Jump to content

Hemant Kumar

Enpass team member
  • Content Count

    149
  • Joined

  • Days Won

    26

Everything posted by Hemant Kumar

  1. Hi guys, Thanks a lot for your feedback and we really appreciate the time and efforts you have put on helping us improving Enpass. @100 Watt Walrus we have noted every finding of yours as an improvement for coming releases. We want to deliver the best to our users, and believe me, it was really a challenge for all of us to release the first stable version of Enpass 6 over Enpass v5. The new core architecture with tons of improvements in security and design is itself a behemoth, and implementing it on all platforms successfully is remarkable for all of us here. With today's release, we have achieved the first milestone and there are more to go, but we believe that we would easily achieve all of them. All we just need your continuous support and love. I promise that the changes you have suggested are very next in the list and you will find them getting incorporated in coming releases very swiftly. Thanks for your understanding! Cheers
  2. Hi all, The Enpass 6 on macOS comes with a set of premium features as mentioned on the Pricing page. Out of all these, the Touch ID was available in the V5 before. But it has nothing to do with your purchase of the iOS app. Still, the free version of mac is more powerful than v5 and doesn't restrict any of the standard features for any user (even the Multiple vaults is free). The premium features are just add-on goodies for more customization. Enpass 6 is still a free upgrade for existing mobile users and a nominal charge of $5.99 (50% off) is for the lifetime license on macOS. Quick unlock through PIN still works in the Free start date version along with the rest of the features. We really appreciate your love and support so far to make #ENPASS6 happen. ❤️ Cheers!
  3. Hi guys! The Store version and Website version are exactly the same things. Just want to understand why you don't want to use Store version. Distributing the in-app purchases through Stores is a Win-Win for both of us as we don't have to manage the purchases from our end, and you don't have to sign up with us to keep using Enpass, anonymously. Cheers!
  4. Hi all! Sorry for being quite for a long time. I really appreciate your patience and love for Enpass. Finally, the audited Enpass 6 is here as promised. https://www.enpass.io/introducing-enpass-6-crafted-with-the-spirit-of-himalayas/ Here you can find the security audit report. Soon we will cover the more platforms. Cheers!
  5. We are on it and the audit will start with the final Betas of Enpass. We assure you that the final release in the market will be duly audited. Thanks a lot for your patience and understanding.
  6. Hey guys, We understand that security audit of Enpass has grown significant mass and holds the first priority for all of us. The frequency of comments on this post has become an occasional topic of conversation here pushing us to deliver the beta of Enpass 6 as soon as possible. As I mentioned previously, the best way to audit Enpass would be for the new architecture only because doing it for the current version shall all be in vain. No excuse that we are late in releasing the Enpass 6 but that was due to some unavoidable issues and feature updates. Your best wishes for good luck are what we need always but nothing is more painful than parting from you. All I can say at the moment is to please wait for some more time as the New avatar of Enpass is on the way. Thanks a lot for your understanding!
  7. Hi @Vincent Thanks a lot for your time and efforts for a delineated feedback. There is no point in getting offended by your post though I really appreciate that. Security of data is the utmost priority for us and what I meant with my statement was that if the OS is compromised, there is less left for a password manager to protect the user's data from malware, key-loggers which can together steal both the master password and data. I also agree with you for having the maximum added protection. The rewriting of the core is something which is required not only for the purpose of security (though this is the major reason) but also to add more functionalities with best possible UX to support multiple vaults and other most-in-demand features. By rewriting, I didn't mean ditching the used open source technologies rather I meant restructuring the architecture and the way of interaction between UI and SQLCipher. The development of new core has already been done considering all the security aspects; memory encryption and storage in memory, and we are now working on implementing it across the platforms. I agree that the release has been delayed but we are on it. We have also considered Security Audit by third party and I assure that you will definitely like the improvements and the design. This is all I can say for now. Cheers!
  8. Spectre and Meltdown are the recently disclosed, critical processor flaws affecting the security of data at the very basic level of computing system. All the major operating systems and the cloud service providers are sliding in the very required updates to patch againts these flaws. Being an Enpass user, rest assured from the data point of view. If someone is able to steal your data residing on your cloud or your device it is meaningless and pure gibberish for him without your master password. The safety of your master password is the safety of your data. It is the operating system which works in conjuction with the processor and memory to protects all the apps and processes running inside it from any kind of unauthorized access by another process. So if any malware can exploit these flaws to access data of another process or memory space, there is very less for the genuine software to protect itself. The same way, it's not wrong to say that here is nothing from our side to provide in terms of fix(s). As a user of any software, and to protect your confidential data inside it, you have to be very careful to guard your system from entry of malware inside it. First thing here is to install all the necessary updates from your OS provider and make sure you install them from their trusted channels only. In the same way install the software from the default store or the provider's website only. Don't get panic and land yourselves into installtion of any malware/scareware from unauthorized sources, faking you to protect your system from any unanticipated vulnerabilities.
