Enpass Discussion Forum
Showing results for tags 'security'.
  1. Hi there, I'm a long-time user, and generally a big fan of Enpass across my devices. I recently updated the certificate on my WebDAV instance and hit sync on my devices, and no notification was given on this change. Given the nature of Enpass, I believe at minimum a notification should come up advising that the certificate has changed and requesting a confirmation of trust. Some sort of certificate pinning solution would also work. I use Let's Encrypt, so this would be inconvenient to me (given it updates every 3 months or so); however, I feel the security/convenience trade-off is fine. Thanks
  2. Hi, I would like to propose the following feature: As a security-conscious user who also values convenience, I would like to be able to unlock the app again using Touch ID for N minutes after unlocking it with my passcode. This way I would achieve the following goals: Enpass would never be left fully unlocked (i.e. changing into the app via multitasking, activity or tapping the icon should never lead into an unlocked app); Enpass would still regularly require the full passphrase; Touch ID would be used as a convenient temporary unlock. Thereby, in my opinion, providing a good trade-off between convenience and security. Let's not forget: a fingerprint is a username, not a password.
  3. How can I remove my profile from this forum software? I have no intention of using Enpass, and I do not want to maintain an account here.
  4. Hello, here is a proposal to enhance security, mainly for cloud/WebDAV users but not only: The goal of 2FA is to have two different things to use for authentication (basically something we know, something we have, etc.). As such, I feel that storing 2FA and passwords in the same storage renders 2FA completely useless. Wouldn't it be better if it was possible to split passwords and 2FA data into different files in a different location? Or even having two different apps. I've given some thought about this and of course, I think any developer would agree this should be even in completely different applications. One could say we can use Google Authenticator or Microsoft Authenticator or another for this; however, these applications do not sync with cloud/WebDAV and can be only used on a single device, which I think is greatly ridiculous if you were to lose or break the device holding the application. And we can't have two instances of Enpass on every device either... This is just a proposal, but this would be a nice add. Thanks for listening
  5. Hi there, I started using Enpass and it's great, but I found some shortcomings here and there, so I'm willing to give feedback. 1. Copied data through the browser extension (Chrome extension) does not auto-clear as it does inside the Enpass main desktop application. 2. While generating a new password, there is one option only, i.e. "Fill and copy", and as I said in my first point, data doesn't get auto-cleared, so it's a problem, as you know the clipboard is not a safe place for sensitive data. I don't prefer copy-pasting data when we are dealing with sensitive data. Instead of this, there should be a "Fill only" option to inject the password directly without using the clipboard, and this will be more secure as compared to the current approach. Frankly speaking, I like the LastPass approach at this point. Data is filled without copying to the clipboard, and LastPass even eliminates the need to copy the old password manually while changing a password where you need to put in your old password (Enpass does need copying the old password manually while changing passwords on sites like Facebook which need the old password for changing, but that's acceptable to some degree; after all, it's an old password). This doesn't mean that I am here to promote LastPass; LastPass is not the most perfect itself. I even use Enpass over LastPass because I like Enpass more than that. But looking at the good in others is not a bad habit, as it helps us to improve. I am really hoping that these points will be considered in a future update. Thanks, have a nice day.
  6. Hi everyone, on Enpass 5.5.6 (Linux) I noticed that the password generator uses exactly the configured number of characters per type (i.e. digits, uppers, symbols) and I found no way to specify an "At least #" logic. For example, using the default configuration the 18-char password always has 3 digits, 5 uppers, 5 symbols (and 5 lowers, even if not stated), whereas I want it to have a minimum of 1 character per type, as required by most password policies out there. I would even deem this default configuration a security bug because by greatly reducing the cardinality of the password space you give an obstinate cracker a sensible advantage. Is there a way to enable the "At least #" logic? May we expect a more robust password generator in the upcoming release?
  7. I've just found Enpass and love it; it's a first-class app. One feature that I would find useful would be to remote wipe a device. Perhaps something could be stored in the shared file to force a wipe and block devices for extra security. Thanks Rich
  8. Hi, I recently found a file named data.xml in my Enpass directory. What is that for? And why the hell does it contain my email credentials in PLAINTEXT?
  9. Just wanted to get a hint on how everybody else is using Enpass and at the same time show my setup. I use a USB wristband for portability. I've got one layer of BitLocker (using AES-128 auto-unlock with TPM) and within that the walletx with its own AES-256. Instead of Enpass Portable I've got Enpass desktop installed on my three PCs pointing to a USB drive. That way I split up meta settings for Enpass in the registry and the vault on a removable drive. Also, when frequently synchronizing, the performance is better when executables that aren't secret reside on a local drive. I use cloud sync, so a local backup isn't necessary. I only mount the USB stick and vault when required, and never run Enpass in the background. Critical secrets like Google or Microsoft are not stored in the vault, only their TOTP.
