Enpass Discussion Forum

Hemant Kumar

Enpass team member

Posts posted by Hemant Kumar

  1. Hi @Mark

    Thanks for posting your query on our Forums. From a consumer point of view, we do respect your concern about security.

    17 hours ago, Mark said:

    "Security of our data is your utmost priority."

    Yes, it's true.

    On 9/2/2016 at 4:59 AM, Gili said:

    Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product?


    We also thought of getting a third party audit of Enpass but eventually had to drop this idea for some time (so far). All this because Enpass supports so many platforms with a high frequency of updates (all together) and it is not possible for us to get every update audited because every successive update will invalidate the last audit done. Also getting the source code audited is very hefty in terms of time and expense.

    I hope that helps answer your question.

    • Sad 1
  2. Thanks @kent1986 for showing interest in Enpass. We are really very delighted to have feature requests from users and we are committed to add them at the earliest. 

    I cannot confirm any ETA, but I would say that multiple vaults is on our top-priority list and we will start working on it after the release of attachment support & Enpass for Chromebook (very very soon). We will keep you guys updated with progress.

    Thanks for your love and understanding.

  3. Hello @Jaspreet Singh,

    Thanks for sharing your thoughts and writing in. At the moment we don't have plans to open source code of Enpass.

    We do keep discussing about the Enterprise edition and various possible scenarios for that (online vs offline) and it would be great for us to have your inputs on the same as a user.

    Cheers!

  4. Hello @BBKING,

    Thanks a lot for your time in providing enough details for diagnosing the issue. We tested it here and found that the problem comes with the Licensing API while starting Enpass. This happens because of an unstable internet connection or no connection, leading to failure in validating the License of the App using the Windows Licensing API. And once your License gets invalidated, the Windows Licensing API keeps crashing, followed by crashing of Enpass itself, until the phone is rebooted.

    We are introducing a workaround for this (at our end) which will most probably be available in next update. Please bear with us.

    On 6 August 2016 at 2:07 PM, BBKING said:

    -- 6hrs after first time logging in the app.

    Does it happen daily (at least once) and do you think that there might be problem with internet at that time?

    Cheers!

  5. Hello @diego.narducci88,

    Sorry for not being able to understand the Google translated text clearly.

    On 3 August 2016 at 2:50 AM, diego.narducci88 said:

    ould also tert option in a single vault have various levels of access with priorities as a password for read-only , etc ... also multiple vaults on a single file , also a unique password to add entries

    But as far as I can understand, you are suggesting to set permission levels on the Enpass database, where every level of permission will be protected by a unique password. This is something that we haven't planned for yet.

    On 3 August 2016 at 2:50 AM, diego.narducci88 said:

    poir example , I use enpass with browser addon to add new entries but every time I add a new entry I have to retype the password

    If you mean that Enpass being locked after a particular period of time and you have to enter master password very frequently (while using the system), you can control this behavior in better way by setting the lock time based on system inactivity rather than Enpass's inactivity. More at https://www.enpass.io/docs/desktop-windows/security.html#lock-when-system-is-idle

    Hope this helps!

  6. Hi guys,

    As we have mentioned in our blog post, the Edge browser extension will not be part of stable releases. We will keep the beta-stream of Traditional Windows as updated as stable stream with an additional, most in-demand feature: Edge Browser extension. The newly released Enpass Beta 5.3.1 is similar to stable Enpass 5.3.0. You can download the Edge supported Beta version from here and Edge extension from here & follow the steps mentioned in readme.txt. Before using the beta version, you should be aware of risks involved by:

    Disabling isolation of Edge browser: To strike down the Issue of Microsoft Edge browser (where being a UWP App, it doesn't allow any other App to connect to it on same machine through loopback), we have to disable the network isolation of Edge using the following command.

    CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
    Warning: As per Microsoft, the use of above command to overrule the Network capabilities of Edge browser is not a general practice and is not recommended for normal users as it can make the Edge browser vulnerable.

    Format of Websocket origin: When edge extension connects to Enpass app via websocket, the websocket origin set by Edge is in somewhat a non-standard format https://EnpassPasswordManager_nt7fcssrybz1j:0. Ideally it should be

    ms-browser-extension://EnpassPasswordManager_nt7fcssrybz1j:0

    Being in the https protocol format, it might lead an attacker to run an attack site on a machine that resolves to our extension ID by DNS spoofing and installing its self-signed root certificate authority on your computer. A request coming from an Edge browser running that attack site will look like an authentic request to Enpass. If your PC is already so much under the control of a bad guy that he can install a self-signed root certificate and run a site on your machine (which requires administrator permission), you are already at potential risk. Although it is not so easy for anyone in a controlled environment, as a user of Enpass, we want you to be aware of this issue.

    Keep using Enpass and stay secure!

  7. Hi @sxc4567,

    Thanks for writing in.

    3 hours ago, sxc4567 said:
    • What's the "Portable" version of Enpass?

    The coming Portable version of Enpass will be direct executable of full fledged Enpass (needs no installation) from a USB key. You would be able to keep executable of all platforms in the single USB pendrive and can plug it on any system (Windows, Mac and Linux). Though for Linux you would require to create an extra partition on pen-drive as extended file system. All the development work has been done and soon we will release a beta version for beta program subscribers.

    4 hours ago, sxc4567 said:

    Will multiple DB support extend across platforms, to include synchronisation eg: Linux & iOS?

    Yes, users would be able to sync across devices using all supported clouds. 

    If you have more queries, please feel free to discuss.

    Cheers!

    • Like 1
  8. Hello @rk

    Thanks for your message! At the moment we are in a state where it would be very confusing to provide an open roadmap due to lot of features being worked on simultaneously on all platforms.

    We are ready with the Portable version of Enpass in which user has to choose a database (analogous to vault) at the start and this way it can be used as a multiple vault. We will soon release a Beta version of it.

    Thanks for your patience and understanding.

    • Like 2
  9. Hello @MisterT,

    I am extremely sorry for the trouble you guys are facing with Enpass.

    I sent a couple of Debug versions to @Tadly and by analyzing the logs and stack trace shared by him (Thanks dude!:)) we were able to diagnose the cause, which was due to a bug in Qt's network manager as mentioned in 

    Actually the QNAM doesn't notify the OS about the proper state of the network (availability), which causes Enpass to keep looking for the WebDAV device to get ready and increases CPU usage. In the debug version, we fixed the issue of high CPU usage but the problem got more basic (you can say transparent) with the network issue when Enpass stopped syncing due to the network being unreachable (Qt's Network manager>:(). 

    One possible workaround is to use the Folder Sync instead through which you can sync with your WebDAV folder by mounting that into local system.

    We are trying to find workarounds for this issue but would be a relief if there is any fix from Qt.

    Will keep you guys posted here with the progress. Always in my mind, Cheers!
    Hemant

     

  10. Hi @Daniel-san,

    Thanks for your message. I really appreciate your awareness about the security of your data.

    In one sentence, I can say that Enpass is not at all affected with this issue.

    5 hours ago, Daniel-san said:

    This link states how the passwords from Lastpass were revealed to unknown websites due to a logical bug in using regular expressions, while in Enpass we have used the proper function provided in the SDK to extract the hostname from the URL.

    QString QUrl::host(ComponentFormattingOptions options = FullyDecoded);

    When you visit any webpage with the URL say http://www.example.com/login/, and click the Enpass extension icon or press the shortcut key for autofilling, the whole URL is passed to the main Desktop App which, by using the above function, extracts the hostname as www.example.com, from which the domain name would be further extracted as example.com. Now the main Enpass App finds all the matching items for example.com and transmits their icon, Title and subtitle to Enpass-Helper (part of Enpass App and not extension). Enpass-Helper displays this information to the user and waits for the user to select the item for autofilling. (This step is bypassed if the user has requested autofill using the shortcut key and only a single item exists matching that domain.) Upon selection, the information of the selected item is passed from Enpass-Helper to the Enpass app, which further supplies the username and password to the Enpass browser extension. All this communication is secure and happens on localhost, about which you can read more here in our user manual.

    As you can see that most of the work is done in Enpass App itself rather than the extension and we keep updating our desktop App on regular basis, so you can confidently use Enpass and its browser extensions.

    If you still have any doubts, please feel free to share with us.

    Cheers and have fun with Enpass!

    Hemant

    • Like 3
    • Thanks 1
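
The hostname step described in the post above, as an added example that is not Enpass code and not part of the original post: it contrasts a URL parser with a constructed, fragile regular expression and then applies a label-boundary domain match before anything would be offered for autofill. The function names, the regex and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not Enpass code). All names and sample URLs are constructed.

// Host as a real URL parser reports it, which is the approach the post
// describes with QUrl::host(). Returns null for anything that is not http(s).
function parsedHost(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname.toLowerCase().replace(/\.$/, '');
}

// Constructed fragile pattern for contrast (not taken from any product):
// it treats everything up to the last '@' as credentials, even past the path.
function regexHost(pageUrl) {
  const m = /^https?:\/\/(?:.*@)?([^\/:?#]+)/i.exec(pageUrl);
  return m ? m[1].toLowerCase() : null;
}

// A stored item for "example.com" matches the host itself or a subdomain,
// compared on a label boundary so "notexample.com" does not match.
function matchesItem(host, itemDomain) {
  if (!host) return false;
  return host === itemDomain || host.endsWith('.' + itemDomain);
}

// Constructed sample URLs.
const samples = [
  'http://www.example.com/login/',
  'https://user:pw@www.example.com:8443/',
  'http://other.test/@www.example.com/login',
  'https://example.com.other.test/',
  'https://notexample.com/',
];

// One row per sample: what each extractor sees and whether an item stored
// for example.com would be offered when the parser's host is used.
function report() {
  return samples.map((url) => ({
    url,
    parser: parsedHost(url),
    regex: regexHost(url),
    fill: matchesItem(parsedHost(url), 'example.com'),
  }));
}

console.table(report());
```

Only the first two samples end up eligible for an example.com item; the third is the case where the regex and the parser disagree about the host.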
  11. Hi @Tadly

    Thanks for trying Beta and your feedback. We have released another beta version 5.2.4 with fixes for sync issue.

    On 11 July 2016 at 1:20 PM, Tadly said:

    To fix it I had to create the following symlinks within /opt/Enpass/lib:

    • libcrypto.so -> libcrypto.so.1.0.0
    • libssl.so -> libssl.so.1.0.0

    I remember this (or something similar) being the case some time ago so I was wondering if you guys
    could include those symlinks within the build.

    Symlinks are now there in new beta version. 

    On 11 July 2016 at 1:20 PM, Tadly said:

    And there's the CPU load again :(
    Took ~1 hour until Enpass run at 100% again.

    Unfortunately we are unable to produce this issue and have tested for it in different scenarios. If possible, can you try a debug version through gdb so that we can have the culprit function name (at least, something to start with). If you wish, you can try that with some sample data first (with all features enabled).

    Cheers!

  12. Hi @fnkr,

    We would love to increase the number of PBKDF2 iterations, but the slow speed of some of the supported platforms (Windows Phone and BlackBerry) restricted us to come with the optimum value of 24K.

    We will look forward for it in future as the faster devices are coming in market.

    Thinking of more security always!
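
The trade-off in the post above, as an added example that is not Enpass code: PBKDF2 cost grows linearly with the iteration count, so a vault opened on several devices can only use the count its slowest device can afford within an acceptable unlock delay. The SHA-256 hash, 32-byte key, 800 ms budget and per-device rates are constructed assumptions; only the 24K figure comes from the post.

```javascript
// Added example (not Enpass code). Hash, key length, budget and the device
// rates below are assumptions chosen for illustration.
const nodeCrypto = require('node:crypto');

// PBKDF2 key derivation from a master password.
function deriveKey(password, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// Iterations per millisecond this machine sustains (best of three runs,
// probing at the 24K count mentioned in the post).
function measureRate(probe = 24000) {
  const salt = nodeCrypto.randomBytes(16);
  let best = Infinity;
  for (let i = 0; i < 3; i++) {
    const t0 = process.hrtime.bigint();
    deriveKey('constructed-sample-password', salt, probe);
    best = Math.min(best, Number(process.hrtime.bigint() - t0) / 1e6);
  }
  return probe / best;
}

// Largest count (rounded down to a multiple of 1000) that a device with the
// given rate can run within budgetMs of unlock delay.
function affordableIterations(ratePerMs, budgetMs) {
  return Math.floor((ratePerMs * budgetMs) / 1000) * 1000;
}

// A vault shared across devices is limited by the slowest of them.
function sharedIterations(ratesPerMs, budgetMs) {
  const counts = Object.values(ratesPerMs).map((r) =>
    affordableIterations(r, budgetMs));
  return Math.min(...counts);
}

// Constructed rates in iterations per millisecond, not measurements.
const constructedRates = { desktop: 400, phone: 30 };

console.log('this machine, iterations/ms:', Math.round(measureRate()));
console.log('desktop alone:', affordableIterations(constructedRates.desktop, 800));
console.log('shared vault :', sharedIterations(constructedRates, 800));
```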

  13. Hi guys,

    Sorry to keep you on wait for so long. We have released a Beta version with some new features, improvements and fixes including one for this high CPU usage issue. For complete change-log and download links, have a look at

    The issue was due to a nasty bug in Qt's network manager (though they claim to have fixed it, it's still there in Qt) which was not giving the exact state of the network after the system was woken up from sleep mode. In this beta version it has been fixed using a workaround. Some other software like ownCloud were also affected and they also managed to fix it through some workaround

    Please try it and let us know about the behavior of CPU after you wake up the PC from sleep.

    Cheerio!

  14. 15 hours ago, JohnF said:

    I downloaded and installed the extension as per the instructions without issue. When I hit the Enpass button next to the "..." I get an Enpass connection error indicating I might have not done one of the steps. I've checked all of the settings and ran "CheckNetIsolation LoopbackExempt -s" to ensure "microsoft.microsoftedge_8wekyb3d8bbwe" is listed.

    Hi @JohnF,

    Thanks for trying the Beta. Have you checked both Enable Browser Extensions and Support for Microsoft Edge in Browser settings of Enpass? More at 

    https://www.enpass.io/docs/desktop-windows/browser_ext_install.html#swbrowsers

    Please let us know if your problem gets resolved.

    Regards

    Hemant

  15. Hi @threadstone,  

    Thanks for checking out Enpass and your message. 

    Initially, Enpass was launched as a Pro-app with a separate trial version, but to remove the hassle of dealing with two versions of the same app at the same time, we switched to in-app purchases, and users liked that move. 
    I also like the concept of Family sharing of paid apps, but to support that we can't convert a free Enpass App into a paid app (as per Google policy) and can't move the existing in-app purchases (of existing users) to a new App. So we have to stick with in-app purchase and users looking for family sharing for in-app purchases have to wait until Google supports that.

    Cheers!

  16. Hello @Craig,

    I am really very sorry for not being able to fulfill your request of fixing the unsteady behavior of entering Master password if your system is set to sleep. Actually, we forcefully lock the Enpass when the system went to idle state just for the sake of security. But we have noted down your request of improving the autolock behavior in case of system sleep and will definitely add it in coming versions. At this moment we are really overloaded with some awesome features in desktop and other mobile platforms and I believe you'll like them. So we will improve this in mid of any of the features but can't assure you any ETA now.

    It will be really sad for us to see you go and I request you to please bear with us for some time.

    Cheers!

  17. Hi @renz

    Thanks a lot for loving the Android version. It's your love that keeps us motivated to always do the best.

    We are almost ready with the portable version (better called cross-platform cum portable version in same USB stick). We will soon be rolling out the beta version and to get your hands on it, please join the Beta program for the platforms, you're interested in. You gonna love it.

    Cheers!

    • Like 1
  18. Hello!

    It is really a moment of pride for us to see you here looking for joining us as a Beta tester. We really appreciate your interest to help us improving Enpass.

    We release beta builds of Enpass when there are some significant changes testing of which can help us fix any issues in them before they are officially released. Beta subscribers of Enpass get them as normal update on Google Play Store and if you're not a beta subscriber, you can become one from the Enpass page on Google Play Store on the Android device. Just scroll down to the bottom and you'll see an option to Becoming a beta tester. 

    Alternatively you can directly access it here.

    Thank you for your time and consideration!

  19. Hi folks!

    The new Android Beta 5.1.8 is now available on Play store with the following change-log. 

    1. Added Localization for all the changes since last stable release. 
    2. Upgraded to new Box cloud SDK. Box users have to re-enable sync. 
    3. Color-coded passwords in password history. 
    4. Only Enpass database (not settings) will be considered in backup by Google for App backup. 
    5. Option to cancel unlock using Fingerprint on Extended Keyboard. 
    6. Option to exclude symbols from password generator has been temporarily withdrawn. We'll consider it again in better way. 

    Please report all the bugs and issues here and we will fix them in the next stable release.

  20. Hi @cutalion

    Thanks for your question here on Enpass Forums. We are really happy to see your concerns about the security of your data. 

    Yes, Enpass is not an open source software because of the nature of our business. 

    First things first, it's the security of your data. Instead of our own proprietary code for Cryptography, we have moved to SQLCipher (which is an open source Cryptography Engine) and is being used worldwide. You can read more about security-in-enpass here

    Being an offline software, your data is never stored on our servers and never leaves your system in an unprotected way. You can verify this by using network sniffers on your device.

    For more you can go through our Security FAQs here https://www.enpass.io/kb/mac-os-x/

    Cheers!

    • Like 2