on phone, create an option to always use PIN even on startup

[Peter Wang]

Hi I'm a new user, I found out from this post while trying to figure out why my app always asks for master password when I have setup a PIN for it. Below is a quote I found from the post:

Quote

After setting PIN, Enpass asks for master password if the App has been freshly started

Now I realise this is a 'feature' but I think this 'feature' defeats the purpose of the pin due to the fact that I don't constantly keep the enpass app running so mostly of the time I don't get to use my pin. I setup a pin for convenience and I have a complex master password for security. Entering my master password with a little android phone keyboard is a pain.

Please create an option in setting -> security, something like "always use PIN" so some of us can choose to always use a PIN if there is one set.

 

Regards,

Peter W

[Michael]

That sounds like a security risk because it gives your pin the same access level as the master password. -- Why not make your master password the pin. 

Edited June 20, 2016 by Michael

[Peter Wang]

On 20/06/2016 at 3:51 AM, Michael said:

That sounds like a security risk because it gives your pin the same access level as the master password. -- Why not make your master password the pin. 

The pin is supposed to have the same access level as the master password. This is the practice for even some internet banking app. Ultimately a pin is a security <-> convenience trade-off. And therefore the user should have a choice in the options to use the pin as master password replacement for mobile app only. This should satisfy both parties.

As for making master password the pin... No! That's a real security risk.

[Michael]

Quote

The pin is supposed to have the same access level as the master password.
As for making master password the pin... No! That's a real security risk.

Your two statements seem contradictory to me. If the pin code is supposed to have the same access as the master password, how is making your master password the pin any less secure than having a pin in the first place?

You're essentially saying "I want two passwords to unlock Enpass, a secure one and a less secure one." Having two passwords doesn't make the app any more secure than using only the less secure one.

Edited July 8, 2016 by Michael

[Peter Wang]

On 08/07/2016 at 3:51 AM, Michael said:

Your two statements seem contradictory to me. If the pin code is supposed to have the same access as the master password, how is making your master password the pin any less secure than having a pin in the first place?

On 08/07/2016 at 3:51 AM, Michael said:

You're essentially saying "I want two passwords to unlock Enpass, a secure one and a less secure one." Having two passwords doesn't make the app any more secure than using only the less secure one.

Because the master password is also used on a desktop. when I'm using desktop I don't mind typing in the longer, more protective password because I have a keyboard. While on my mobile device, I do wish to set a pin which is equivalent to my master password for the sake of convenience. 

So from what you are trying to say, yes, it will be easier to compromise enpass on my phone with a shorter pin, however, that's a personal choice to make, and you will have to steal my phone, crack my phone lockscreen before I remote wipe my phone, and then guess my pin for enpass before accessing my password library.

I don't believe this is a new practice that you have never heard before, a few banking apps that I'm aware of in Australia and New Zealand (which is where I am) are also using this practice on their app.

Edited July 19, 2016 by Peter Wang

[Michael]

I understand now. I was thinking the pin would also work on the desktop app for some reason.