
Everything posted by Fabian1

  1. Fabian1

    Security audit

    Still no answer to this very important question. Not a good sign to trust.
  2. That is the point. I want to decide as a customer if and when to buy a new version (for example with new features). Subscription models hinder the development of the software. The developers do not have to win the customers again. You can see that in Adobe & Co. - since subscription models were introduced there, the software is only managed. Innovations take place elsewhere. Even though I now get free lifelong access, I cannot recommend Enpass anymore. What will it cost in the future? At least $1 a month - probably more. Future customers pay in one year what had to be paid once. Before I discovered Enpass, I used 1Password for 10 years - and bought three new versions - also for my family. That cost a total of $150. With the new subscription model I would pay in this time $360 or even $600 (for a family account). And it's "only" a password safe. A relatively manageable piece of software. I have dozens of other programs on the smartphone and PC. If everyone wants $5 a month, that's more than $1,000 a year. Subscription models are money robbers. Dear Enpass Team, I would prefer that I have no free, lifelong access and instead Enpass would have a one-time purchase - even though you would have to pay more for new versions. You break your word! See it here - still on your website:
  3. Fabian1


    I have some "ghost" fields in some items. There are sections and orders of fields shown, and when I try to edit, they will disappear in edit mode, but stay in view mode...
  4. Fabian1

    remove keyfile

    Yes, thanks - this is working.
  5. I really like Enpass so much! But there is a fundamental security problem with the biometric unlock. Face ID and fingerprint are not safe. You can hold someone's device in front of his face. Or you press his finger on the device. We also leave fingerprints everywhere. They are even stored in many ID cards. This is a fundamental problem of unlocking smartphones in this way and not a problem of Enpass itself. But Enpass should be more secure. It's a pity that you need only seconds to overcome the biometric unlock and all passwords are open! Enpass could become much safer with two very simple changes: 1. PIN & biometric unlock at the same time. Please change the Enpass app so that the PIN and the biometric unlock are possible at the same time. Then a very short PIN could provide much more security. I would use a three-digit PIN and set the number of failed attempts to 1. After a single wrong entry, the master password must be entered. An attacker who overcomes the biometric unlock would thus only have a 1:1000 chance. At the same time, the use of Enpass remains very comfortable. 2. We urgently need a time-out for the biometric unlock. As in the desktop version, after a certain time (1 day) or when the device was restarted, the master password should always be queried. So does 1Password - why not Enpass? It prevents attackers who have captured the device from having all the time in the world to overcome the biometric unlock. Please implement these very simple features. You can set it by default to "only biometric unlock" (without a PIN at the same time) and set the biometric unlock timeout to "never". So there will be no less comfort for people that don't need higher security. Kind regards, Fabian
  6. Fabian1

    remove keyfile

    Nobody knows?
  7. Fabian1

    remove keyfile

    I cannot remove the keyfile from a multi vault. There is no option to delete the keyfile in the "change password" section, as it is described in the manual.
  8. I think solving this problem is VERY EASY: just implement a "sync now" button in Enpass. So the user can choose: syncing anytime in the background or only syncing at manual request.
  9. I agree. The URL of some entries in my vault is confidential. I don't want you at Enpass to know all my server domains...
  10. You can create a travel mode yourself: Keep all important information only in an extra vault. The default vault contains nothing (or just passwords that you want to share with the border official ;-)) The extra vault should have a different password than your default vault. Do not store this password in your default vault (or delete it before traveling). Only this extra vault is synchronized with the cloud. Best with an anonymous WebDAV server that cannot be associated with you. The iCloud is not so good because it's tied to the Apple ID, which you can look up in the phone, so the border guard might ask for the Apple ID password, search and find your extra vault there and ask for this password too. Also on all other devices (desktops, pads, telephones, etc.): the standard vault contains only a few unimportant passwords or remains completely empty. All devices synchronize the important data via cloud with the extra vault. If a device is to be taken over the border, then the extra vault and the sync with the cloud must be deleted. Only the standard vault - containing only unimportant passwords or fakes - remains on the device. After successful border crossing, the sync to the extra vault on the (secret) WebDAV server can be restored and the extra vault restored to the device. By the way, there is a big security advantage to synchronizing all data only via an additional vault: The extra vault can be protected by a very complex password! It rarely needs to be entered, for example only after a border passage, when the sync is reestablished. A complex password protects the data if the extra vault in the cloud should fall into the wrong hands. On the local device the password for the standard vault will also open the extra vault (unless it has just been deleted because of a border passage). The password for the default vault could be easier to type, because it is needed more frequently.
And you can use different passwords for the default vault on any device. Some passwords that are easy to type on a desktop PC are very uncomfortable on a small iPhone, for example.
  11. Another desirable change would be: the use of PIN and Biometric Unlock at the same time. That makes sense in the two-factor security philosophy: PIN - something you know. Finger or face - something you have. Biometric features alone are not safe, because unlocking can be done against the will of the user. For example, a border official would only have to hold the iPhone in front of your face to unlock. And fingerprints are often stored at the border anyway. The combination of PIN and Biometric Unlock would also make very short PINs possible, maybe only two or three digits. That would be very comfortable. And it would be very safe, because someone who looked over the shoulder while unlocking could not do anything with it, because he lacks the biometric part.
  12. Fabian1

    Security audit

    Dear Enpass Team, do you plan an audit for iOS? Best regards.
  13. The same goes for me. 1Password requires the master password after restarting the iPhone. The biologic unlock is not possible. With Enpass the unlock is possible directly after the restart by fingerprint. That's not good and incomprehensible. Turning off the phone should always be a kind of emergency stop. For example, many people turn off their phones at the border. With a switched-off phone, a potential attacker has all the time in the world to think about how to crack it. Hackers have already demonstrated that it is possible to take the fingerprint of a person from a coffee cup, make a copy and trick the iPhone. Dear Enpass Team, please change. There is no reason that PIN and fingerprint remain even after a reboot. In addition, we would like to be able to set a timeout after which the master password is also retrieved. What exactly is so difficult about that?
  14. 1Password will delete the master password. There is a timeout. Even if you turn off your phone, you have to enter the master password again. Why is this a problem for Enpass?
  15. The doubt left is: There is still no audit of your iOS and macOS app... ...we are waiting 3 years now!
  16. Fabian1

    Security audit

    Me too. And where is the audit for iOS and macOS?
  17. Dear Vinod, Thank you very much for the very precise answer. That was exactly what I wanted to know. 1. PIN use (or old iPhone) = security risk, if the iOS keychain is broken 2. Biometric unlock + Secure Enclave = may still be considered secure, no indication of compromise of the Secure Enclave 3. Enter password yourself = currently best security. Or is there any evidence that the current hack could read/log all keystrokes on the iPhone? Do you store the clear text master password in process memory of the kernel? Thx again & kind regards, Fabian
  18. Nobody really knows if all the safety of Enpass was endangered?
  19. Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked - just by visiting an infected website. This allowed the attackers comprehensive access to the data in the iPhone: WhatsApp, Signal, SMS, GPS location, photos, contacts and - yes - even the keychain with the passwords should have been open. An incredible bug! My question: Was Enpass also affected? Could attackers - even theoretically - read the passwords from the Enpass database? As far as I know, Enpass uses the iOS keychain to store the master password if you use biometric unlock. Who knows more?