Gili

Security audit


Well, isn’t this disappointing. 

It's been over a year, no version 6.

Hence, of course, no Security Audit. 

No idea when this will occur either.

I am thinking “Sinew Software Systems Private Limited” ain’t too focussed on Enpass. 

Well, you had me fooled.... I thought you folk were cool. 


Hey guys,

We know you've been waiting for this to happen for a long time and we really appreciate your patience. We're hoping to roll it out by the end of this year but there came some situations with urgent improvements in Enpass 5, like Firefox WebExtensions, Edge extension etc., so we had to take care of them, curtailing time for it from the development. :S However, our dev team is back on it and working really hard to keep up the pace and get features implemented. We'll keep you updated.

Thanks for your understanding.      

  • Thanks 1


Well, today is January 22, 2018, it's been a year since you promised a third party audit. Where is Enpass 6?

I hope we can see the progress of your work as this is a top concern for our users. It relates to whether we can trust Enpass or not.

  • Like 1


No, 1pw is not open source as far as I remember.

Also, I have no exact idea when 1pw6 was released, but the version before had a drastically different UI.

21 hours ago, My1 said:

No, 1pw is not open source as far as I remember.

Also, I have no exact idea when 1pw6 was released, but the version before had a drastically different UI.

"drastically different UI"

v5 v4 v3


The UI I saw was more like this:

385059-agilebits-1password-4-for-windows

and reminds me more of KeePass.

And having a list of categories on the left and on the middle the list of entries and the content on the right (or bottom) isn't really creative, this is a similar thing as what mail clients can do for eternities, and this basic idea which makes sense, it's not really a wonder they look similar.

Edited by My1

On 2/4/2018 at 6:26 PM, My1 said:

The UI I saw was more like this:

385059-agilebits-1password-4-for-windows

and reminds me more of KeePass.

And having a list of categories on the left and on the middle the list of entries and the content on the right (or bottom) isn't really creative, this is a similar thing as what mail clients can do for eternities, and this basic idea which makes sense, it's not really a wonder they look similar.

I don't know how it looked on Windows. On Mac it was different. But it is off-topic here. So what about the security audit?

On 2/2/2018 at 2:35 AM, loginx said:

Any update on this? I can't trust a closed source proprietary software with no audit. You guys shamelessly stole 1password's ui, please provide us some proof.

I agree that there is a strong resemblance between the Mac version UI of 1PW and Enpass but 'shamelessly stole' are some strong words to use here.
The UI for Enpass may not have any unique creativity but it isn't possible to drastically differentiate every app from all the other apps having similar functions. Some designs may be proven to be aesthetically and functionally fulfilling all goals and drawing ideas from them, while avoiding blatant plagiarism, is nothing bad at all.

 

On the main topic, I am truly disappointed that an otherwise excellent app is dragging its feet so badly on being open for a security audit. After all, it is not trivial data that they are dealing with. These little things are what could turn away potential customers or deter evangelists from referring users to it.

Guest

I commented here approximately 1 year ago. Due to the silence from the developer, I am unfollowing this thread and will continue to recommend Lastpass to everyone who needs a password vault. 

6 hours ago, mudfly said:

I commented here approximately 1 year ago. Due to the silence from the developer, I am unfollowing this thread and will continue to recommend Lastpass to everyone who needs a password vault. 

Has Lastpass been audited?

Also, Lastpass obviously has the problem that they have your data. Also, the way LP stores the data is apparently relatively open and based on standards so people can try to check that for themselves.

Guest
16 hours ago, My1 said:

Has Lastpass been audited?

Also, Lastpass obviously has the problem that they have your data. Also, the way LP stores the data is apparently relatively open and based on standards so people can try to check that for themselves.

Lastpass is not without its own set of issues, I am not sure about an independent third party audit of Lastpass. What I do know, is that they are an American company, and I am American, and so if there is an issue I can hire a lawyer, or join a class action if the need arises. I also work for one of the largest software companies in the world, who as a SaaS company, we take security very seriously. We use a corporate Lastpass to manage our shared secrets. If my company with their secrets trust Lastpass, who am I to disagree with their independent security audit? I requested my account be deleted, so I don't know if you will see this reply. All of my posts will be removed when my account is removed.


