Enpass Discussion Forum

Everything posted by Fabian1

  1. Fabian1

    remove keyfile

    Yes, thanks - this is working.
  2. I really like Enpass so much! But there is a fundamental security problem with the biometric unlock. Face ID and fingerprint are not safe. You can hold someone's device in front of his face, or you press his finger on the device. We also leave fingerprints everywhere. They are even stored in many ID cards. This is a fundamental problem of unlocking smartphones in this way and not a problem of Enpass itself. But Enpass should be more secure. It's a pity that you need only seconds to overcome the biometric unlock and all passwords are open! Enpass could become much safer with two very simple changes:

     1. PIN & biometric unlock at the same time. Please change the Enpass app so that the PIN and the biometric unlock are possible at the same time. Then a very short PIN could provide much more security. I would use a three-digit PIN and set the number of failed attempts to 1. After a single wrong entry, the master password must be entered. An attacker who overcomes the biometric unlock would thus only have a 1:1000 chance. At the same time, the use of Enpass remains very comfortable.

     2. We urgently need a time-out for the biometric unlock. As in the desktop version, after a certain time (1 day) or when the device was restarted, the master password should always be queried. So does 1Password; why not Enpass? It prevents an attacker who has captured the device from having all the time in the world to overcome the biometric unlock.

     Please implement these very simple features. You can set it by default to „only biometric unlock“ (without a PIN at the same time) and set the biometric unlock timeout to „never“. So there will be no less comfort for people who don't need higher security.

     Kind regards, Fabian
  3. Fabian1

    remove keyfile

    I cannot remove the keyfile from a multi vault. There is no option to delete the keyfile in the "change password" section, as it is described in the manual.
  4. I think solving this problem is VERY EASY: just implement a button in Enpass „sync now“. So the user can choose: syncing anytime in the background or only syncing on manual request.
  5. I agree. The URL of some entries in my vault is confidential. I don't want you at Enpass to know all my server domains...
  6. You can create a travel mode yourself: Keep all important information only in an extra vault. The default vault contains nothing (or just passwords that you want to share with the border official ;-)). The extra vault should have a different password than your default vault. Do not store this password in your default vault (or delete it before traveling). Only this extra vault is synchronized with the cloud. Best with an anonymous WebDAV server that cannot be associated with you. iCloud is not so good because it's tied to the Apple ID, which you can look up in the phone, so the border guard might ask for the Apple ID password, search and find your extra vault there, and will ask for this password too.

     Also on all other devices (desktops, pads, telephones, etc.): the standard vault contains only a few unimportant passwords or remains completely empty. All devices synchronize the important data via cloud with the extra vault. If a device is to be taken over the border, then the extra vault and the sync with the cloud must be deleted. Only the standard vault, containing only unimportant passwords or fakes, remains on the device. After a successful border crossing, the sync to the extra vault on the (secret) WebDAV server can be restored and the extra vault restored to the device.

     By the way, there is a big security advantage to synchronizing all data only via an additional vault: The extra vault can be protected by a very complex password! It rarely needs to be entered, for example only after a border passage, when the sync is reestablished. A complex password protects the data if the extra vault in the cloud should fall into the wrong hands. On the local device the password for the standard vault will also open the extra vault (unless it has just been deleted because of a border passage). The password for the default vault could be easier to type, because it is needed more frequently.

     And you can use different passwords for the default vault on any device. Some passwords that are easy to type on a desktop PC are very uncomfortable on a small iPhone, for example.
  7. Another desirable change would be: the use of PIN and Biometric Unlock at the same time. That makes sense in the two-factor security philosophy: PIN - something you know. Finger or face - something you have. Biometric features alone are not safe, because unlocking can be done against the will of the user. For example, a border official would only have to hold the iPhone in front of your face to unlock. And fingerprints are often stored at the border anyway. The combination of PIN and Biometric Unlock would also make very short PINs possible, maybe only two or three digits. That would be very comfortable. And it would be very safe, because someone who looked over your shoulder while unlocking could not do anything with it, because he lacks the biometric part.
  8. Dear Enpass Team, do you plan an audit for iOS? Best regards.
  9. The same goes for me. 1Password requires the master password after restarting the iPhone. The biometric unlock is not possible. With Enpass the unlock is possible directly after the restart by fingerprint. That's not good and incomprehensible. Turning off the phone should always be a kind of an emergency stop. For example, many people turn off their phones at the border. With a switched-off phone, a potential attacker has all the time in the world to think about how to crack it. Hackers have already demonstrated that it is possible to take the fingerprint of a person from a coffee cup, make a copy and trick the iPhone. Dear Enpass Team, please change this. There is no reason that PIN and fingerprint remain even after a reboot. In addition, we would like to be able to set a timeout after which the master password is also retrieved. What exactly is so difficult about that?
  10. 1Password will delete the master password. There is a timeout. Even if you turn off your phone, you have to enter the master password again. Why is this a problem for Enpass?
  11. The doubt left is: There is still no audit of your iOS and macOS app... ...we have been waiting 3 years now!
  12. Me too. And where is the audit for iOS and macOS?
  13. Dear Vinod, thank you very much for the very precise answer. That was exactly what I wanted to know.

     1. PIN use (or old iPhone) = security risk, if the iOS keychain is broken
     2. Biometric unlock + Secure Enclave = may still be considered secure, no indication of compromise of the Secure Enclave
     3. Enter password yourself = currently best security.

     Or is there any evidence that the current hack could read/log all keystrokes on the iPhone? Do you store the clear-text master password in process memory of the kernel? Thx again & kind regards, Fabian
  14. Does nobody really know whether all the safety of Enpass was endangered?
  15. Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked, just by visiting an infected website. This allowed the attackers comprehensive access to the data in the iPhone: WhatsApp, Signal, SMS, GPS location, photos, contacts and - yes - even the keychain with the passwords should have been open. An incredible bug! My question: Was Enpass also affected? Could attackers, even theoretically, read the passwords from the Enpass database? As far as I know, Enpass uses the iOS keychain to store the master password if you use biometric unlock. Who knows more?
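The unlock policy requested in posts 2, 7 and 9 (PIN together with biometrics, fallback to the master password after a single wrong PIN, a biometric time-out, and the master password again after a restart), modelled as an added Python example that is not Enpass code; the `UnlockPolicy` and `Vault` names, the plain-text master password and the integer boot counter standing in for a device restart are assumptions of the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class UnlockPolicy:                        # constructed model of the proposed rules, not Enpass code
    pin_digits: int = 3                    # short PIN, only ever used together with biometrics
    pin_attempts: int = 1                  # wrong PINs allowed before only the master password unlocks
    biometric_timeout_s: int = 24 * 3600   # master password required again after this long

    def attacker_success_probability(self) -> float:
        """Chance of guessing the PIN within the allowed attempts once biometrics are bypassed."""
        return self.pin_attempts / 10 ** self.pin_digits

@dataclass
class Vault:
    policy: UnlockPolicy
    master_password: str                   # hypothetical plain secret; a real app stores a verifier
    pin: str
    boot_id: int = 0                       # stand-in for the device boot session; bumps on restart
    master_entered_at: Optional[float] = None  # when the master password was last typed
    master_boot_id: Optional[int] = None       # boot session during which it was typed
    pin_failures: int = 0

    def reboot(self) -> None:
        self.boot_id += 1                  # a restart invalidates quick unlock until the master password is typed

    def unlock_with_master(self, password: str, now: float) -> bool:
        if not hmac.compare_digest(password.encode(), self.master_password.encode()):
            return False
        self.master_entered_at, self.master_boot_id = now, self.boot_id
        self.pin_failures = 0
        return True

    def quick_unlock_allowed(self, now: float) -> bool:
        """Biometric + PIN is offered only within the timeout, in the same boot, before lockout."""
        return (self.master_entered_at is not None
                and self.master_boot_id == self.boot_id
                and now - self.master_entered_at < self.policy.biometric_timeout_s
                and self.pin_failures < self.policy.pin_attempts)

    def quick_unlock(self, biometric_ok: bool, pin: str, now: float) -> str:
        """Returns 'unlocked', 'denied' (another try allowed) or 'master_required'."""
        if not self.quick_unlock_allowed(now):
            return "master_required"
        if biometric_ok and hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.pin_failures = 0
            return "unlocked"
        self.pin_failures += 1                 # a failed try counts even if only the biometric failed
        return "master_required" if self.pin_failures >= self.policy.pin_attempts else "denied"
```

With the defaults from post 2 (three digits, one attempt) an attacker who already defeated the biometric step gets exactly one 1-in-1000 guess before the master password is demanded.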