  10. Hello, I have a suggestion for Enpass that increases the security of passwords and alerts the user when a website was hacked and a password change is recommended. The password manager 1Password has a feature called Watchtower. They have an internal database of security breaches (the site was hacked and user data was stolen) and check if the password of the specified website was changed after the breach. So they have two modification dates: one modification date of the password itself and one for the total entry. Example: The password entry for a page was last changed today, but the password itself was changed 2 years ago. When there was a breach for this website 6 months ago, then 1Password would alert the user and recommend a password change. For the password manager KeePass there was a new plugin released today, called HaveIBeenPwned. This plugin downloads the public breach lists from "Have I Been Pwned?" and from "Cloudbleed Checker". The website of the plugin is https://github.com/andrew-schofield/keepass2-haveibeenpwned Suggestion: I suggest that you also add such a feature in Enpass. In my opinion it is OK if you use the public lists (like the KeePass plugin). So add in the "Password Audit" two new entries for these services and check all password entries. It is up to you if you implement a separate modification date of the password. Regards OLLI
  11. I recently came across this article: Password managers: attacks and defenses -- FEBRUARY 6, 2017 found here: https://blog.acolyer.org/2017/02/06/password-managers-attacks-and-defenses/. It describes common password attacks on password managers, mostly surrounding "autofill." For example, "The evil coffee shop attacker," "Sweep attacks," "Injection," and so forth. It lists several password managers like the big browsers (Chrome, Safari, etc.), LastPass, 1Password, etc. It does not mention Enpass. I would like to know if these types of autofill security concerns have been investigated and addressed in Enpass. Thank you.
  12. Hi, I set up Enpass using WebDAV authentication, and that seems to work fine. However, I am currently trying to configure it for my iPhone as well, but this fails. On the iPhone, the Enpass app gives the error "Authorization failed" even with the correct URL, username and password. My server logs give the following details: Enpass on iPhone: [error] Digest: client used wrong authentication scheme `Basic': /webdav/enpass/ As you probably know, HTTP supports both Basic and Digest authentication. Basic is unencrypted, Digest uses a hash. So it seems that the macOS version does support both Basic and Digest authentication, but the iPhone version only Basic authentication. I will configure my server to allow Basic authentication. While Basic authentication does not encrypt passwords, it is fine, as long as HTTPS is used (if HTTP were used, the password would be sent in plain text on the Internet). Now I have three suggestions for improvement: 1. Support HTTP Digest WebDAV authentication on iOS. I assume all libraries support both (the Digest protocol was published in 1999, the Basic protocol is even older). 2. Only support the HTTPS protocol, not HTTP (in case that is not already the case). Alternatively, if you prefer to still support HTTP, ensure Digest encryption is used. 3. Let the user explicitly choose the authentication scheme: Digest, Basic, or Digest with Basic as fall-back.
  13. An interesting and important question that was already raised, but not yet answered, in another thread: Is Enpass' built-in password generator part of SQLCipher or otherwise (if yes, how so?) open source and therefore trustworthy? I currently feel no need to demand to make the whole application open source as long as the security-relevant parts are. But the password generator is one of these and therefore a reassuring answer would be nice. If it's not open source, what are the plans in that regard? If it is, I think you should advertise that on your website, too.
  14. I started using Enpass yesterday and so far I absolutely love it. Only one thing surprised me so far: when I lock the screen in Ubuntu 16.04 (CTRL + ALT + L), Enpass will stay unlocked. I find it impractical to lock Enpass separately. I'd like Enpass to lock itself when the system is locked. Or at least I'd like to have a setting for this. Thanks for consideration!
  15. I exported 500+ RoboForm entries to an HTML file. I imported them into Enpass. Security in Enpass is set to obscure passwords. Instead, they are all visible. True for Desktop, Win10, and Windows Phone 8.1.
  16. Just a thought I'd like to share. With the introduction of time-based OTP in Enpass, you are able to use your one-time passwords from within the Enpass client. While this saves time for browsing to another OTP client (such as Google Authenticator), it does decrease the level of security. One-time passwords are usually used as the second factor of two-factor authentication. In most cases, these two factors are 'something you know' (your password) and 'something you have' (your phone with the OTP app on it). With the integration of OTP in Enpass, these two separate factors become one as they are both 'something you know/have/stored in the Enpass database'. Have you considered this decreased level of security? I know using OTP in Enpass is optional and the chance of someone obtaining and cracking the SQL database is low, but still the principle of two-factor authentication is thrown out the window by storing both your password and OTP in one place.