Hemant Kumar

Enpass team member
  • Content count: 93
  • Days Won: 23
  • Community Reputation: 49 Excellent
  • Rank: Advanced Member

Hemant Kumar last won the day on August 24 2017

Hemant Kumar had the most liked content!

About Hemant Kumar
  1. Data Security of Enpass in times of Meltdown and Spectre

    Hi @Vincent, Thanks a lot for your time and effort in giving such detailed feedback. There is no point in getting offended by your post, though I really appreciate it. Security of data is the utmost priority for us, and what I meant with my statement was that if the OS is compromised, there is little left for a password manager to do to protect the user's data from malware and keyloggers, which together can steal both the master password and the data. I also agree with you about having the maximum added protection. The rewriting of the core is something which is required not only for the purpose of security (though this is the major reason) but also to add more functionality with the best possible UX, to support multiple vaults and other most-in-demand features. By rewriting, I didn't mean ditching the open-source technologies we use; rather, I meant restructuring the architecture and the way the UI interacts with SQLCipher. The development of the new core has already been done considering all the security aspects, memory encryption and in-memory storage, and we are now working on implementing it across the platforms. I agree that the release has been delayed, but we are on it. We have also considered a security audit by a third party, and I assure you that you will definitely like the improvements and the design. This is all I can say for now. Cheers!
  2. Spectre and Meltdown

    Spectre and Meltdown are the recently disclosed critical processor flaws affecting the security of data at the most basic level of a computing system. All the major operating systems and cloud service providers are pushing out the required updates to patch against these flaws. As an Enpass user, rest assured from the data point of view: if someone is able to steal your data residing on your cloud or your device, it is meaningless, pure gibberish, to them without your master password. The safety of your master password is the safety of your data. It is the operating system which works in conjunction with the processor and memory to protect all the apps and processes running inside it from any kind of unauthorized access by another process. So if any malware can exploit these flaws to access the data or memory space of another process, there is very little the genuine software can do to protect itself. In the same way, it is not wrong to say that there is nothing from our side to provide in terms of a fix. As a user of any software, and to protect your confidential data inside it, you have to be very careful to guard your system against malware getting into it. First, install all the necessary updates from your OS provider, and make sure you install them from their trusted channels only. In the same way, install software only from the default store or the provider's website. Don't panic and land yourself in installing malware/scareware from unauthorized sources that pretends to protect your system from unanticipated vulnerabilities.
  3. Custom logos and templates

    Hello @DaLass, We understand how eagerly you must have been waiting for custom icons, and I really appreciate your patience. We take every feature request very seriously and are working on it along with a huge list of other features, and for that we are rewriting Enpass on all platforms for Enpass 6. It is an immense task and will take some more time, but we assure you that you are going to like and praise it a lot. Thanks for your understanding!
  4. Security concern

    Hi @MatMaul, as soon as Enpass is locked, the SQLCipher database gets closed and requires the master password to unlock. In the case of a PIN, the database stays open but Enpass restricts any GUI access, and once you enter a wrong PIN the database is closed again, requiring the master password.
  5. Security concern

    Hi @Bill Rossum, We really appreciate the time you have taken for these findings about Enpass. We certainly do clear memory wherever it is possible, but we can't clear the memory of objects we do not own, i.e. objects created internally by the other libraries Enpass is using, which are being displayed to you by HxD, mainly:
    1. SQLCipher: the results of queries are not zeroed out by the underlying SQLite code, so you are seeing JSON littering.
    2. GUI toolkits: Enpass heavily uses the Qt framework (www.qt.io), which makes it possible for us to provide Enpass on Windows, Mac and Linux. We have no control over the toolkit objects' internal memory allocations.
    This is one of the main reasons why we are refactoring Enpass and writing it from scratch for the next major release, where the whole core is being written in C/C++, offering greater control over memory (locking, zeroing etc.) and internal objects' lifespan. And the final verdict is that a password manager can't be more secure than the underlying OS. If the OS is set to allow any process to peek into another process's memory, there is very little a password manager can do. If someone can install malware to spy on your system's memory, it means they have so much control over the target OS that they can circumvent every protection of any password manager, for example by installing a keylogger, replacing the whole Enpass binary, etc. Thanks again for putting up this discussion here.
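The two posts above (the PIN-versus-master-password lock behaviour, and zeroing and locking the memory the application owns) can be shown together in one small model. The code below is an added example written for this page; it is not Enpass code and does not describe how Enpass implements its core. The vault struct, the state names, and derive_key() are all hypothetical, and derive_key() is only a stand-in for a real KDF such as PBKDF2 or Argon2. It uses POSIX mlock() to keep the key page out of swap and tolerates mlock() failing (RLIMIT_MEMLOCK), and it zeroes through a volatile pointer so the compiler cannot discard the wipe as a dead store, which is the point the post makes about owning the memory you want to clear.

```c
/* Added example (not Enpass code): minimal model of the lock behaviour
 * described above. The application owns the derived key and the PIN, so it
 * can zero them itself. derive_key() is a hypothetical stand-in for a KDF. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32
#define PIN_MAX 8

enum vault_state { VAULT_LOCKED, VAULT_UNLOCKED, VAULT_PIN_LOCKED };

struct vault {
    enum vault_state state;
    uint8_t key[KEY_LEN];   /* database key; meaningful only when not VAULT_LOCKED */
    char pin[PIN_MAX];      /* PIN while the GUI is gated; zeroed on full lock */
    int key_mlocked;        /* 1 if mlock() on the key succeeded */
};

/* Zero through a volatile pointer so the stores cannot be optimised away
 * (a plain memset() right before free/return routinely is). */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Constant-time equality over fixed-length buffers (no early exit). */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical KDF stand-in; NOT a secure derivation. */
static void derive_key(const char *master, uint8_t out[KEY_LEN])
{
    size_t len = strlen(master);
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (uint8_t)((unsigned char)master[i % len] ^ (uint8_t)(i * 31 + 7));
}

/* Master-password unlock: derive the key and pin its page in RAM. */
static void vault_unlock(struct vault *v, const char *master)
{
    derive_key(master, v->key);
    v->key_mlocked = (mlock(v->key, KEY_LEN) == 0);   /* failure tolerated */
    v->state = VAULT_UNLOCKED;
}

/* Full lock: database closed, key wiped; only the master password reopens it. */
static void vault_lock(struct vault *v)
{
    secure_zero(v->key, KEY_LEN);
    if (v->key_mlocked) {
        munlock(v->key, KEY_LEN);
        v->key_mlocked = 0;
    }
    secure_zero(v->pin, PIN_MAX);
    v->state = VAULT_LOCKED;
}

/* PIN lock: GUI gated, but the key stays resident in memory. */
static void vault_pin_lock(struct vault *v, const char *pin)
{
    size_t n = strlen(pin);
    if (n > PIN_MAX - 1) n = PIN_MAX - 1;
    memset(v->pin, 0, PIN_MAX);
    memcpy(v->pin, pin, n);
    v->state = VAULT_PIN_LOCKED;
}

/* Correct PIN restores GUI access; a wrong PIN degrades to a full lock. */
static int vault_pin_unlock(struct vault *v, const char *pin)
{
    char entered[PIN_MAX] = {0};
    size_t n = strlen(pin);
    if (v->state != VAULT_PIN_LOCKED) return 0;
    if (n > PIN_MAX - 1) n = PIN_MAX - 1;
    memcpy(entered, pin, n);
    if (ct_equal((const uint8_t *)v->pin, (const uint8_t *)entered, PIN_MAX)) {
        v->state = VAULT_UNLOCKED;
        return 1;
    }
    vault_lock(v);
    return 0;
}

/* 1 if every byte of the key is zero (verifies the wipe). */
static int vault_key_is_zero(const struct vault *v)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= v->key[i];
    return acc == 0;
}

/* Walks the sequence from the posts; returns 1 if every state matches. */
static int lock_sequence_check(void)
{
    struct vault v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, "correct horse battery staple");
    if (v.state != VAULT_UNLOCKED || vault_key_is_zero(&v)) return 0;
    vault_pin_lock(&v, "1234");
    if (vault_pin_unlock(&v, "1234") != 1 || v.state != VAULT_UNLOCKED) return 0;
    vault_pin_lock(&v, "1234");
    if (v.state != VAULT_PIN_LOCKED || vault_key_is_zero(&v)) return 0; /* key still resident */
    if (vault_pin_unlock(&v, "0000") != 0) return 0;                   /* wrong PIN */
    if (v.state != VAULT_LOCKED || !vault_key_is_zero(&v)) return 0;   /* key wiped */
    return vault_pin_unlock(&v, "1234") == 0;                          /* PIN no longer accepted */
}

int main(void)
{
    printf("lock sequence %s\n", lock_sequence_check() ? "ok" : "FAILED");
    return 0;
}
```

The check worth noticing is the one in the middle of lock_sequence_check(): while the vault is PIN-locked the key is still in process memory, so PIN lock only protects against someone at the keyboard, not against the memory inspection discussed in the post.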
  6. Security audit

    Hello guys, I truly understand the concern all of you have regarding the third-party audit. But as I said in my last post, getting a third-party audit done for the current architecture will no longer be useful after the next major release, which supports multiple vaults with a new architecture. So please bear with us until the next major version (under development) is ready for our lovely users. Thanks for your understanding!
  7. Security audit

    Hi @Thomas Was Alone, We plan for the security audit after the next major release, i.e. Enpass 6, as that will have a fat list of features worthy enough of a security audit. Please bear with us.
  8. Copy and paste in sequence

    Hi @bjorkblom, The already planned Auto-type feature might be useful here.
  9. Separate password for cloud sync

    Hi @gmaddry, That means the file on the cloud would be encrypted with a stronger password which the user won't be able to restore on another device without providing that stronger (and probably unknown, if auto-generated) password, and this whole scenario would be very confusing for some users. The best and most secure way out is to use a strong master password. Cheers!
  10. Security audit

    Hi @GENO, To make Enpass more efficient for coming features, we have decided to refactor it and then go for a third-party audit. At this moment I can't assure you of any ETA, but this is the next thing we have targeted after attachments. Cheers!
  11. Account Security

    Hi @ericchaffey, Thanks for writing to us with your concern, and thanks to all the security researchers who spent their time finding the flaws. Out of all the vulnerabilities mentioned by the researchers, only the following two slightly affect security while using Enpass, and we will fix them in the next update.
    HTTP URL by default. In any item's URL field, if the user hasn't mentioned the protocol, then clicking on the URL from the details page will open the link using the 'http' protocol. Please add the https:// prefix to your URLs explicitly until a fix is available.
    Subdomain password leakage. To be on the safer side, we only autofill on a website after you select an item manually, and we check that the domain name of the URL matches the item URL. But this still affects Enpass on Android while autofilling on websites where a subdomain can be obtained publicly, i.e. wordpress.com. To avoid this situation on Android, we will add a setting, Match URL hostname, like in our desktop versions. Till then we advise you to be extra cautious while autofilling on such sites.
    None of the other bugs affects Enpass. But I would like to explicitly mention that Enpass is also not affected by some of the nasty bugs found by them.
    Insecure credential storage in the app's private folder. Your data is 100% encrypted with Enpass, and neither your master password nor the derived password is stored anywhere in plaintext or encrypted using a hardcoded key. In case you enable fingerprint to unlock your database, your master password is stored securely by the Android OS itself. Read more about how we store it in Android.
    Read private data from the app folder. We do not allow file:/// URLs to be opened in our built-in browser, so there is no question of an attacker getting hold of any file from the private data folder.
    Once again, I thank you for writing to us with your doubts and I hope this helps. Cheers!
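The two issues in the post above, an http default for scheme-less URLs and autofill matched on the domain rather than the full hostname, are easy to get wrong in the URL handling itself, so here is an added example (written for this page, not Enpass code) that shows both checks. url_with_default_scheme() opens a stored URL that has no scheme over https, and autofill_allowed() is a strict "Match URL hostname" rule placed next to a loose registrable-domain comparison so the wordpress.com leak is visible. All function names are hypothetical; the loose rule approximates the registrable domain with the last two DNS labels instead of the Public Suffix List and exists only to show the leak, and the sample URLs are constructed for the example.

```c
/* Added example (not Enpass code): https-by-default for scheme-less URLs and
 * strict hostname matching for autofill, next to the loose domain check that
 * lets one wordpress.com subdomain receive another's credentials. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 scheme followed by "://" (so "host:8443/x" is not a scheme). */
static int has_url_scheme(const char *url)
{
    const char *p = url;
    if (!isalpha((unsigned char)*p))
        return 0;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    return strncmp(p, "://", 3) == 0;
}

/* Copy url into out, prefixed with https:// when no scheme is present.
 * An explicit http:// is kept as the user wrote it. 0 on success, -1 if out is too small. */
static int url_with_default_scheme(const char *url, char *out, size_t outlen)
{
    const char *prefix = has_url_scheme(url) ? "" : "https://";
    if (strlen(prefix) + strlen(url) + 1 > outlen)
        return -1;
    strcpy(out, prefix);
    strcat(out, url);
    return 0;
}

/* Lower-cased hostname of url (userinfo, port, path, query and fragment
 * stripped; IPv6 literals kept in brackets). Returns its length or -1. */
static int url_hostname(const char *url, char *host, size_t hostlen)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t alen = strcspn(p, "/?#");          /* authority length */
    const char *start = p;
    for (size_t i = 0; i < alen; i++)         /* skip user:pass@ */
        if (p[i] == '@')
            start = p + i + 1;
    size_t hlen;
    if (*start == '[') {
        const char *close = memchr(start, ']', alen - (size_t)(start - p));
        if (!close)
            return -1;
        hlen = (size_t)(close - start) + 1;
    } else {
        hlen = strcspn(start, ":/?#");
    }
    if (hlen == 0 || hlen + 1 > hostlen)
        return -1;
    for (size_t i = 0; i < hlen; i++)
        host[i] = (char)tolower((unsigned char)start[i]);
    host[hlen] = '\0';
    if (hlen > 1 && host[hlen - 1] == '.')    /* example.com. == example.com */
        host[--hlen] = '\0';
    return (int)hlen;
}

/* Pointer to the last n DNS labels of host ("a.b.c", 2 -> "b.c"). */
static const char *last_labels(const char *host, int n)
{
    const char *p = host + strlen(host);
    int dots = 0;
    while (p > host) {
        if (p[-1] == '.' && ++dots == n)
            break;
        p--;
    }
    return p;
}

/* Loose rule: same last two labels. Any wordpress.com subdomain matches. */
static int domain_match_loose(const char *item_url, const char *page_url)
{
    char a[256], b[256];
    if (url_hostname(item_url, a, sizeof a) < 0 || url_hostname(page_url, b, sizeof b) < 0)
        return 0;
    return strcmp(last_labels(a, 2), last_labels(b, 2)) == 0;
}

/* Strict rule ("Match URL hostname"): the full hostnames must be equal. */
static int autofill_allowed(const char *item_url, const char *page_url)
{
    char a[256], b[256];
    if (url_hostname(item_url, a, sizeof a) < 0 || url_hostname(page_url, b, sizeof b) < 0)
        return 0;
    return strcmp(a, b) == 0;
}

/* Helpers returning 1 when the functions above give the expected string. */
static int opens_as(const char *stored, const char *expected)
{
    char buf[512];
    return url_with_default_scheme(stored, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

static int host_is(const char *url, const char *expected)
{
    char buf[256];
    return url_hostname(url, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *item = "https://victim.wordpress.com/wp-login.php";   /* constructed sample */
    const char *page = "https://attacker.wordpress.com/login";        /* constructed sample */
    printf("https default: %d, host parse: %d, loose: %d, strict: %d\n",
           opens_as("example.com/login", "https://example.com/login"),
           host_is("https://user:pw@Mail.Example.COM:443/x", "mail.example.com"),
           domain_match_loose(item, page), autofill_allowed(item, page));
    return 0;
}
```

The strict rule is the safe default for a shared host like wordpress.com; an exact-hostname policy is also what the post's desktop "Match URL hostname" setting describes. Anything looser than that needs the Public Suffix List, not a fixed label count, because the number of labels that make up the registrable domain varies (co.uk, github.io and similar).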
  12. Field References

    Hello @EasilyAmused, Thanks a lot for loving Enpass and sharing your experience. Sharing fields among various items is indeed a good feature and can really save a lot of time when you have to keep multiple items with the same credentials, like various Microsoft and Google service accounts, or various bank accounts with multiple debit cards but the same login credentials. We have noted it in our roadmap to introduce in a future version. In fact, since they all belong to the same account, for now in Enpass you can create a single item with multiple URL fields (one for each service), with a must-have field holding the login URL for autofilling, i.e. accounts.google.com for Google services, as login to all their services is done through the same page. Keep using Enpass and sending all your suggestions and feedback to help us in the overall improvement of Enpass. Cheers!
  13. Security audit

    Hello, everybody! I truly understand your concern about a piece of software holding critical information not being open-sourced or audited by any credible third-party agency. Well guys, thanks for all your comments, and we've decided to get a third-party audit of Enpass. But all we need is just some more time, as after the upcoming release of Attachments (a beta is already there), we'll work on some key features like multiple vaults, which need a refactoring of the core engine, and I think that would be the best time to go for the audit, all at once. Till then, please bear with us, and all I ask for is your cooperation. Cheers!
  14. Hi @7Bit, Thanks for writing in. Sorry for the misunderstanding. I was talking about the general cause which we have observed with many users, where we found that antivirus was blocking the connection silently. Though there was also an issue where the extension shows a connection error, but only when the Enpass app was started after the error had been displayed and the Enpass app hadn't come to the foreground. We have fixed this issue here, and the release of this update for the extensions is due soon. Just to make sure, I would like to ask whether the Enpass app is running in the background at the moment you try to autofill. Maybe you hit the close button of the main Enpass window, quitting the app and thus losing the connection between the extension and the app. If this is so, Enpass is working as expected, because the main app must always be running to let the browser extension autofill. In that case, there is an option in Enpass settings to keep it running in the background by minimizing it to the system tray. Also, you can set Enpass to auto-run on system startup so that you don't have to start it manually every time the system starts. But if you're doing it with the main Enpass app running and still facing the issues, then there could be some deep-lying bug which we need to investigate on higher priority. In that case we might need your help with some queries to reproduce the issue here in our lab, as we are unable to reproduce it here on systems with Windows 10 and AVG. Thanks for your cooperation!