Enpass Discussion Forum

PIN as Secret password & email as username


Raygen


I've been using Enpass for a while now and I'm well satisfied with it as my first password manager. An aspect that concerns me the most, though, is the lack of protection against a master password sniffing attack or leak.

Basically, as I understand it, if you have the master password you can decrypt the database and take all the passwords, easily, without a second-factor authentication or something similar to stop it. And since you need to manually enter the master password every time you want to unlock Enpass, this makes the job easy for a keylogger, a zero-day virus, or even a random security camera watching the screen of your smartphone. Even if you have enabled the PIN option, you still need to enter the master password at least once a day.

To remedy this, many password managers such as 1Password use a secondary password called a Secret password, created locally by the password manager itself, that you never need to type. I don't really know how it works since I never used it, but I got a similar idea: would it be possible to use the PIN only to unlock Enpass (the application itself), and leave the master password to encrypt the database? So, even if the PIN gets sniffed, it could be used only on that same device / Enpass instance, by letting only Enpass itself handle the master password internally.

It's only a concept obviously, but it would be nice to have an extra layer of protection.

 

Also, I noticed that the auto-fill uses by default the "username" and "password" fields to fill all the login screens, even those which ask you for your "email" and "password". It would also be nice if you could choose which field to use to auto-fill the requested data, or make Enpass automatically recognize which field to use by reading the web page or app window.
Edited by Raygen
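A toy sketch of the split proposed in the post above (one random database key, wrapped once under the master password and once under a PIN mixed with a device-local secret), added here as an illustration; it is not Enpass's or 1Password's actual design, every name in it is invented, and the HMAC-based wrap stands in for a real AEAD so that it runs with the standard library only.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERS = 200_000  # PBKDF2 work factor (illustrative)

def kdf(secret: bytes, salt: bytes) -> bytes:
    # Derive a 64-byte key-encryption key: 32 bytes for encryption, 32 for the MAC.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERS, dklen=64)

def wrap(kek: bytes, key: bytes) -> bytes:
    # Encrypt-then-MAC wrap of a 32-byte key. XOR with an HMAC keystream stands
    # in for a real AEAD (AES-GCM / AES-KW); it is only here to keep this stdlib-only.
    enc_k, mac_k = kek[:32], kek[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, hmac.new(enc_k, nonce, "sha256").digest()))
    return nonce + ct + hmac.new(mac_k, nonce + ct, "sha256").digest()

def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    enc_k, mac_k = kek[:32], kek[32:]
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, nonce + ct, "sha256").digest()):
        return None  # wrong password, wrong PIN or wrong device: fail closed
    return bytes(a ^ b for a, b in zip(ct, hmac.new(enc_k, nonce, "sha256").digest()))

def enrol(master_password: str, pin: str) -> dict:
    # One random vault key encrypts the database; it is wrapped twice.
    vault_key = secrets.token_bytes(32)
    # The device secret is generated locally, never typed, and would live in the
    # OS keystore (Keychain / TPM-backed store), not in the synced vault file.
    device_secret = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    vault = {
        "salt": salt,
        "by_password": wrap(kdf(master_password.encode() + device_secret, salt), vault_key),
        "by_pin": wrap(kdf(pin.encode() + device_secret, salt), vault_key),
    }
    return {"vault": vault, "device_secret": device_secret}

def unlock_with_password(vault: dict, master_password: str, device_secret: bytes) -> Optional[bytes]:
    return unwrap(kdf(master_password.encode() + device_secret, vault["salt"]), vault["by_password"])

def unlock_with_pin(vault: dict, pin: str, device_secret: bytes) -> Optional[bytes]:
    # A sniffed PIN is useless without this device's secret; a short PIN still needs
    # a retry limit enforced by the keystore, since the KDF alone won't stop brute force.
    return unwrap(kdf(pin.encode() + device_secret, vault["salt"]), vault["by_pin"])
```

Both unlock paths recover the same vault key, while a PIN or master password replayed with another device's secret fails the MAC check and yields nothing.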

1 year later...
On 6/10/2018 at 1:29 PM, Raygen said:

I've been using Enpass for a while now and I'm well satisfied with it as my first password manager. An aspect that concerns me the most, though, is the lack of protection against a master password sniffing attack or leak.

Basically, as I understand it, if you have the master password you can decrypt the database and take all the passwords, easily, without a second-factor authentication or something similar to stop it. And since you need to manually enter the master password every time you want to unlock Enpass, this makes the job easy for a keylogger, a zero-day virus, or even a random security camera watching the screen of your smartphone. Even if you have enabled the PIN option, you still need to enter the master password at least once a day.

To remedy this, many password managers such as 1Password use a secondary password called a Secret password, created locally by the password manager itself, that you never need to type. I don't really know how it works since I never used it, but I got a similar idea: would it be possible to use the PIN only to unlock Enpass (the application itself), and leave the master password to encrypt the database? So, even if the PIN gets sniffed, it could be used only on that same device / Enpass instance, by letting only Enpass itself handle the master password internally.

It's only a concept obviously, but it would be nice to have an extra layer of protection.

Also, I noticed that the auto-fill uses by default the "username" and "password" fields to fill all the login screens, even those which ask you for your "email" and "password". It would also be nice if you could choose which field to use to auto-fill the requested data, or make Enpass automatically recognize which field to use by reading the web page or app window.

Did you contact support? I think you should contact them directly!

Edited by jobilestori

Hey @Raygen,

Welcome to the forums! We appreciate your valuable feedback and suggestions.

On 6/10/2018 at 1:59 PM, Raygen said:

It would be possible to use the PIN to only unlock Enpass (the application itself), and leave the master password to crypt the database? So, even if the PIN get sniffed, it could be used only on that same device / Enpass instance. By letting only Enpass itself handle the master password internally.

We've noted this down and forwarded it to the concerned team for consideration in future.

On 6/10/2018 at 1:59 PM, Raygen said:

Also, i noticed that the auto-fill uses by default the "username" and "password" fields to fill all the login screens, even those who ask you for your "email" and "password"

You can drag and move the username and email fields (while editing an item) using the three horizontal lines at the end of the field box. Doing this for a particular item changes the order of the auto-fill criteria to username or email. Try it and check if it's helpful.

Thanks.
