Enpass vs. lastpass hack

[spinedoc777]

I've been a happy user of Enpass for years now, but this lastpass debacle has me concerned.  My main concern is how Enpass handles the type of user information which lastpass apparently did not encrypt, info like website URLs and other metadata, although I'm not clear if that metadata was part of their vault or just information lastpass had in dealing with customers. I'd like to learn more about how Enpass hands off the password vault to a cloud provider and any inherent risks with that.

This would seem like a very valuable discussion with your customers to feel at ease using Enpass going forward.

Edit: So from what I've been reading, it looks like part of the UNENCRYPTED data compromised was the URL site of each password entry (and possibly other site entry information)!  So i definitely have this question for Enpass, how is this information handled, is it also encrypted along with passwords and not stored anywhere else but inside the password vault?

Edited December 26, 2022 by spinedoc777

[Discordant]

Your answer is on the security page of Enpass’ website (in the FAQ):

https://www.enpass.io/security/

Your cloud always contains a copy of same encrypted data as on your device. We download the whole encrypted copy and decrypt it locally on your device for real sync operation to merge changes. Afterwards we upload the encrypted data on cloud. In a nutshell, your cloud is only a storage medium and no security related operation ( encryption or decryption ) is actually performed there. All such operations are performed locally on your device.
 

 

 

[Mohit Thapa]

@spinedoc777 @Discordant Thank you for taking the time to write this post and for being part of the Enpass Password manager family. Furthermore, an Enpass vault is a SQLCipher database, which is a 100% encrypted blob. It includes all sensitive information and the metadata. Please refer this link for more information.