Okay, well I am not from the US and therefore essentially both LP and Enpass are alien companies for that matter. One of the best things about Enpass is that they make it easy to not need to trust them. Their database is in a relatively open format and I can choose where to store, or even do the sync myself while letting Enpass itself not even touch the internet with a "10 foot pole" as you Americans tend to say (I'd rather say ten meter, but that's another story).

 

Meaning I could essentially pseudo-airgap Enpass and let for example the Nextcloud client do the sync of everything, which makes it impossible for Enpass to do anything crazy in regards to move data somewhere where it doesn't belong or whatever.

 

Regarding seeing your replies, I have an email notif, but even if I hadn't, usually when an account is removed the posts don't vanish and it will mostly remove your picture and other data and say deleted user instead of your username.


Created an account to say that I'm glad I've held out paying for Enpass mobile for so long. I've used it on my desktop, synced to my encrypted drive, and while I do generally trust that the developers have good intentions in terms of security, I can't put my trust in a company that's been promising a security audit for so long (as well as the next version of Enpass for even longer!)

Switching for now. Good luck Enpass team!

  • Like 1


Hey guys,

We understand that security audit of Enpass has grown significant mass and holds the first priority for all of us. The frequency of comments on this post has become an occasional topic of conversation here pushing us to deliver the beta of Enpass 6 as soon as possible. 

As I mentioned previously, the best way to audit Enpass would be for the new architecture only because doing it for the current version shall all be in vain. No excuse that we are late in releasing the Enpass 6 but that was due to some unavoidable issues and feature updates.

10 hours ago, wepebavum said:

Switching for now. Good luck Enpass team!

Your best wishes for good luck are what we need always but nothing is more painful than parting from you. All I can say at the moment is to please wait for some more time as the New avatar of Enpass is on the way.

Thanks a lot for your understanding!


I'm just starting out with Enpass and I love it! But I just would like to note that I'm also very concerned with this issue!

I can only fully trust my personal data to Enpass and recommend it to others if it's Open Source and / or Audited by a qualified and trusted external organisation. 

  • Like 1


I am concerned about this issue too! And gonna switch to another solution.

I'll switch back to Enpass and pay a license the day you publish an audit result.

  • Like 1


Dear Team,

Concerned user here as well, switching back to another solution until the day you publish audit results.

Please make it happen! Because I like the software, but at this point I hesitate filling in any sensitive data.. Worried about backdoors and such.

1 minute ago, Audit said:

Dear Team,

Concerned user here as well, switching back to another solution until the day you publish audit results.

Please make it happen! Because I like the software, but at this point I hesitate filling in any sensitive data.. Worried about backdoors and such.

I’m keeping some of my information in Passpack, until an audit has been done..

I know we have to wait for the next version.  


It has now been over a year and a half since I requested a security audit. Enpass staff has replied multiple times, making promises that they did not keep.

Enpass has already given us an answer through their actions: there will be no security audit. You need to ask yourself why that is, and whether you are willing to use this security product without it. Based on what we've seen, posting on this forum will not change anything.

I have unsubscribed from this post.

Good luck,
Gili


Can someone confirm if Enpass will be doing a security audit?

If there will be no security audit, I will be leaving Enpass like @Gili and I will use a different password manager. The responsiveness of the staff tells me that security is not really a top priority to Enpass (maybe a priority, but not a top priority).

Edited by Kamute


Hi @Kamute,

Thanks for writing in.  

11 hours ago, Kamute said:

Can someone confirm if Enpass will be doing a security audit?

 

Yes, we will get the Enpass 6 audited for security. The development is on the way and the beta is due by end of this month. Here's a sneak peek at the latest UI which comes along with the update.

I appreciate your patience in the meantime.

  • Like 1

