Password Managers: Potential Threats

[Jerry Chadwick]

I recently came across this article: Password managers: attacks and defenses -- FEBRUARY 6, 2017 found here: https://blog.acolyer.org/2017/02/06/password-managers-attacks-and-defenses/.

It describes common password attacks on password managers, mostly surrounding "autofill."  For example, "The evil coffee shop attacker," "Sweep attacks," "Injection," and so forth.  It lists several password managers like the big browsers (Chrome, Safari, etc.), Lastpass, 1Password, etc. It does not mention enpass.

I would like to know if these types of autofill security concerns have been investigated and addressed in enpass.

Thank you.

[gmaddry]

I am just starting to use Enpass but from the article and 1password comments, I think that if you disable autosubmit login that would prevent sweep attacks.

[Guest Vikram Dabas]

Hi All, 

I would like to share that Enpass is not affected by any of these attacks because Enpass never autofills in a website without your manual input to do so.

This is what happens when your try to autofill using Enpass:

• When a page loads: Enpass does not execute (only attaches) its script when a webpage is loaded except in the case when URL is launched from Enpass app itself.
   
• Once the page is loaded: You need to click on extension icon or press the shortcut key for which Enpass will show you the list of items for matching hostname/domain.
   
• Autofilling:  Enpass fills only for selected entry and auto-submits if auto-submission is enabled. In case, you have a single matching item for that domain and the shortcut key is pressed, Enpass fills that item without showing the chooser window but again it was you who auto filled by shortcut.

Hope this helps!