Jump to content

Hemant Kumar

Enpass team member
  • Content count

  • Joined

  • Last visited

  • Days Won


Hemant Kumar last won the day on August 24

Hemant Kumar had the most liked content!

Community Reputation

46 Excellent

About Hemant Kumar

  • Rank
    Advanced Member
  1. Security audit

    Hello guys, I truly understand concern of all you guys regarding the third party audit. But as I said in my last post that getting the third party audit done for the current architecture will no longer be useful after the next major release, supporting multiple vaults with new architecture. So please bear with us until the next major version is ready for our lovely users (under development). Thanks for your understanding!
  2. Security audit

    Hi @Thomas Was Alone, We would plan for the Security Audit after the Next major release i.e. Enpass 6 as that would have a fat list of features worthy enough for security audit. Please bear with us.
  3. Copy and paste in sequence

    Hi @bjorkblom, The already planned, Auto-type feature might be useful here.
  4. Separate password for cloud sync

    Hi @gmaddry, That means the file on cloud would be encrypted with a stronger password which user won't be able to restore on another device without providing that stronger (probably unknown, if auto generated), and this whole scenario would be very confusing for some users. The best and most secure way out is to use a strong master password. Cheers!
  5. Security audit

    Hi @GENO, To make Enpass more efficient for coming features, we have decided to refactor it and then will go for Third party Audit. At this moment, I can't assure you of any ETA but this is the next thing we have targeted after attachments. Cheers!
  6. Account Security

    Hi @ericchaffey, Thanks for writing to us with your concern and thanks to all the security researchers who spent their time in finding the flaws. Out of all the vulnerabilities mentioned by researchers only the following two are slightly affecting the security while using Enpass and we will fix them in next update. HTTP URL by default. In any item's URL field, if the user hasn't mentioned the protocol, then clicking on the URL from details page will open the link using 'http' protocol. Please add https:// prefix to your urls explicitly until a fix is available. Subdomain password leakage. To be on safer side, we do autofill in a website only after you select a item manually and we do check domain name of the url to be matched against item url. But this still affects Enpass on Android while autofillig on the websites where a subdomain can be obtained publicly i.e. wordpress.com. To avoid this situation in Android, we will add a setting as Match URL hostname like in our desktop versions. Till than we advice you to be extra cautious while autofilling in such sites. None of the other bug affects Enpass. But I would like to exclusively mention that Enpass is also not affected by some of the nasty bugs found by them. Insecure credential storage in app's private folder. Your data is 100% encrypted with Enpass and neither your master password nor derived password is stored anywhere in plaintext or encrypted using a hardcoded key. In case you enable fingerprint to unlock your database your master password is stored securely by Android OS itself. Read more about how we store it in Android. Read Private Data From App folder. We do not allow file:/// urls to be opened in our built-in browser, so there is no question a attacker can get hold of any file from private data folder. Once again, I thank you for writing to us with your doubts and I hope this helps. Cheers!
  7. Field References

    Hello @EasilyAmused, Thanks a lot for loving Enpass and sharing your experience. Sharing of fields among various items is indeed a good feature and can really save a lot of time when you have to keep multiple items with same credentials like various Microsoft and Google services accounts or there could be various bank accounts having multiple debit cards but same login credentials. We have noted it in our roadmap to introduce in any of future versions. In fact, all they belong to same account, so for now in Enpass you can create a single item with multiple URL fields (one for each service), with a must-have field with login URL for autofilling i.e accounts.google.com for Google services as login to all their services is done through same page. Keep using Enpass with all your suggestions and feedback to help us in overall improvement of Enpass. Cheers!
  8. Security audit

    Hello, everybody! I truly understand your concern for a software holding critcal information and not being open sourced or audited by any credible third party agency. Well guys, thanks for all your comments and we've decided to get third party audit of Enpass. But all we need is just some more time as after the upcoming release of Attachments (beta is already there), we'll work on some key features like multiple-vaults with a need of refactoring the core engine, and I think that would be that best time to go for audit, all at once. Till then, please bear with us and all I ask for is your co-operation. Cheers!
  9. Hi @7Bit Thanks for writing in. Sorry for misunderstanding. I was talking the general cause which we have observed with many users where we found that Antivirus was blocking the connection silently. Though there was also an issue where extension shows connection error, but only when Enpass App started after the error had been displayed and Enpass App hadn't come to foreground. We have fixed this issue here and release of this update for extensions is due soon. Just to make sure, I would like to ask if Enpass App is running in background the moment when you try to autofill. May be you would have hit the close button of main Enpass Window quitting the App and thus losing the connection between extension and App. If this is so, Enpass is working as expected because the main App must be running always to let browser extension autofill. In that case, there is an option in Enpass settings to keep it running in background by minimizing it to system tray. Also you can set Enpass to auto run on system startup so that you don't have to manually start it every time the system starts. But if you're doing it with main Enpass app running and still facing the issues then there could be some deep lying bug for which we need to investigate on higher priorities. And in that case we might need your help with some queries to reproduce the issue here in our lab as we are unable to produce it here on systems with Windows 10 and AVG. Thanks for your co-operation!
  10. Hi @Essex I can understand the inconvenience caused to you while connecting Enpass with Chrome browser. The thread where you posted has been merged here, discussing the same issue. The connection issue with browser (in some systems) may be because of the architecture of Enpass, and in that case it can't be considered as bug in Enpass but the issue could be due to configuration of Antivirus, Firewall or Proxy in user's system. Actually, being an offline password manager, Enpass works differently than the online PMs where their extension communicates directly with their servers through internet while the Enpass extension communicates with main Enpass App locally through web sockets over localhost (without your data actually sent outside through internet). And, generally Enpass extension successfully connects with the main App, but in some systems the configuration of Firewall, Antivirus or proxy might block or interrupt the communication and user has to grant access to that connection, exclusively. Also, you don't need to worry about the security of your data with Enpass. We are very committed towards the performance of Enpass and takes any issue very seriously and so far, due to offline nature of Enpass no such security flaw has been encountered in Enpass. One thing we can assure you is our commitment and support for Enpass. So please check and let us know if you're behind any firewall or proxy, so that we can help you in resolving the connection problem. As always, with affection Cheers!
  11. Password generator open source?

    Hi, guys! Thanks for writing in. This year we have plans to refactor Enpass, and we are also considering to open source few components (those which do not conflict our business interests) including the password generator. Cheers!
  12. Hi, Sorry for the inconvenience guys! The issue comes when Enpass doesn't prompt you to save the password in keychain at the time it is created by Enpass password generator (Not happens with all the websites). But fortunately, there is a feature in password generator as Password history which shows you the last couple of password generated or used along with the domain name. Meanwhile, we fix this issue, please bear with us. Thanks!
  13. Hey @Phylum, Seems you are using WebDAV/ownCloud for syncing data . Enpass lets you enable sync at the same time while restoring for all the cloud services including WebDAV/ownCloud on iOS and Android and the same will be added to UWP and Desktop versions in any of coming versions. Every single suggestion by a user is a push for us to make Enpass better. Keep suggesting!
  14. Thanks for your inputs @Phylum Enpass doesn't take multiple backups for syncing data. The latest data on the device is synced with the latest data on the cloud and then merged with the file on the device. Though in the latest release, we have introduced that option of Auto backups in the desktop versions where you can change the location also. All the popular cloud services generally keep the version history of any file and you can have a look at them by logging into your cloud service. Enpass works in the same fashion. This is something we can really look into where Enpass will check all the previous versions stored by the cloud service and will list all of them to let the user choose the backup file he wants to restore. Hope this helps!