Jump to content

Hemant Kumar

Enpass team member
  • Content count

    95
  • Joined

  • Last visited

  • Days Won

    23

Hemant Kumar last won the day on August 24 2017

Hemant Kumar had the most liked content!

Community Reputation

49 Excellent

About Hemant Kumar

  • Rank
    Advanced Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Hemant Kumar

    Security audit

    We are on it and the audit will start with the final Betas of Enpass. We assure you that the final release in the market will be duly audited. Thanks a lot for your patience and understanding.
  2. Hemant Kumar

    Security audit

    Hey guys, We understand that security audit of Enpass has grown significant mass and holds the first priority for all of us. The frequency of comments on this post has become an occasional topic of conversation here pushing us to deliver the beta of Enpass 6 as soon as possible. As I mentioned previously, the best way to audit Enpass would be for the new architecture only because doing it for the current version shall all be in vain. No excuse that we are late in releasing the Enpass 6 but that was due to some unavoidable issues and feature updates. Your best wishes for good luck are what we need always but nothing is more painful than parting from you. All I can say at the moment is to please wait for some more time as the New avatar of Enpass is on the way. Thanks a lot for your understanding!
  3. Hemant Kumar

    Data Security of Enpass in times of Meltdown and Spectre

    Hi @Vincent Thanks a lot for your time and efforts for a delineated feedback. There is no point in getting offended by your post though I really appreciate that. Security of data is the utmost priority for us and what I meant with my statement was that if the OS is compromised, there is less left for a password manager to protect the user's data from malware, key-loggers which can together steal both the master password and data. I also agree with you for having the maximum added protection. The rewriting of the core is something which is required not only for the purpose of security (though this is the major reason) but also to add more functionalities with best possible UX to support multiple vaults and other most-in-demand features. By rewriting, I didn't mean ditching the used open source technologies rather I meant restructuring the architecture and the way of interaction between UI and SQLCipher. The development of new core has already been done considering all the security aspects; memory encryption and storage in memory, and we are now working on implementing it across the platforms. I agree that the release has been delayed but we are on it. We have also considered Security Audit by third party and I assure that you will definitely like the improvements and the design. This is all I can say for now. Cheers!
  4. Hemant Kumar

    Spectre and Meltdown

    Spectre and Meltdown are the recently disclosed, critical processor flaws affecting the security of data at the very basic level of computing system. All the major operating systems and the cloud service providers are sliding in the very required updates to patch againts these flaws. Being an Enpass user, rest assured from the data point of view. If someone is able to steal your data residing on your cloud or your device it is meaningless and pure gibberish for him without your master password. The safety of your master password is the safety of your data. It is the operating system which works in conjuction with the processor and memory to protects all the apps and processes running inside it from any kind of unauthorized access by another process. So if any malware can exploit these flaws to access data of another process or memory space, there is very less for the genuine software to protect itself. The same way, it's not wrong to say that here is nothing from our side to provide in terms of fix(s). As a user of any software, and to protect your confidential data inside it, you have to be very careful to guard your system from entry of malware inside it. First thing here is to install all the necessary updates from your OS provider and make sure you install them from their trusted channels only. In the same way install the software from the default store or the provider's website only. Don't get panic and land yourselves into installtion of any malware/scareware from unauthorized sources, faking you to protect your system from any unanticipated vulnerabilities.
  5. Hemant Kumar

    Custom logos and templates

    Hello @DaLass We can understand how eagerly you must have been waiting for custom icons now and I really appreciate your patience. We really take every feature request very seriously and are working on it along with a huge list of other features, and for that we are rewriting the Enpass on all the platforms for Enpass 6. It is an immense task to do and will take some more time but we assure you that you gonna like and praise it a lot. Thanks for your understanding!!
  6. Hemant Kumar

    Security concern

    Hi @MatMaul, as soon as the Enpass is locked, the SQLCipher database gets closed and requires master password to unlock. In case of PIN, the database stays open but Enpass will restrict any GUI access and once you enter a wrong PIN the database will be closed again requiring the master password.
  7. Hemant Kumar

