Showing results for tags 'security'.
Found 26 results

  1. Hello, I am relatively new to Enpass. I noticed that after a reboot I can use the PIN to access my vault. How can this be secure? This means that the master password is stored locally in flash memory. This, and the fact that there has never been a security audit for iOS, really worries me. Can someone explain to me how this might possibly be secure? I have a feeling that the reason there is no security audit is that they know there is no way their application passes the audit.
  2. Hello, I have a suggestion for Enpass that increases the security of passwords and alerts the user when a website was hacked and a password change is recommended. The password manager 1Password has a feature called Watchtower. They have an internal database of security breaches (a database with information about hacked websites where user data was stolen). In this database they store the website and also the date of the breach. 1Password stores two modification dates for password entries:
    • modification date of the password
    • modification date of the entry
    1Password checks the password entries against this database. When a website was hacked after the password was changed in 1Password, then 1Password recommends changing the password. When the password was changed after the hack of the website, then users get no notification. So when the entry for a page was last changed today (e.g. some notes were added), but the password itself was changed 2 years ago, then users get a warning when the website was hacked 2 weeks ago. For the password manager KeePass there is a plugin available called HaveIBeenPwned. The plugin and the source code are available here: https://github.com/andrew-schofield/keepass2-haveibeenpwned This plugin downloads the public breach lists from "have i been pwned?" and from "Cloudbleed Checker". The plugin checks (on demand) your passwords against these lists. In KeePass there is no modification date of the password. To get the modification date of the password, the plugin checks the history of each entry and compares the passwords (to find out the modification date of the password). Suggestion: Please also add such a feature in Enpass in the Password Audits. In my opinion it is OK if you use the publicly available lists from "have i been pwned?" and from "Cloudbleed Checker" (like the KeePass plugin). This requires that you also store the "password modification date". When you import entries from KeePass, you should also determine the password modification date of the entry. In the KeePass XML the complete history is also exported. Regards OLLI
  3. Hello, KeePass offers in the options the feature "Enter master key on secure desktop". When this option is checked, the dialog for entering the master password is shown on a secure desktop. This should prevent keyloggers from stealing the master password. You can find details about this feature here: https://keepass.info/help/kb/sec_desk.html If you want to see a screenshot of this feature, just google "KeePass Secure Desktop" and you will find screenshots like this: (Source: https://img.raymond.cc/blog/wp-content/uploads/2016/02/secure-desktop.png) It would make Enpass more secure if you also used the Secure Desktop when entering the master password or the PIN to unlock Enpass. This protects Enpass so the master password cannot be stolen. I know that it is mostly the user's fault if there is a keylogger on the system, but it would be really helpful if Enpass were protected against keyloggers. Best regards OLLI
  4. I talked with a colleague about password managers and he suggested 1Password. On the website of 1Password I saw on the "Tour" page (https://1password.com/tour/) some features of 1Password. One feature is very interesting and increases security: they show which sites in your vault support TOTP but where the user has not set up TOTP. Here is a screenshot from the 1Password site: Suggestion: In Enpass, add the entry "Missing TOTP" in the section "Password Audit". Here you should show all password entries where TOTP is possible but not set up by the user. Here is a list of services that support TOTP: https://twofactorauth.org/ We had a doxxing scandal in Germany where a young guy published a lot of private information stolen from accounts of German politicians and German celebrities. This guy was able to steal the data because the accounts used very weak passwords (like 123456) and were not secured with TOTP. So this feature increases security a lot!
  5. I ran across an interesting article about some other well-known password managers out there, like 1Password, KeePass, Dashlane & LastPass. https://www.securityevaluators.com/casestudies/password-manager-hacking/ If that's too technical, read ZDNet's summary of this article: https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/ While I was pleased Enpass wasn't on the list, I suspect it might be due to a lack of significant market share compared to some of the other products. But I'm also very curious about the steps Enpass is taking to have independent third parties pen-test the product. EDIT: I should have looked harder, as Enpass was audited in November of 2018! Audit results: https://dl.enpass.io/docs/EnpassSecurityAssessmentReport.pdf Security-related documents: https://www.enpass.io/?s=security&post_type=kbe_knowledgebase Please do not misconstrue what's being said here! I moved to Enpass several years ago, from KeePass, which is mentioned in the article, and I am still very pleased with Enpass. So pleased that I have purchased it for family members and strongly urged friends & coworkers who do not have a password manager to give Enpass a shot. The number one issue I hear about these other services is where the data is stored, and Enpass provides a great solution for data management since it builds on other well-known, and mostly trusted, storage products like Google Drive, OneDrive, Dropbox etc. In any event, kudos to the Enpass team for the fantastic work they've been doing over the years, especially on v6.x. It's fantastic and I'm excited about what's next!
