Enpass Discussion Forum

Security audit


Gili

1 minute ago, Audit said:

Dear Team,

Concerned user here as well, switching back to another solution until the day you publish audit results.

Please make it happen! Because I like the software, but at this point I hesitate to fill in any sensitive data. Worried about backdoors and such.

I'm keeping some of my information in Passpack until an audit has been done.

I know we have to wait for the next version.


It has now been over a year and a half since I requested a security audit. Enpass staff has replied multiple times, making promises that they did not keep.

Enpass has already given us an answer through their actions: there will be no security audit. You need to ask yourself why that is, and whether you are willing to use this security product without it. Based on what we've seen, posting on this forum will not change anything.

I have unsubscribed from this post.

Good luck,
Gili


  • 4 weeks later...

Can someone confirm if Enpass will be doing a security audit?

If there will be no security audit, I will be leaving Enpass like @Gili and I will use a different password manager. The responsiveness of the staff tells me that security is not really a top priority to Enpass (maybe a priority, but not a top priority).

Edited by Kamute

Hi @Kamute,

Thanks for writing in.

11 hours ago, Kamute said:

Can someone confirm if Enpass will be doing a security audit?

Yes, we will get Enpass 6 audited for security. The development is under way and the beta is due by the end of this month. Here's a sneak peek at the latest UI which comes along with the update.

I appreciate your patience in the meantime.


On 5/15/2018 at 12:05 AM, Anshu kumar said:

Hi @Kamute,

Thanks for writing in.

Yes, we will get Enpass 6 audited for security. The development is under way and the beta is due by the end of this month. Here's a sneak peek at the latest UI which comes along with the update.

I appreciate your patience in the meantime.

Thank you for responding, @Anshu kumar


  • 4 weeks later...

As 1Password has changed their licensing policies I'm looking elsewhere for a more affordable solution and came across Enpass, as well as LastPass and Dashlane. With 1Password numerous 3rd party audits are available on the internet, and for Dashlane I could also find a pretty interesting 3rd party audit, albeit for an older version. For LastPass it was more difficult to find such audits (although I did find several mentions of vulnerabilities), but I discovered that hacker groups discussed the security of LastPass and appear to feel safe with it; that's a good second best to a security audit.

So I started looking for a 3rd party audit of Enpass and stumbled upon this discussion, and was surprised about the reluctance of Enpass to have version 5 audited. In my opinion it's just ridiculous to postpone an audit because a new version is going to be launched. Why not have version 5 audited? Isn't it secure enough to be audited? I actually don't care about the latest version of your software being audited. Audits are about gaining trust. I would be very interested to read 3rd party audits for any older version, even though you might have several vulnerabilities in those fixed already. Each and every audit tells something about you, the company writing the software.

If you are really serious about getting a 3rd party audit involved then do so immediately, with the current version of the software. Right now this discussion reads like a joke. I cannot take Enpass as a serious alternative to 1Password. I'd rather pay the hefty fees for 1Password.


@rembert While I fully agree that it is annoying to wait for ver 6 to get an audit, they kinda do have a point.

Audits are probably expensive as hell, and where a new version is in development it would kinda be ugly to audit the old version: users would take that as a reason to not get the newer version, or users wouldn't trust the new ver as much as the old one.


  • 2 weeks later...

I think one thing that would help, at the VERY least, is to provide some insightful details about the types of cryptography going on here and how it's handled. Something LastPass also does is provide reasonable levels of detail about what they do, where they do it, and what algorithms are being used.

For one example I note: just looking at the Enpass binary, I ran ldd on it in Linux and see that it's linked against libgcrypt, libssl-1.0.0, etc. But I also note that it's linked with libsodium, however that's not found, specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used?

I personally like the concept of Enpass. I'd like to know a little more about what's under the hood of its design from a security standpoint. A lot of people can say they use military grade AES-256 encryption, but HOW they implement it could completely break it in a snap.

Some people here pointed out the country of origin. To me that is mostly immaterial. What is more important is security itself, and the fact is: Security Is Hard, as Steve Gibson himself always says on his podcast show, SecurityNow. 

Take a look at how LastPass describes what they do for security from a technical point of view: https://lastpass.com/whylastpass_technology.php


Hi @Psi-Jack,

You can find more details about security and cryptography in Enpass here:
https://www.enpass.io/security/
https://www.enpass.io/docs/enpass-security-whitepaper/index.html

8 hours ago, Psi-Jack said:

For one example I note: just looking at the Enpass binary, I ran ldd on it in Linux and see that it's linked against libgcrypt, libssl-1.0.0, etc. But I also note that it's linked with libsodium, however that's not found, specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used?

libsodium is being used for encrypting the browser extension communication channel. It is present in the /opt/Enpass/lib folder, which is why running ldd on the Enpass binary says

libsodium.so.18 => not found

which just means that ldd couldn't find the library in your system at the standard locations.

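The exchange above turns on a detail worth checking yourself rather than taking on trust: an `ldd` line ending in `=> not found` means the dynamic loader could not resolve that soname on the default search path (plus any RPATH/RUNPATH baked into the binary), not that the library is unused. A vendor that ships its own copy in an application-private directory typically makes it loadable through a launcher script that sets `LD_LIBRARY_PATH`, which `ldd` run directly on the binary does not see. The script below is an added example, not Enpass's code or anything from this thread; it takes `ldd` output on stdin, lists the "not found" sonames, and reports which of them are bundled in a given private lib directory. The `ldd` output embedded in it is constructed to match the shapes `ldd(1)` prints and is not a capture from a real Enpass install.

```shell
#!/bin/sh
# Constructed sample of ldd(1) output (NOT a real capture): one library that
# the vendor bundles privately and one that is genuinely absent.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd5c3f6000)
	libsodium.so.18 => not found
	libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f1e3c0a0000)
	libssl.so.1.0.0 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e3bc00000)'

# missing_libs: read ldd output on stdin, print the sonames ldd reported as
# "not found", one per line. The vdso line has no "=>" and is skipped.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# check_private_libs LIBDIR: for every "not found" soname on stdin, say
# whether a file of that name ships in LIBDIR (the bundled case described in
# the reply above) or is absent from both the system and the bundle.
# Exit status = number of genuinely absent libraries.
check_private_libs() {
    libdir=$1
    absent=0
    for so in $(missing_libs); do
        if [ -f "$libdir/$so" ]; then
            printf '%s: bundled in %s\n' "$so" "$libdir"
        else
            printf '%s: ABSENT\n' "$so"
            absent=$((absent + 1))
        fi
    done
    return "$absent"
}

# demo: build a throwaway private lib dir containing a stand-in for the
# bundled libsodium, run the check over the constructed ldd output, and
# report the count of libraries that are missing everywhere.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    : > "$tmp/lib/libsodium.so.18"      # empty stand-in for the bundled copy
    rc=0
    printf '%s\n' "$SAMPLE_LDD" | check_private_libs "$tmp/lib" || rc=$?
    printf 'genuinely absent: %d\n' "$rc"
    rm -rf "$tmp"
}
```

Against a real install you would feed it the actual loader output, for instance `ldd /opt/Enpass/Enpass | check_private_libs /opt/Enpass/lib` (the binary path is an assumption; the lib directory is the one named in the reply). Two follow-up checks are worth doing: `readelf -d BINARY | grep -E 'R(UN)?PATH'` shows whether the binary carries its own search path, and if it does not, the launcher script is where `LD_LIBRARY_PATH` is set. The security caveat is the flip side of the vendor's answer: a privately bundled libsodium (or libssl-1.0.0) is not updated by the distribution's package manager, so its version, and any fixes to it, are entirely the vendor's responsibility to track.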

btw regarding Sodium, I just did a search on my PC for anything sodium related and I didn't find any Sodium files in the Enpass related folders. Is that because Windows is using something else, or is there something wrong?


  • semi_mod locked this topic
  • 2 months later...
  • 2 weeks later...
On 2/13/2017 at 2:02 PM, Hemant Kumar said:

Hello, everybody!

I truly understand your concern for a software holding critical information and not being open sourced or audited by any credible third party agency.
Well guys, thanks for all your comments, and we've decided to get a third party audit of Enpass. But all we need is just some more time: after the upcoming release of Attachments (beta is already there), we'll work on some key features like multiple vaults with a need for refactoring the core engine, and I think that would be the best time to go for an audit, all at once.

Till then, please bear with us, and all I ask for is your co-operation.

Cheers!

I feel this is extremely important, especially based on your industry. You need to show us, your users that trust you, that this trust is not misplaced. Now, I think it's been long enough that you have not had this done, and it needs to be done.

I feel that most of the stuff you mentioned above has been implemented. You have also previously stated that security is #1.
So then, can we please get a serious answer about this?

Are you doing an audit?
Who is doing it?
When is it starting? When do you expect the results?


  • 5 weeks later...

Hey there,

I just created this account to chime in with others.

I have been looking into the password manager options for a while and thought Enpass might be the best of all options out there for a number of reasons – not being subscription-based, opt-in cloud sync, competitive pricing, etc.

Thus I was considering using Enpass as my default password manager. And then I came across this post.

The current situation over the security audit being pushed back due to delayed releases of upcoming version 6 is quite problematic. This goes back to over 2 years ago now. One may wonder if this will ever happen.

Alas, I come to the conclusion that I can neither use nor recommend this solution as of this writing. I suspect I may not be the only one keeping away from Enpass for this reason.

Perhaps you should consider the security audit as a business opportunity, even more so in the enterprise space, as a way to bring in more customers.

I have no doubts of your intentions regarding the auditing of the software and wish you will proceed with it as soon as the next version is ready.

Hopefully we can revisit Enpass in the future and recommend it to everyone looking for a great password management solution.

In the meantime, keep up the good work and – Just do it!

@Hemant Kumar, @Anshu kumar, @Akash Vyas, @Vinod Kumar, and the rest of the Enpass team.


7 hours ago, justdoit said:

Hey there,

I just created this account to chime in with others.

I have been looking into the password manager options for a while and thought Enpass might be the best of all options out there for a number of reasons – not being subscription-based, opt-in cloud sync, competitive pricing, etc.

Thus I was considering using Enpass as my default password manager. And then I came across this post.

The current situation over the security audit being pushed back due to delayed releases of upcoming version 6 is quite problematic. This goes back to over 2 years ago now. One may wonder if this will ever happen.

Alas, I come to the conclusion that I can neither use nor recommend this solution as of this writing. I suspect I may not be the only one keeping away from Enpass for this reason.

Perhaps you should consider the security audit as a business opportunity, even more so in the enterprise space, as a way to bring in more customers.

I have no doubts of your intentions regarding the auditing of the software and wish you will proceed with it as soon as the next version is ready.

Hopefully we can revisit Enpass in the future and recommend it to everyone looking for a great password management solution.

In the meantime, keep up the good work and – Just do it!

@Hemant Kumar, @Anshu kumar, @Akash Vyas, @Vinod Kumar, and the rest of the Enpass team.

+1


  • 2 weeks later...

As a security auditor assistant: every IT company needs to do a security audit and needs additional security certificates, so every member and user can understand the security level. You also have to show off your PCI certificate on your site if you have one, so we can understand how much you take care of our data. I'm an auditor and know how costly it is if any company has data breached from their sites, so please understand the requirements of a security audit. Every 3 to 5 years a system audit is required.