  9. Hello @DaLass We can understand how eagerly you must have been waiting for custom icons now and I really appreciate your patience. We really take every feature request very seriously and are working on it along with a huge list of other features, and for that we are rewriting the Enpass on all the platforms for Enpass 6. It is an immense task to do and will take some more time but we assure you that you gonna like and praise it a lot. Thanks for your understanding!!
  10. Hi @MatMaul, as soon as the Enpass is locked, the SQLCipher database gets closed and requires master password to unlock. In case of PIN, the database stays open but Enpass will restrict any GUI access and once you enter a wrong PIN the database will be closed again requiring the master password.
  11. Hi @Bill Rossum We really appreciate your time taken for these findings about Enpass. We certainly do clear memory where ever it is possible but we can't clear the memory of objects we do not own, i.e. objects created internally by other libraries those Enpass is using and being displayed to you by HxD, mainly: 1. SQLCipher -> Result of queries are not zeroed out by underlaying sqlite code, so you are seeing json littering. 2. GUI Toolkits -> Enpass heavily uses Qt framework (www.qt.io), which makes us possible to provide Enpass on Windows, Mac and Linux. We have no control over Toolkit objects internal memory allocations. This is one of the main reason why we are refactoring Enpass and writing it from scratch for next major release where the whole core is being written in C/C++ offering a greater control over memory (locking, zeroing etc) and internal objects' lifespan. And the final verdict is a password manager can't be more secure than underlaying OS. If OS is set to allow any process to peek into other process' memory, there is very little a password manager can do.  If someone can install a malware to spy your system's memory it means he has that much control over the target OS that he can circumvent every protection of any password manager, for example by installing keylogger, replacing the whole Enpass binary etc. Thanks again for putting up this discussion here.
  12. Hello guys, I truly understand concern of all you guys regarding the third party audit. But as I said in my last post that getting the third party audit done for the current architecture will no longer be useful after the next major release, supporting multiple vaults with new architecture. So please bear with us until the next major version is ready for our lovely users (under development). Thanks for your understanding!
  13. Hi @Thomas Was Alone, We would plan for the Security Audit after the Next major release i.e. Enpass 6 as that would have a fat list of features worthy enough for security audit. Please bear with us.
  14. Hi @bjorkblom, The already planned, Auto-type feature might be useful here.
  15. Hi @Yogi, Was fixed in ver 5.5.2.
  16. Hi @gmaddry, That means the file on cloud would be encrypted with a stronger password which user won't be able to restore on another device without providing that stronger (probably unknown, if auto generated), and this whole scenario would be very confusing for some users. The best and most secure way out is to use a strong master password. Cheers!
  17. Hi @GENO, To make Enpass more efficient for coming features, we have decided to refactor it and then will go for Third party Audit. At this moment, I can't assure you of any ETA but this is the next thing we have targeted after attachments. Cheers!
  18. Hi @ericchaffey, Thanks for writing to us with your concern and thanks to all the security researchers who spent their time in finding the flaws. Out of all the vulnerabilities mentioned by researchers only the following two are slightly affecting the security while using Enpass and we will fix them in next update. HTTP URL by default. In any item's URL field, if the user hasn't mentioned the protocol, then clicking on the URL from details page will open the link using 'http' protocol. Please add https:// prefix to your urls explicitly until a fix is available. Subdomain password leakage. To be on safer side, we do autofill in a website only after you select a item manually and we do check domain name of the url to be matched against item url. But this still affects Enpass on Android while autofillig on the websites where a subdomain can be obtained publicly i.e. wordpress.com. To avoid this situation in Android, we will add a setting as Match URL hostname like in our desktop versions. Till than we advice you to be extra cautious while autofilling in such sites. None of the other bug affects Enpass. But I would like to exclusively mention that Enpass is also not affected by some of the nasty bugs found by them. Insecure credential storage in app's private folder. Your data is 100% encrypted with Enpass and neither your master password nor derived password is stored anywhere in plaintext or encrypted using a hardcoded key. In case you enable fingerprint to unlock your database your master password is stored securely by Android OS itself. Read more about how we store it in Android. Read Private Data From App folder. We do not allow file:/// urls to be opened in our built-in browser, so there is no question a attacker can get hold of any file from private data folder. Once again, I thank you for writing to us with your doubts and I hope this helps. Cheers!