  6. Dear Developer, Enpass is a very good app, but I miss some features like device administrator, for protecting the app from being uninstalled by unauthorized persons or accidentally. Also, add favicons as soon as possible. And add a full UI changelog in the description of new updates on Google Play so we can check which areas of the UI you modified.
  7. Hello, I read in a computer magazine that there is a new browser extension for Google Chrome called Password Checkup https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno When I sign into websites, this extension checks if the password that I have entered is pwned. Then a message box is shown telling me if the password was pwned (message box is red) or if my password is still safe (message box is green). I think it would be useful if Enpass also checked passwords at login. But you should only show a message when the password was pwned. Best regards OLLI
  8. Hello, I have a suggestion for Enpass that increases the security of passwords and alerts the user when a website was hacked and a password change is recommended. The password manager 1Password has a feature called Watchtower. They have an internal database of security breaches (the site was hacked and user data was stolen) and check if the password of the specified website was changed after the breach. So they have two modification dates: one modification date of the password itself and one for the whole entry. Example: The password entry for a page was last changed today, but the password itself was changed 2 years ago. When there was a breach for this website 6 months ago, then 1Password would alert the user and recommend a password change. For the password manager KeePass there was a new plugin released today, called HaveIBeenPwned. This plugin downloads the public breach lists from "have i been pwned?" and from "Cloudbleed Checker". The website of the plugin is https://github.com/andrew-schofield/keepass2-haveibeenpwned Suggestion: I suggest that you also add such a feature in Enpass. In my opinion it is OK if you use the public lists (like the KeePass plugin). So add in the "Password Audit" two new entries for these services and check all password entries. It is up to you if you implement a separate modification date of the password. Regards OLLI
  9. Can we integrate the PC/desktop app to use Windows Hello as a login option, just as the iPhone app uses Touch ID/Face ID? I have a laptop, an iPhone, and a Microsoft Surface tablet, and it would be great if the user experience could be similar across all platforms. This request has been worked on since last year, and I am surprised that the MS Store version of Enpass is NOT updated to use the Windows Hello feature, since they promised to include this functionality in a newer version of the app! Here's the link:
  10. I've been using Enpass for a while now and I'm well satisfied with it as my first password manager. An aspect that concerns me the most, though, is the lack of protection against a master password sniffing attack or leak. Basically, as I understand it, if you have the master password you can decrypt the database and take all the passwords, easily, without a second factor of authentication or something similar to stop it. And since you need to manually enter the master password every time you want to unlock Enpass, this makes the job easy for a keylogger, a zero-day virus, or even a random security camera watching the screen of your smartphone. Even if you have enabled the PIN option, you still need to enter the master password at least once a day. To remedy this, many password managers such as 1Password use a secondary password called Secret password, created locally by the password manager itself, that you never need to type. I don't really know how it works since I have never used it, but I got a similar idea: would it be possible to use the PIN only to unlock Enpass (the application itself), and leave the master password to encrypt the database? So, even if the PIN gets sniffed, it could be used only on that same device / Enpass instance, by letting only Enpass itself handle the master password internally. It's only a concept obviously, but it would be nice to have an extra layer of protection. Also, I noticed that the auto-fill uses by default the "username" and "password" fields to fill all the login screens, even those that ask you for your "email" and "password". It would also be nice if you could choose which field to use for auto-filling the requested data, or make Enpass automatically recognize which field to use by reading the web page or app window.
