I did actually buy the Windows Store app mostly to support Enpass; the product doesn't replace the desktop version and it doesn't really offer that much functionality other than Windows Hello support, but I feel like I support the team both economically and by supplying feedback for additional platforms..
  10. I think much of it depends on her skills with IT and whether she'll use Enpass in daily life. If she's totally green on computers in general you wouldn't want her to worry about a relatively small piece of software working on a specific device/OS the day you pass on. Maybe store stuff in Enpass and do regular export printouts to paper and lock those in a safe? If she's into IT like you though (but just not accustomed to keeping records of passwords) then sure, go ahead keeping them digitized and encrypted. As you said yourself, maybe static information like bank accounts and insurance docs doesn't need to roam over devices like logins tend to do with syncing. Other than Enpass, there's of course a multitude of software for this. What if you want to store some scanned documents in PDF format, or other pictures or files in the "wallet"? Enpass is not a file container in that sense; it's a database/record-oriented solution which on the other hand makes cataloging, syncing and searching easy and less error-prone. A software like VeraCrypt (derivative of TrueCrypt) lets you store anything inside it and is also cross-platform and available as a portable edition. With VeraCrypt you can also require a specific file to be available to open the vault. So theoretically you can store that key file on a USB drive (and wear it around your neck or lock it in), telling her that file is needed to access the main vault.
  11. My 2 cents... That is an essential question. Colocation of sensitive information into one place with added security is generally what you do with most of your secrets or valuables such as passwords, credit cards (in the wallet) or money (the bank :-)). The main problem today is that passwords as a single authentication challenge are too vague. Too often, they're not properly protected at the site storing them. As a quantifier, we often re-use them, so gaining access to an email + password at a website many times gives access to 10 other sites. A password manager sorta moves the issue from having one password stored at 100 locations into having it stored at 1 (with a master password). The issue isn't entirely solved, but at least you've compensated for those forums that didn't run security updates since 2014 and are affected by Heartbleed, POODLE and whatnot. So you won't need to panic about public password dumps like those on Flashback.org and immediately visit https://haveibeenpwned.com/ What I like about Enpass is: I can place these secrets wherever I want, on any disk, any site, cloud, removable media etc. I'm not bound to store them where "thieves" start looking. I'm not forced to bundle 100% of my credentials in ONE wallet file. I can choose to place some less-sensitive secrets in one wallet which I sync, and other critical stuff in an offline location like a removable drive or a disc which isn't even mounted other than when I actually need it. Having said that, there are LOTS of factors that come into play. Is the master password a sufficient challenge to access all my stuff, or do I require another factor (2FA)? A peek over your shoulder is enough for someone to gain access to all stuff, if they gain access to the wallet. A keyboard logger can easily be snuck into the back of a workstation. Heck, KeySweeper doesn't even require a physical connection to your computer to intercept keystrokes from a wireless Microsoft keyboard.
Storing a second authentication factor ALONG with the first one in the same place generally defeats the purpose, at least partially. Use wisely. What are the consequences if my wallet gets compromised? Can I recover or will my life be over? (e.g. I never store the credentials for my primary email anywhere, since that in the wrong hands with "forgot my password" would result in access to any account, theoretically.) Many people today stare themselves blind at the level of encryption: "Oh it's AES-256, that's military grade so it's safe, period, the competitor is just using 128 bits!". Sure, the encryption implementation is of essence, but it's not "period". A simple comparison instruction could potentially be swapped by a skilled reverse engineer to set security aside (I'm not implying anything specific to Enpass here). I'm just saying that often, security mechanisms aren't broken by brute force, they're simply bypassed. Do I NEED to store the PIN for my credit card in a password manager? I remembered it just fine prior to using any password manager, so why should I store it outside my head? IMHO, there's simply a balance between security and usability, between wisdom and stupidity, but it's individual. Sorry for the.. hefty content.
