Enpass Discussion Forum

BUG: Password Audit > Identical has a lot of inaccuracies



Beta 6.4.2 (667)

I was poking around in Password Audit > Identical today and have run into a handful of issues:

1) If you're in All Vaults, the sidebar shows a count of "identical" passwords, but when you click on that category to view them, it's empty — the only way to see a list of identical passwords is to choose a particular vault first.

2) The count is inaccurate — in my primary vault, the sidebar shows 22 items, but only 12 appear in the list.

3) Many of the items shown as identical are not identical — some of them are similar (the first 16 characters are the same, but the last several characters are customized per site)...

4) ...but those first 16 characters are the same in several of my passwords, so if bug #3 is because the app is (for some reason) only looking at the first XX characters in order to call them "identical," why did it only find 2 "matches"?

5) Of the 12 items shown, 2 of them are grouped all by themselves — listed as matching, but there are no matches.

(And just to head off at the pass anyone who might want to admonish me for using passwords that have 16 characters in common, I have lots of entropy after those 16, and I'm in the process of randomizing all my passwords, but that takes time.)


Hey @100 Watt Walrus

Sorry for the trouble you are going through, and thank you so much for explaining the scenario in detail.

On 6/28/2020 at 10:04 AM, 100 Watt Walrus said:

1) If you're in All Vaults, the sidebar shows a count of "identical" passwords, but when you click on that category to view them, it's empty — the only way to see a list of identical passwords is to choose a particular vault first.

2) The count is inaccurate — in my primary vault, the sidebar shows 22 items, but only 12 appear in the list

To check further on this issue, we want a little input from your side, so please let us know:

  • Total number of vaults and which cloud services you are using to sync the data?
  • Number of identical items showing in each vault?

On 6/28/2020 at 10:04 AM, 100 Watt Walrus said:

3) Many of the items shown as identical are not identical — some of them are similar (the first 16 characters are the same, but the last several characters are customized per site)...

4) ...but those first 16 characters are the same in several of my passwords, so if bug #3 is because the app is (for some reason) only looking at the first XX characters in order to call them "identical," why did it only find 2 "matches"?

5) Of the 12 items shown, 2 of them are grouped all by themselves — listed as matching, but there are no matches.

(And just to head off at the pass anyone who might want to admonish me for using passwords that have 16 characters in common, I have lots of entropy after those 16, and I'm in the process of randomizing all my passwords, but that takes time.)

 
One of the possible reasons might be that these items (which you have mentioned) have more than one password field. To investigate further on this issue, can you please open these three items one by one in edit mode and check if they have more than two password fields? Or please click on "Show Webform" for each item on the info page and check if there is any password field having a similar password.
 
Thanks for your co-operation.

Hi Garima. Here's the details you're looking for:

Five vaults — 3 on separate Google Drive accounts, 1 Dropbox, 1 Box.

My primary vault — where the sidebar shows 22 but the list is only 12 — is one of the Google Drive accounts.

None of these records have more than one password field. Each of them does have additional sensitive fields, but those are not Field Type = Password (one is Text and one is Multiline).

Also, none of them have webforms. I've never used them. I don't even know where to find that feature.

FYI, I created my own simplified templates and always use one of those for every new Item (it's impossible to choose my own default template, so I have Ask to Save New Logins turned off)...

...but actually, I don't even use the templates because it's faster to just keep empty Items made from those templates at the top of the alphabet in each vault, and just duplicate them whenever I need a new item. (CMD+D, and just start typing — that's a lot faster than having to click +, then click a category, then click a template). Screenshot below for clarification.

100WattWalrus's non-template template.png

  • 2 months later...

Hi @Pratyush Sharma,

Most of the issues seem to be fixed, except for 

On 6/27/2020 at 9:34 PM, 100 Watt Walrus said:

3) Many of the items shown as identical are not identical — some of them are similar (the first 16 characters are the same, but the last several characters are customized per site)

For example, All Vaults > Identical currently has a count of 52 (accurate), the biggest group of which is 19 supposedly "identical" passwords — but in fact, while all 19 passwords in this group begin with the same 8 characters, most of them have different additional characters. These 19 shown all together should actually be split into 5 different sets of identical passwords:

  • 3 of them are identical to each other, and consist of just those 8 characters (the unlock code on devices with a shared user account)
  • 2 of them are identical to each other, but not to the other 17
  • Another 2 are identical to each other, but not to the other 17
  • 9 of them are identical to each other, but not to the other 10
  • 3 of them are identical to each other, but not to the other 16

So it looks like Enpass may not be comparing the entire password before calling them "identical."

That's not necessarily a bad thing in terms of the end goal (totally unique passwords for every account, not variations on a theme), but it is inaccurate, exposes the shortcomings of Enpass's "identical" tool, and potentially misleads the user into thinking they have more matching passwords than they really do.
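
An added illustration (not part of the original posts, and not Enpass's code) of the difference described in the last post: grouping on the whole password versus grouping on a leading prefix. The `prefix_len` mode only models the poster's hypothesis; every name and sample value here is constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

AUDIT_KEY = os.urandom(32)  # per-run key so digests are useless outside this audit


def fingerprint(password, prefix_len=None):
    """Keyed digest of the password; prefix_len models a truncated comparison."""
    material = password if prefix_len is None else password[:prefix_len]
    return hmac.new(AUDIT_KEY, material.encode("utf-8"), hashlib.sha256).digest()


def identical_groups(items, prefix_len=None):
    """Group (item_name, password) pairs; keep only groups with 2+ members."""
    buckets = defaultdict(list)
    for name, password in items:
        if password:  # empty fields are not "identical" to each other
            buckets[fingerprint(password, prefix_len)].append(name)
    # A group of one has no match, so it never reaches the list view.
    groups = [sorted(names) for names in buckets.values() if len(names) > 1]
    return sorted(groups, key=lambda g: (-len(g), g))


def audit_count(groups):
    """Sidebar count derived from the same groups the list view renders."""
    return sum(len(g) for g in groups)


def build_sample():
    """Constructed vault: 19 items sharing an 8-character prefix, as in the post."""
    base = "Zq7!mv2K"  # constructed value, not a real credential
    suffixes = [("", 3), ("-a1", 2), ("-b2", 2), ("-c3", 9), ("-d4", 3)]
    items = []
    for suffix, count in suffixes:
        for i in range(count):
            items.append((f"item{suffix or '-bare'}-{i}", base + suffix))
    items.append(("unique-site", "Xy9#unrelated"))  # must never be listed
    return items
```

With the constructed sample, full comparison yields five groups (9, 3, 3, 2, 2) while `prefix_len=8` collapses them into one group of 19; in both modes the count comes from the same groups as the list, so the two cannot disagree.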