  11. Hi there, I'm a long-time user, and generally a big fan of Enpass across my devices. I recently updated the certificate on my WebDAV instance and hit sync on my devices, and no notification was given about this change. Given the nature of Enpass, I believe at minimum a notification should come up advising that the certificate has changed and requesting a confirmation of trust. Some sort of certificate pinning solution would also work. I use Let's Encrypt, so this would be inconvenient for me (given it renews every 3 months or so); however, I feel the security/convenience trade-off is fine. Thanks
  12. Hi, I would like to propose the following feature: As a security-conscious user who also values convenience, I would like to be able to, for N minutes after unlocking the app with my passcode, unlock the app again using Touch ID. This way I would achieve the following goals:
    • Enpass would never be left fully unlocked (i.e. switching into the app via multitasking, activity or tapping the icon should never lead into an unlocked app)
    • Enpass would still regularly require the full passphrase
    • Touch ID would be used as a convenient temporary unlock
    Thereby, in my opinion, providing a good trade-off between convenience and security. Let's not forget: a fingerprint is a username, not a password.
  13. How can I remove my profile from this forum software? I have no intention of using Enpass, and I do not want to maintain an account here.
  14. Hello Enpass team, happy new year to you! I'm a very happy user of Enpass and its perfect usability. But for some weeks I've been frightened about the usage of password managers because of the released information regarding Meltdown and Spectre (CVE-2017-575, CVE-2017-5715 and CVE-2017-5753). Especially Meltdown can lead to a dump of the memory of applications like password managers, which are one of the most valuable targets! I know that microcode workarounds for CPUs and OS bug fixes are on the way, but I want to ensure that you have implemented Enpass in a way that minimizes the possibility of extracting our passwords via such vulnerabilities. Can you please give us some information on how you protect our data against such issues? For example: When do you decrypt the passwords and store them in RAM? When the user unlocks Enpass, or when the user requests one specific password? Do you always decrypt all passwords or only the one which is requested? I know you use SQLCipher as the backend. Does this mean that the whole database is always decrypted after unlocking Enpass? Please let us know some details. This is very important, especially as long as no audit of Enpass exists. Thanks in advance for your detailed explanation, wachschaf
  15. Hello, here is a proposal to enhance security, mainly for cloud/WebDAV users but not only: The goal of 2FA is to have two different things to use for authentication (basically something we know, something we have, etc.). As such, I feel that storing 2FA and passwords in the same storage renders 2FA completely useless. Wouldn't it be better if it were possible to split passwords and 2FA data into different files in a different location? Or even to have two different apps. I've given some thought to this and of course, I think any developer would agree this should even be in completely different applications. One could say we can use Google Authenticator or Microsoft Authenticator or another for this; however, these applications do not sync with cloud/WebDAV and can only be used on a single device, which I think is greatly ridiculous if you were to lose or break the device holding the application. And we can't have two instances of Enpass on every device either... This is just a proposal, but it would be a nice addition. Thanks for listening
  16. I've just found Enpass and love it; it's a first-class app. One feature that I would find useful would be to remotely wipe a device. Perhaps something could be stored in the shared file to force a wipe and block devices for extra security. Thanks Rich
  17. Hi there, I started using Enpass and it's great, but I found some shortcomings here and there, so I'm willing to give feedback. 1. Data copied through the browser extension (Chrome extension) does not auto-clear as it does inside the Enpass main desktop application. 2. While generating a new password, there is only one option, i.e. "Fill and copy", and as I said in my first point, the data doesn't get auto-cleared, so it's a problem, as you know the clipboard is not a safe place for sensitive data. I don't prefer copy-pasting data when we are dealing with sensitive data. Instead of this, there should be a "Fill only" option to inject the password directly without using the clipboard, and this would be more secure compared to the current approach. Frankly speaking, I like the LastPass approach on this point. Data is filled without copying to the clipboard, and LastPass even eliminates the need to copy the old password manually while changing a password where you need to enter your old password (Enpass does need copying the old password manually while changing passwords on sites like Facebook which need the old password for changing, but that's acceptable to some degree; after all, it's an old password). This doesn't mean that I am here to promote LastPass; LastPass is not the most perfect itself. I even use Enpass over LastPass because I like Enpass more than that. But looking at the good points of others is not a bad habit, as it helps us to improve. I'm really hoping that these points will be considered in a future update. Thanks, have a nice day.
  18. Hi everyone, on Enpass 5.5.6 (Linux) I noticed that the password generator uses exactly the configured number of characters per type (i.e. digits, uppers, symbols), and I found no way to specify an "At least #" logic. For example, using the default configuration, the 18-char password always has 3 digits, 5 uppers, 5 symbols (and 5 lowers, even if not stated), whereas I want it to have a minimum of 1 character per type, as required by most password policies out there. I would even deem this default configuration a security bug, because by greatly reducing the cardinality of the password space you give an obstinate cracker a sensible advantage. Is there a way to enable the "At least #" logic? May we expect a more robust password generator in the upcoming release?
