Please re-enable clear text sharing

[ik8sqi]

A recent change in the MacOS and iOS app now makes impossible to share items unless they are encrypted with a pre-shared key. This means that now we can only share passwords with other users who are using Enpass. If they are using other password managers as is usually the case we can't share items with them anymore. A common scenario is the sharing of an account to another coworker via Signal - we do that often since Signal is encrypted and super-secure. But no... now we can't do that anymore as we can't share the clear-text version of the account anymore. And no - I can't just copy/paste the password as there's often multiple entries and notes that go along with the login - see screenshot. It's a pain to copy/paste them all. Why in the world are you forcing me to do that???

This option needs to be user-selectable. Whoever came up with the stupid idea of making this option not changeable needs to realize we don't live in a world where everyone uses Enpass. Do you think we are all so dumb and ignorant we can't decide for ourselves? It's my choice to decide if I need to transfer the items encrypted or in clear text over another secure transport such as Signal. It's not your choice to make.

Please allow us to decide if we need to encrypt the data when sharing.

[Abhishek Dewan]

Hi @ik8sqi

We have received your query on support@enpass.io and have responded to the same. To avoid duplication of efforts and confusion, we request you to please revert to the same. We appreciate your understanding in this case.

[JFS]

Hello,

I have the same problem witch sharing. And I can remember that it worked before also without PSK.
Why do you come to so problematic a decisions?

And in which menuitem can I find the generated PSKs for my teammember?

best

Edited August 1, 2023 by JFS

[Abhishek Dewan]

Hi @JFS

To securely share individual Items, you must first create a secret password — called a pre-shared key (PSK) — known only to you, and provided to your recipients so they can unlock the encrypted Item when they receive it. Importing a shared Item requires the recipient to provide this PSK. To learn more about sharing Individual Items in Enpass, please refer to the below links -

1. Sharing individual Items with other Enpass users

2. Adding individual Items shared by other Enpass users

 

[ik8sqi]

1 hour ago, JFS said:

Hello,

I have the same problem witch sharing. And I can remember that it worked before also without PSK.
Why do you come to so problematic a decisions?

Yes, it worked before. For iOS unfortunately there's nothing we can do until they realize that was an obtuse decision and release a new version that allows the sharing without enforcing the PSK. But for the desktop version, if you email them privately they will give you the previous version.

Please note that the first time I asked for the previous MacOS version without the PSK enforcement, for some unknown reason they opted to give me a VERY old version -  v5.6.11 (maybe the reply was sent by the same person who decided that enforcing PSK was a good idea...?). When I complained and asked for the latest version before that senseless upgrade (v6.8.6 enforces PSK), they eventually gave me the link to download the v6.8.5 installer. I had the MacOS app store version, so I needed their non-app store in order to downgrade.

 

[ik8sqi]

On 6/16/2023 at 6:43 AM, Abhishek Dewan said:

Hi @ik8sqi

We have received your query on support@enpass.io and have responded to the same. To avoid duplication of efforts and confusion, we request you to please revert to the same. We appreciate your understanding in this case.

I am stuck using the older v6.8.5 that does not enforce using the PSK to share items. I see you've released v6.9.0 but in the release notes there is no mention of removing that senseless restriction. Are you going to remove it on a following release, or do we need to look for a different password manager since remaining on an older version is not going to be feasible long-term?

[Abhishek Dewan]

Hi @ik8sqi

We appreciate your feedback, and we want you to know that we have duly noted it. However, at this time, we are unable to commit to any specific changes or actions. Your input is invaluable to us, and it maybe considered as we continue to improve our product. Thank you for taking the time to share your thoughts with us.

[AnakinCaesar]

Hello @Abhishek Dewan the sharing and adding methods you mentioned are NOT working for iOS, so sharing an entry is not possible anymore. Huge bummer - something critial which should get way more attention into fixing!