  19. Hello @EasilyAmused, Thanks a lot for loving Enpass and sharing your experience. Sharing of fields among various items is indeed a good feature and can really save a lot of time when you have to keep multiple items with same credentials like various Microsoft and Google services accounts or there could be various bank accounts having multiple debit cards but same login credentials. We have noted it in our roadmap to introduce in any of future versions. In fact, all they belong to same account, so for now in Enpass you can create a single item with multiple URL fields (one for each service), with a must-have field with login URL for autofilling i.e accounts.google.com for Google services as login to all their services is done through same page. Keep using Enpass with all your suggestions and feedback to help us in overall improvement of Enpass. Cheers!
  20. Hello, everybody! I truly understand your concern for a software holding critcal information and not being open sourced or audited by any credible third party agency. Well guys, thanks for all your comments and we've decided to get third party audit of Enpass. But all we need is just some more time as after the upcoming release of Attachments (beta is already there), we'll work on some key features like multiple-vaults with a need of refactoring the core engine, and I think that would be that best time to go for audit, all at once. Till then, please bear with us and all I ask for is your co-operation. Cheers!
  21. Hi @7Bit Thanks for writing in. Sorry for misunderstanding. I was talking the general cause which we have observed with many users where we found that Antivirus was blocking the connection silently. Though there was also an issue where extension shows connection error, but only when Enpass App started after the error had been displayed and Enpass App hadn't come to foreground. We have fixed this issue here and release of this update for extensions is due soon. Just to make sure, I would like to ask if Enpass App is running in background the moment when you try to autofill. May be you would have hit the close button of main Enpass Window quitting the App and thus losing the connection between extension and App. If this is so, Enpass is working as expected because the main App must be running always to let browser extension autofill. In that case, there is an option in Enpass settings to keep it running in background by minimizing it to system tray. Also you can set Enpass to auto run on system startup so that you don't have to manually start it every time the system starts. But if you're doing it with main Enpass app running and still facing the issues then there could be some deep lying bug for which we need to investigate on higher priorities. And in that case we might need your help with some queries to reproduce the issue here in our lab as we are unable to produce it here on systems with Windows 10 and AVG. Thanks for your co-operation!
  22. Hi @Essex I can understand the inconvenience caused to you while connecting Enpass with Chrome browser. The thread where you posted has been merged here, discussing the same issue. The connection issue with browser (in some systems) may be because of the architecture of Enpass, and in that case it can't be considered as bug in Enpass but the issue could be due to configuration of Antivirus, Firewall or Proxy in user's system. Actually, being an offline password manager, Enpass works differently than the online PMs where their extension communicates directly with their servers through internet while the Enpass extension communicates with main Enpass App locally through web sockets over localhost (without your data actually sent outside through internet). And, generally Enpass extension successfully connects with the main App, but in some systems the configuration of Firewall, Antivirus or proxy might block or interrupt the communication and user has to grant access to that connection, exclusively. Also, you don't need to worry about the security of your data with Enpass. We are very committed towards the performance of Enpass and takes any issue very seriously and so far, due to offline nature of Enpass no such security flaw has been encountered in Enpass. One thing we can assure you is our commitment and support for Enpass. So please check and let us know if you're behind any firewall or proxy, so that we can help you in resolving the connection problem. As always, with affection Cheers!
  23. Hi, guys! Thanks for writing in. This year we have plans to refactor Enpass, and we are also considering to open source few components (those which do not conflict our business interests) including the password generator. Cheers!
  24. Hi, Sorry for the inconvenience guys! The issue comes when Enpass doesn't prompt you to save the password in keychain at the time it is created by Enpass password generator (Not happens with all the websites). But fortunately, there is a feature in password generator as Password history which shows you the last couple of password generated or used along with the domain name. Meanwhile, we fix this issue, please bear with us. Thanks!
  25. Hey @Phylum, Seems you are using WebDAV/ownCloud for syncing data . Enpass lets you enable sync at the same time while restoring for all the cloud services including WebDAV/ownCloud on iOS and Android and the same will be added to UWP and Desktop versions in any of coming versions. Every single suggestion by a user is a push for us to make Enpass better. Keep suggesting!
×
×
  • Create New...