  12. Mail sent (for participation in Swedish translation)
  13. The Edge plugin roadmap can be followed here https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/extensions/api-support/extension-api-roadmap/ No plans for loopback connectivity, but a "consideration" to be able to download files programmatically via plugin. Maybe the plugin could perform all necessary operations itself directly on the wallet? Either from the original wallet file or a network share as given the option in Sync options, or one downloaded from a cloud provider, fetched by the plugin itself. Having the plugin perform updates to the wallet such as changing password records might be overkill; one could do that stuff in native clients, having it immediately synced by the plugin. Would be neat to hear the devs' view on this.
  14. Not the same, no. Although the differences are indeed being smoothed out with client-side hashing/encryption for LastPass etc. But when using Enpass, even if I use Google Drive, I can rest assured that it's just being used as a "dumb transport service", that is, Google never has a clue of the content of the file, but I can be assured that the file is available given the stability of Google's service in general. (I did use a local ownCloud instance first, but it felt overkill to dedicate a virtual ownCloud machine solely to a wallet file for Enpass :-) One thing which indeed is intriguing, maybe that's what you meant in the first place. Wouldn't it be possible for devs here to write an Edge plugin, with the ability to open a wallet directly from a cloud provider? That is, an Edge plugin which pretty much acts like a complete Enpass client itself. In that case, I as a Win10 user and UWP app customer would only need the UWP app and the Edge app, not the desktop version.
  15. Read above. Edge, along with its UWP platform, does its best to isolate apps from reaching other apps or processes running on the same machine (loopback), for security concerns mainly. LastPass and others have their users connect to their cloud to access secrets, hence no loopback communication, so no issue with Network Isolation in UWP.
  16. +1 If you choose not to share the source, it's sorta up to you to pay some third party to review the code under NDA. And as Gili said, no one expects recurring audits. It's mostly, or at least, about customers needing to know that you've implemented cryptography in an acceptable way and of course that there are no additional ways into a running process of Enpass.
  17. Along with open sourcing and external audits, which have already been asked for, I'd really like to be able to opt out of Google Analytics and (other?) tracking mechanisms. This is a password vault; it feels sorta creepy.
  18. Thank you guys for the portable version, great work! I'm actually thinking about dropping the desktop version on my two Win PCs for this one, in addition to the phone app. Here's my wishlist: 1. In enpass.conf, my WebDAV URL is in cleartext; since I host it at home, I'd like the URL to be encoded in case the USB drive is lost. Is that possible? (For now, I enabled BitLocker on the drive to hide such meta info.) 2. I'd like a fast option to launch Enpass Portable with my wallet. In most cases, the wallet will reside next to the executable on the USB stick, so I'd want to be able to hardcode a path like " .\ " (working directory or execution path). Obviously tried it but there seemed to be a bug: "ChangedLocationPath=".SubtitleVisible=true"" appeared instead :-) edit: That is, I'd like the working directory to be pre-selected, skipping the "browse" and "recent" dialog. Thanks! edit 2: In addition, the Recent dialog won't allow me to use TabStop and select the stored path of the wallet file; I have to use the mouse to point'n'click. I navigate between apps mostly with keyboard and shortcuts, and being forced to use the mouse is an extra moment in launching the app :-)
  19. It's not quite up to team Enpass. "Network isolation" has been a "feature" of RT/UWP since Win 8. The beta version of Enpass and its related plugin for Edge work fine if you create a local exception, but if there is ANY app you wouldn't want to loosen security on, it's a web browser. The only thing that sorta bugs me is why you (Enpass devs) promised a release. Were you taken by surprise to hear that exceptions for network isolation were meant only for debug and development, or have you heard from MS that they have plans to allow it in production / store apps?
  20. I like the TOTP feature. For my primary email I only store the TOTP in Enpass, not the password (which is unique from other passwords but not as complex, so I have no trouble memorizing it). If my email provider didn't support TOTP I'd never store its single-factor password in any password manager; the "forgot your password" feature on all other accounts would sorta break the security completely IMHO.