
Hemant Kumar

Enpass team member

Hemant Kumar last won the day on August 24

Hemant Kumar had the most liked content!

Community Reputation

48 Excellent

About Hemant Kumar

  • Rank
    Advanced Member
  1. Custom logos and templates

    Hello @DaLass We can understand how eagerly you must have been waiting for custom icons by now, and I really appreciate your patience. We take every feature request very seriously and are working on it along with a huge list of other features, and for that we are rewriting Enpass on all platforms for Enpass 6. It is an immense task and will take some more time, but we assure you that you are going to like and praise it a lot. Thanks for your understanding!!
  2. Security concern

    Hi @MatMaul, as soon as Enpass is locked, the SQLCipher database is closed and requires the master password to unlock. In the case of a PIN, the database stays open but Enpass restricts any GUI access, and once you enter a wrong PIN the database is closed again, requiring the master password.
  3. Security concern

    Hi @Bill Rossum We really appreciate the time you have taken for these findings about Enpass. We certainly do clear memory wherever it is possible, but we can't clear the memory of objects we do not own, i.e. objects created internally by other libraries that Enpass is using and being displayed to you by HxD, mainly:

    1. SQLCipher -> Results of queries are not zeroed out by the underlying sqlite code, so you are seeing JSON littering.
    2. GUI toolkits -> Enpass heavily uses the Qt framework (www.qt.io), which makes it possible for us to provide Enpass on Windows, Mac and Linux. We have no control over the toolkit objects' internal memory allocations.

    This is one of the main reasons why we are refactoring Enpass and writing it from scratch for the next major release, where the whole core is being written in C/C++, offering greater control over memory (locking, zeroing etc.) and internal objects' lifespan. And the final verdict is that a password manager can't be more secure than the underlying OS. If the OS is set to allow any process to peek into other processes' memory, there is very little a password manager can do. If someone can install malware to spy on your system's memory, it means he has that much control over the target OS that he can circumvent every protection of any password manager, for example by installing a keylogger, replacing the whole Enpass binary etc. Thanks again for putting up this discussion here.
  4. Security audit

    Hello guys, I truly understand the concern of all of you regarding the third party audit. But as I said in my last post, getting the third party audit done for the current architecture will no longer be useful after the next major release, which supports multiple vaults with a new architecture. So please bear with us until the next major version is ready for our lovely users (under development). Thanks for your understanding!
  5. Security audit

    Hi @Thomas Was Alone, We would plan for the Security Audit after the next major release, i.e. Enpass 6, as that would have a fat list of features worthy enough of a security audit. Please bear with us.
  6. Copy and paste in sequence

    Hi @bjorkblom, The already planned Auto-type feature might be useful here.
  7. Separate password for cloud sync

    Hi @gmaddry, That means the file on the cloud would be encrypted with a stronger password which the user won't be able to restore on another device without providing that stronger (probably unknown, if auto-generated) password, and this whole scenario would be very confusing for some users. The best and most secure way out is to use a strong master password. Cheers!
  8. Security audit

    Hi @GENO, To make Enpass more efficient for coming features, we have decided to refactor it and then go for a third party audit. At this moment, I can't assure you of any ETA, but this is the next thing we have targeted after attachments. Cheers!
  9. Account Security

    Hi @ericchaffey, Thanks for writing to us with your concern, and thanks to all the security researchers who spent their time finding the flaws. Out of all the vulnerabilities mentioned by the researchers, only the following two slightly affect the security of using Enpass, and we will fix them in the next update.

    HTTP URL by default. In any item's URL field, if the user hasn't mentioned the protocol, then clicking on the URL from the details page will open the link using the 'http' protocol. Please add the https:// prefix to your URLs explicitly until a fix is available.

    Subdomain password leakage. To be on the safer side, we autofill on a website only after you select an item manually, and we check that the domain name of the URL matches the item URL. But this still affects Enpass on Android while autofilling on websites where a subdomain can be obtained publicly, e.g. wordpress.com. To avoid this situation on Android, we will add a "Match URL hostname" setting like in our desktop versions. Till then we advise you to be extra cautious while autofilling on such sites.

    None of the other bugs affects Enpass. But I would like to explicitly mention that Enpass is also not affected by some of the nasty bugs found by them.

    Insecure credential storage in the app's private folder. Your data is 100% encrypted with Enpass, and neither your master password nor the derived password is stored anywhere in plaintext or encrypted using a hardcoded key. In case you enable fingerprint to unlock your database, your master password is stored securely by the Android OS itself. Read more about how we store it in Android.

    Read private data from the app folder. We do not allow file:/// URLs to be opened in our built-in browser, so there is no question of an attacker getting hold of any file from the private data folder.

    Once again, I thank you for writing to us with your doubts and I hope this helps. Cheers!
  10. Field References

    Hello @EasilyAmused, Thanks a lot for loving Enpass and sharing your experience. Sharing fields among various items is indeed a good feature and can really save a lot of time when you have to keep multiple items with the same credentials, like various Microsoft and Google service accounts, or various bank accounts having multiple debit cards but the same login credentials. We have noted it in our roadmap to introduce in a future version. In fact, as they all belong to the same account, for now in Enpass you can create a single item with multiple URL fields (one for each service), with a must-have field holding the login URL for autofilling, i.e. accounts.google.com for Google services, as login to all their services is done through the same page. Keep using Enpass and sending all your suggestions and feedback to help us in the overall improvement of Enpass. Cheers!
  11. Security audit

    Hello, everybody! I truly understand your concern about software holding critical information not being open sourced or audited by any credible third party agency. Well guys, thanks for all your comments, and we've decided to get a third party audit of Enpass. But all we need is just some more time, as after the upcoming release of Attachments (the beta is already there), we'll work on some key features like multiple vaults, which need a refactoring of the core engine, and I think that would be the best time to go for an audit, all at once. Till then, please bear with us; all I ask for is your co-operation. Cheers!
  12. Hi @7Bit Thanks for writing in. Sorry for the misunderstanding. I was talking about the general cause which we have observed with many users, where we found that the antivirus was blocking the connection silently. Though there was also an issue where the extension shows a connection error, but only when the Enpass app was started after the error had been displayed and the Enpass app hadn't come to the foreground. We have fixed this issue here, and the release of this update for the extensions is due soon. Just to make sure, I would like to ask if the Enpass app is running in the background the moment you try to autofill. Maybe you have hit the close button of the main Enpass window, quitting the app and thus losing the connection between the extension and the app. If this is so, Enpass is working as expected, because the main app must always be running to let the browser extension autofill. In that case, there is an option in Enpass settings to keep it running in the background by minimizing it to the system tray. Also you can set Enpass to auto-run on system startup so that you don't have to manually start it every time the system starts. But if you're doing it with the main Enpass app running and still facing the issues, then there could be some deep-lying bug which we need to investigate with higher priority. And in that case we might need your help with some queries to reproduce the issue here in our lab, as we are unable to reproduce it here on systems with Windows 10 and AVG. Thanks for your co-operation!
  13. Hi @Essex I can understand the inconvenience caused to you while connecting Enpass with the Chrome browser. The thread where you posted has been merged here, as it discusses the same issue. The connection issue with the browser (on some systems) may be because of the architecture of Enpass, and in that case it can't be considered a bug in Enpass; the issue could be due to the configuration of antivirus, firewall or proxy on the user's system. Actually, being an offline password manager, Enpass works differently from online PMs, whose extension communicates directly with their servers through the internet, while the Enpass extension communicates with the main Enpass app locally through web sockets over localhost (without your data actually being sent outside through the internet). And generally the Enpass extension successfully connects with the main app, but on some systems the configuration of the firewall, antivirus or proxy might block or interrupt the communication, and the user has to grant access to that connection explicitly. Also, you don't need to worry about the security of your data with Enpass. We are very committed to the performance of Enpass and take any issue very seriously, and so far, due to the offline nature of Enpass, no such security flaw has been encountered in Enpass. One thing we can assure you of is our commitment and support for Enpass. So please check and let us know if you're behind any firewall or proxy, so that we can help you in resolving the connection problem. As always, with affection. Cheers!
  14. Password generator open source?

    Hi, guys! Thanks for writing in. This year we have plans to refactor Enpass, and we are also considering open sourcing a few components (those which do not conflict with our business interests), including the password generator. Cheers!
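The two fixes promised in the "Account Security" post above (item 9), defaulting a scheme-less URL to https and a strict "Match URL hostname" autofill check, as an added illustration that is not Enpass code; the stored item and the loose, last-two-labels comparison are constructed here to show why matching on the registrable domain leaks a wordpress.com login to any publicly obtainable subdomain.

```python
from urllib.parse import urlsplit

# Constructed stored item, saved the way a user would type it (no scheme).
STORED_ITEM = {"title": "WordPress", "url": "wordpress.com", "username": "alice"}


def normalize_url(raw: str) -> str:
    """Prepend https:// when no scheme was typed, instead of falling back to http."""
    raw = raw.strip()
    return raw if "://" in raw else "https://" + raw


def hostname(raw: str) -> str:
    """Lower-cased hostname of a URL, without port or trailing dot; '' if absent."""
    host = urlsplit(normalize_url(raw)).hostname or ""
    return host.lower().rstrip(".")


def loose_match(item_url: str, page_url: str) -> bool:
    """Weak check: compare only the last two labels (a naive stand-in for
    eTLD+1; a real implementation would consult the Public Suffix List).
    attacker.wordpress.com passes this for an item saved for wordpress.com,
    which is exactly the subdomain leakage the post describes."""
    def base(host: str) -> str:
        return ".".join(host.split(".")[-2:])
    i, p = hostname(item_url), hostname(page_url)
    return bool(i and p) and base(i) == base(p)


def strict_match(item_url: str, page_url: str) -> bool:
    """'Match URL hostname': the page host must equal the item host exactly."""
    i, p = hostname(item_url), hostname(page_url)
    return bool(i and p) and i == p


def may_autofill(item: dict, page_url: str, match_hostname: bool = True) -> bool:
    """Autofill decision for one stored item against the URL the browser reports."""
    check = strict_match if match_hostname else loose_match
    return check(item["url"], page_url)


if __name__ == "__main__":
    for page in ("https://wordpress.com/wp-login.php",
                 "https://attacker.wordpress.com/login"):
        print(page,
              "loose:", may_autofill(STORED_ITEM, page, match_hostname=False),
              "strict:", may_autofill(STORED_ITEM, page))
```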