Fadi
Posted May 26, 2022 (edited)

I have been using Enpass for the past several months, and I even got to know about the Enpass key file to enhance vault security, but there are still a few concerns which I am about to share.

1: For security, new users do not know about the Enpass key, and once a new user has created a primary vault it is almost not possible for them to move to another vault and keep the primary vault without the Enpass key. There is no option to set or change the default primary vault if I want to.

2: Even if you have created the primary vault with an Enpass key, it can be hacked very easily. The Enpass database and keyfile are located on the same system. Once a hacker gets into your PC using a RAT, which is a very common scenario, they can access all your files on the drive, and using a keylogger they can capture your password for Enpass. So when a hacker has access to a PC, having an Enpass keyfile does not make it secure. I am a security researcher and I know what I am talking about. Nowadays malware has become so intelligent that it can be asked to find a specific file on that computer or even on that network, and once it finds a file matching the name of the extension, it can be uploaded to the hacker's server.

Having 2FA on Authy or Google Authenticator, or whichever you use, is a much more reliable way to add an extra layer of security to your Enpass vault. Why don't we put 2FA by default on the primary vault? Even if it is protected by a key file, on a new device the vault must ask for a 2FA code? It can be implemented, and the user gets to choose whether they want keyfile and 2FA both activated, or only keyfile, or only 2FA.

I have tested scenario (2) explained above using my personal computers and I was able to access it very easily. It is my humble request to add this 2FA, including keyfile, to make Enpass more secure. A single keyfile and a password are not enough to secure it.

Even if we keep the keyfile on a USB drive, our vault needs it, and when we connect our USB to that PC for vault unlocking it can be accessed by hackers like all other normal drives. Also, please add a feature to change the primary vault if someone creates a new vault with a keyfile, or however, there must be an option to change the primary vault. I hope I am not missing anything and was able to explain it clearly, but if I am missing something please do let me know.

Edited May 26, 2022 by Fadi