[Abhishek Dewan]

Hi @AnakinCaesar

To assist you better with the issue you are facing, kindly elaborate more on the concern and share the below details with me-

1. The version of the Enpass app and OS you are using.
2. A screenshot of any error occurring would be helpful.

[AnakinCaesar]

iOS 17.0.3 iPhone 14 Pro
Enpass 6.9.3 (776)

Issue: Sharing via Signal creates an unusable file which cant be opened in any way. Sharing via WhatsApp gives all the text but no link to click and no possibility to just select the text what should be able to be added via "Add from clipboard" in Enpass menu. Sharing and then saving to "Files" creates an xxx.enpasscard which I can't open on my own devices, either via import "Add from clipboard" nor opening directly in Enpass. Always give "Invalid file" or "no valid data".

[Abhishek Dewan]

Hi @AnakinCaesar

Thank you for elaborating on the concern.

I'm discussing this case with our dedicated team and will get back to you soon with an update. Your patience and cooperation in the meantime are appreciated.

#SI-3519

[Abhishek Dewan]

Hi @AnakinCaesar

Upon a thorough discussion and investigation, we were able to reproduce the bug. Our development team is now working on fixing it as a priority, and a patch addressing this issue will be released soon. We appreciate your kind patience and cooperation in the interim.

[ik8sqi]

On 9/6/2023 at 6:51 AM, Abhishek Dewan said:

Hi @ik8sqi

We appreciate your feedback, and we want you to know that we have duly noted it. However, at this time, we are unable to commit to any specific changes or actions. Your input is invaluable to us, and it maybe considered as we continue to improve our product. Thank you for taking the time to share your thoughts with us.

I just noticed that when you do an "export", all the data is being exported in clear text. So why would you take away from us the ability to share an item in clear text and force us to encrypt it, making it impossible to share it with others unless they're also using enpass, while at the same time leaving *everything* in clear text when exporting it? It does not make sense.

This came up while I was getting ready to test the Secrets.app password manager. It's looking *very* promising. It can't copy the items to export in the clipboard as Enpass used to do, but it can at least export them in clear text individually. I've waited too long for this senseless restriction to be removed. Guess it's time to part ways with Enpass.

[Nervier]

On 9/6/2023 at 6:51 AM, Abhishek Dewan said:

Hi @ik8sqi

We appreciate your feedback, and we want you to know that we have duly noted it. However, at this time, we are unable to commit to any specific changes or actions. Your input is invaluable to us, and it maybe considered as we continue to improve our product. Thank you for taking the time to share your thoughts with us.

I too needed to share some of my accounts (they're generic - admin, webmaster, etc) with my coworkers, and just found out that I cannot because the MacOS and the iOS apps are now forcing me to encrypt them with a password. They're not using enpass, so now I can't share the information.... I thought I remember being able to do it in the past and just saw this thread that confirmed that I hadn't imagined it. What kind of stupid decision is this to remove the ability to share items unless they are password-protected? I'm sharing them with people I know via Signal, so they're secured already. And now I'm going to have top copy/paste each entry in wordpad (I have over a dozen, it's going to be a pain...) and then send them like that - (UNENCRYTPED). Why are you making me go thru all these steps when the app should simply allow me to export them unencrypted to begin with?? With the PSK you're requiring the other users to have Enpass as well, which is NOT the case.

Please re-enabled that setting again so we can remove the PSK. Whoever came up with this requirement needs to realize this idea makes no sense at all and should go back to things as they were before.

[Amandeep Kumar]

We appreciate your feedback. However, due to data security concerns, we cannot recommend removing the password-protected encryption requirement for shared items.

While we acknowledge that this change may inconvenience some users, it is essential for maintaining the security and integrity of your shared information. We're constantly evaluating our features and considering user feedback, so your input is valuable to us.

[Nervier]

Amandeep,

Can you please explain what you mean by your vague "due to datea security concerns"? I need to give my account info to other users. They do not use Enpass. I thus *MUST* send it to them in clear text. I do that via Signal. It's secured, and encrypted. There are ZERO security concerns with this process.

