Jerry Chadwick

Password Managers: Potential Threats

3 posts in this topic

I recently came across this article: Password managers: attacks and defenses -- FEBRUARY 6, 2017 found here:

It describes common password attacks on password managers, mostly surrounding "autofill." For example, "The evil coffee shop attacker," "Sweep attacks," "Injection," and so forth. It lists several password managers like the big browsers (Chrome, Safari, etc.), LastPass, 1Password, etc. It does not mention Enpass.

I would like to know if these types of autofill security concerns have been investigated and addressed in Enpass.

Thank you.


I am just starting to use Enpass, but from the article and 1Password comments, I think that if you disable autosubmit login that would prevent sweep attacks.


Hi All, 

I would like to share that Enpass is not affected by any of these attacks because Enpass never autofills in a website without your manual input to do so.

This is what happens when you try to autofill using Enpass:

  • When a page loads: Enpass does not execute its script (it only attaches it) when a webpage is loaded, except when the URL is launched from the Enpass app itself.
  • Once the page is loaded: You need to click on the extension icon or press the shortcut key, after which Enpass will show you the list of items for the matching hostname/domain.
  • Autofilling: Enpass fills only the selected entry and auto-submits if auto-submission is enabled. If you have a single matching item for that domain and the shortcut key is pressed, Enpass fills that item without showing the chooser window, but again it was you who autofilled by shortcut.

Hope this helps!

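The fill flow described in the last post can be modelled as a small decision function. This is an added example, not part of the thread and not Enpass code: the names `VAULT`, `matchingItems`, `decideFill` and `simulateSweep` are hypothetical, the vault entries are constructed, the subdomain-matching rule is an assumption, and the "URL launched from the app" case is not modelled.

```javascript
// Hypothetical model of a gesture-gated fill policy; not Enpass source code.
// Constructed sample vault: each item is bound to the host it was saved for.
const VAULT = [
  { id: 1, host: "mail.example.com", user: "alice" },
  { id: 2, host: "bank.example.net", user: "alice-bank" },
  { id: 3, host: "bank.example.net", user: "joint-account" },
];

// Exact hostname match, or the page is a subdomain of the saved host.
// Assumption: real products also consult the Public Suffix List here.
function matchingItems(pageUrl, vault = VAULT) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  return vault.filter((i) => host === i.host || host.endsWith("." + i.host));
}

// event.type: "page-load" | "icon-click" | "shortcut"
// event.chosenId: id of the item the user picked in the chooser, if any
function decideFill(event, opts = { autoSubmit: false }) {
  if (event.type === "page-load") {
    // The script is attached to the page but never fills on its own.
    return { action: "none", reason: "no user gesture" };
  }
  const items = matchingItems(event.url);
  if (items.length === 0) return { action: "none", reason: "no matching item" };
  if (event.chosenId !== undefined) {
    // Fill only the entry the user selected, and only if it matches this host.
    const item = items.find((i) => i.id === event.chosenId);
    return item
      ? { action: "fill", item, submit: opts.autoSubmit }
      : { action: "none", reason: "chosen item does not match this host" };
  }
  if (event.type === "shortcut" && items.length === 1) {
    // Single match plus shortcut: fill without showing the chooser.
    return { action: "fill", item: items[0], submit: opts.autoSubmit };
  }
  return { action: "choose", items };
}

// Constructed sweep scenario: many login pages are loaded (for example in
// hidden frames on a hostile network) with no user interaction at all.
function simulateSweep(urls) {
  return urls.map((url) => decideFill({ type: "page-load", url }).action);
}
```

Because every fill path requires a gesture event, the page-load events that a sweep relies on never release a credential, whatever the auto-submit setting is.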