  19. Hi, I recently found a file named data.xml in my Enpass directory. What is that for? And why the hell does it contain my email credentials in PLAINTEXT?
  20. Just wanted to get a hint on how everybody else is using Enpass and at the same time show my setup. I use a USB wristband for portability. I've got one layer of BitLocker (AES-128, auto-unlock with TPM) and within that the walletx with its own AES-256. Instead of Enpass Portable I've got Enpass desktop installed on my three PCs pointing to a USB drive. That way I split up the meta settings for Enpass in the registry and the vault on a removable drive. Also, when frequently synchronizing, the performance is better when executables that aren't secret reside on a local drive. I use cloud sync, so a local backup isn't necessary. I only mount the USB stick and vault when required, and never run Enpass in the background. Critical secrets like Google or Microsoft are not stored in the vault, only their TOTP.
  21. An interesting and important question that was already raised, but not yet answered, in another thread: Is Enpass' built-in password generator part of SQLCipher or otherwise (if yes, how so?) open source and therefore trustworthy? I currently feel no need to demand that the whole application be made open source as long as the security-relevant parts are. But the password generator is one of these, and therefore a reassuring answer would be nice. If it's not open source, what are the plans in that regard? If it is, I think you should advertise that on your website, too.
  22. I recently came across this article: Password managers: attacks and defenses -- FEBRUARY 6, 2017, found here: https://blog.acolyer.org/2017/02/06/password-managers-attacks-and-defenses/. It describes common attacks on password managers, mostly surrounding "autofill": for example, "The evil coffee shop attacker," "Sweep attacks," "Injection," and so forth. It lists several password managers like the big browsers (Chrome, Safari, etc.), LastPass, 1Password, etc. It does not mention Enpass. I would like to know if these types of autofill security concerns have been investigated and addressed in Enpass. Thank you.
  23. Just a thought I'd like to share. With the introduction of time-based OTP in Enpass, you are able to use your one-time passwords from within the Enpass client. While this saves time compared to switching to another OTP client (such as Google Authenticator), it does decrease the level of security. One-time passwords are usually used as the second factor of two-factor authentication. In most cases, these two factors are 'something you know' (your password) and 'something you have' (your phone with the OTP app on it). With the integration of OTP in Enpass, these two separate factors become one, as they are both 'something you know/have/stored in the Enpass database'. Have you considered this decreased level of security? I know using OTP in Enpass is optional and the chance of someone obtaining and cracking the SQL database is low, but still, the principle of two-factor authentication is thrown out the window by storing both your password and OTP in one place.
  24. Hi, I set up Enpass using WebDAV authentication, and that seems to work fine. However, I am currently trying to configure it for my iPhone as well, but this fails. On the iPhone, the Enpass app gives the error "Authorization failed" even with the correct URL, username and password. My server logs give the following details for Enpass on iPhone: [error] Digest: client used wrong authentication scheme `Basic': /webdav/enpass/ As you probably know, HTTP supports both Basic and Digest authentication. Basic is unencrypted, Digest uses a hash. So it seems that the macOS version does support both Basic and Digest authentication, but the iPhone version only Basic authentication. I will configure my server to allow Basic authentication. While Basic authentication does not encrypt passwords, it is fine as long as HTTPS is used (if HTTP were used, the password would be sent in plain text over the Internet). Now I have three suggestions for improvement:
    • Support HTTP Digest WebDAV authentication on iOS. I assume all libraries support both (the Digest protocol was published in 1999, the Basic protocol is even older).
    • Only support the HTTPS protocol, not HTTP (in case that is not already the case). Alternatively, if you prefer to still support HTTP, ensure Digest encryption is used.
    • Let the user explicitly choose the authentication scheme: Digest, Basic, or Digest with Basic as fall-back.
  25. I started using Enpass yesterday and so far I absolutely love it. Only one thing has surprised me so far: when I lock the screen in Ubuntu 16.04 (CTRL + ALT + L), Enpass stays unlocked. I find it impractical to lock Enpass separately. I'd like Enpass to lock itself when the system is locked, or at least I'd like to have a setting for this. Thanks for your consideration!