    Security concern

    Hi @Bill Rossum We really appreciate your time taken for these findings about Enpass. We certainly do clear memory where ever it is possible but we can't clear the memory of objects we do not own, i.e. objects created internally by other libraries those Enpass is using and being displayed to you by HxD, mainly: 1. SQLCipher -> Result of queries are not zeroed out by underlaying sqlite code, so you are seeing json littering. 2. GUI Toolkits -> Enpass heavily uses Qt framework (www.qt.io), which makes us possible to provide Enpass on Windows, Mac and Linux. We have no control over Toolkit objects internal memory allocations. This is one of the main reason why we are refactoring Enpass and writing it from scratch for next major release where the whole core is being written in C/C++ offering a greater control over memory (locking, zeroing etc) and internal objects' lifespan. And the final verdict is a password manager can't be more secure than underlaying OS. If OS is set to allow any process to peek into other process' memory, there is very little a password manager can do.  If someone can install a malware to spy your system's memory it means he has that much control over the target OS that he can circumvent every protection of any password manager, for example by installing keylogger, replacing the whole Enpass binary etc. Thanks again for putting up this discussion here.
  8. Hemant Kumar

    Security audit

    Hello guys, I truly understand concern of all you guys regarding the third party audit. But as I said in my last post that getting the third party audit done for the current architecture will no longer be useful after the next major release, supporting multiple vaults with new architecture. So please bear with us until the next major version is ready for our lovely users (under development). Thanks for your understanding!
  9. Hemant Kumar

    Security audit

    Hi @Thomas Was Alone, We would plan for the Security Audit after the Next major release i.e. Enpass 6 as that would have a fat list of features worthy enough for security audit. Please bear with us.
  10. Hemant Kumar

    Copy and paste in sequence

    Hi @bjorkblom, The already planned, Auto-type feature might be useful here.
  11. Hemant Kumar

    Importing TOTP/OTP usually fails

    Hi @Yogi, Was fixed in ver 5.5.2.
  12. Hemant Kumar

    Separate password for cloud sync

    Hi @gmaddry, That means the file on cloud would be encrypted with a stronger password which user won't be able to restore on another device without providing that stronger (probably unknown, if auto generated), and this whole scenario would be very confusing for some users. The best and most secure way out is to use a strong master password. Cheers!
  13. Hemant Kumar

    Security audit

    Hi @GENO, To make Enpass more efficient for coming features, we have decided to refactor it and then will go for Third party Audit. At this moment, I can't assure you of any ETA but this is the next thing we have targeted after attachments. Cheers!
  14. Hemant Kumar

    Account Security

    Hi @ericchaffey, Thanks for writing to us with your concern and thanks to all the security researchers who spent their time in finding the flaws. Out of all the vulnerabilities mentioned by researchers only the following two are slightly affecting the security while using Enpass and we will fix them in next update. HTTP URL by default. In any item's URL field, if the user hasn't mentioned the protocol, then clicking on the URL from details page will open the link using 'http' protocol. Please add https:// prefix to your urls explicitly until a fix is available. Subdomain password leakage. To be on safer side, we do autofill in a website only after you select a item manually and we do check domain name of the url to be matched against item url. But this still affects Enpass on Android while autofillig on the websites where a subdomain can be obtained publicly i.e. wordpress.com. To avoid this situation in Android, we will add a setting as Match URL hostname like in our desktop versions. Till than we advice you to be extra cautious while autofilling in such sites. None of the other bug affects Enpass. But I would like to exclusively mention that Enpass is also not affected by some of the nasty bugs found by them. Insecure credential storage in app's private folder. Your data is 100% encrypted with Enpass and neither your master password nor derived password is stored anywhere in plaintext or encrypted using a hardcoded key. In case you enable fingerprint to unlock your database your master password is stored securely by Android OS itself. Read more about how we store it in Android. Read Private Data From App folder. We do not allow file:/// urls to be opened in our built-in browser, so there is no question a attacker can get hold of any file from private data folder. Once again, I thank you for writing to us with your doubts and I hope this helps. Cheers!
  15. Hemant Kumar

    Field References

    Hello @EasilyAmused, Thanks a lot for loving Enpass and sharing your experience. Sharing of fields among various items is indeed a good feature and can really save a lot of time when you have to keep multiple items with same credentials like various Microsoft and Google services accounts or there could be various bank accounts having multiple debit cards but same login credentials. We have noted it in our roadmap to introduce in any of future versions. In fact, all they belong to same account, so for now in Enpass you can create a single item with multiple URL fields (one for each service), with a must-have field with login URL for autofilling i.e accounts.google.com for Google services as login to all their services is done through same page. Keep using Enpass with all your suggestions and feedback to help us in overall improvement of Enpass. Cheers!
×