But without the ability to now export an entire record from Enpass, I have to copy/paste each individual field in every account and copy/paste into a message/note so that I can then send it. It's incredibly time-consuming. All because you decided to prevent us from exporting the same record with one click? As another user in the thread said, what where you guys thinking?? You're not making the app more secure, you are actually making it worse as I now have to copy/paste these individual entries in a note, so that when done I can "select all" and then send with signal, and then (1) ALL those passwords will be in my clipboard which I could inadvertently paste somewhere else, and (2) I need to remember to delete the note, and (3) I have to delete it from the deleted items in iCloud as it will be stored there too. So as you see you're making matters much LESS secure by preventing me to share the items directly from Enpass. And as another user also said, when creating a backups those are in clear text anyways, so, again, please explain your "due to data security concerns" statement again?

Edited May 15 by Nervier
typo

[Ivarson]

I dont remember what the unprotected sharing looked like, but think it was All fields in plaintext, and a enpasscard in base64?

@Amandeep Kumar If you want the Share-function to be a secure Enpass-only thing where there are no shared vaults involved, you could instead add a "Copy All Fields" for the items (you already have Copy Username, Copy Password, Copy URL, Copy OTP, Copy Email.. adding a Copy All wouldn't reduce security _that much_, possibly the fact that all fields resides in clipboard at thesame time, but atlest the clipboard would still be protected by the builtin timer that wipes records after some time by default.

As a sidenote, in the Windows-app, there's a Print function where Enpass generates PDF-files.

This can be used in some cases, but it's clunky, the content cant be highlighted and copied from and so forth, but if you want to share several fields at once, and the password isn't too long and complex, you can select an item, hit the Burger-menu (not the items three dots) -> File -> Print -> selected items.

Then make sure that "Microsoft Print to PDF" is selected, which creates a local PDF instead of going to a physical printer.

Due to a glitch i guess, the "selected items" is only available if you're viewing ONE vault, when All Vaults are selected (i.e you have many vaults) you can only select ALL ITEMS.

I dont recommend the print-thing as a sharing-concept, just pointing out its there for the Windows Desktop app.

[Nervier]

1 hour ago, Ivarson said:

I dont remember what the unprotected sharing looked like, but think it was All fields in plaintext, and a enpasscard in base64?

No... the "Export" does a *full* export of all records, all fields, in plain text, password included (on MacOS). So much worse than exporting a single item in plain text. And then they go on talking about "due to data security reasons" we force you to encrypt with a PSK an individual item. So frustrating...

Here's a sample screenshot.... (the appliances doesn't exist anymore - it's a 10yr old account)

[Ivarson]

25 minutes ago, Nervier said:

No... the "Export" does a *full* export of all records, all fields, in plain text, password included (on MacOS). So much worse than exporting a single item in plain text. And then they go on talking about "due to data security reasons" we force you to encrypt with a PSK an individual item. So frustrating...

Here's a sample screenshot.... (the appliances doesn't exist anymore - it's a 10yr old account)

I was asking about the per-item 'Share'-function, not the 'Export' and how the non-PSK shared data looked like

[Nervier]

32 minutes ago, Ivarson said:

I was asking about the per-item 'Share'-function, not the 'Export' and how the non-PSK shared data looked like

Oh sorry - yes, that seems to be base64-encoded, but base64-decoding it yields gibberish as the entire contents being shared are encrypted with the PSK. \

[Ivarson]

I know, it's supposed to :-)

I was asking about how the shared data _looked_ like, when you could share without AES-256 encrypting it. Pretty sure it was plaintext fields on each row, and a .ENPASSCARD-file with non-encrypted base64.

anyway, wouldnt a "Copy All"-option sort your needs?

The clipboard would contain all populated fields in the item, and would be intended for human-to-human sharing or external copying. (base64 is in essenence made for normalized transportation)

---

Title: XCV

Username: XCV

Password: XCV

Website: <URL>

---

i also recall talking to enpass support one or two years ago about a web-based service for external password sharing, and they were "working on it"

something like Bitwarden Send or Lastpass password sharing where you could have either password- or limited accessattempts on a generated weblink, not sure if that took of or not.