Jump to content
Gili

Security audit

By Gili, in Data Security

Recommended Posts

hwsamuel    3

hwsamuel
Posted

Folks if you want a fully audited and open source tool with multi-platform support (desktop, phone, browser), why not go with Bitwarden? Downsides: mainly one dev, and uses it's own cloud hosting with Microsoft Azure. Everything has pros and cons.

PS - Am not affiliated with Bitwarden by the way, just a new user there.

  • Like 2

Share this post

Link to post
Share on other sites

Oscar A. Mata T.    0

Oscar A. Mata T.
Posted (edited)

Hello,

TBH Bitwarden works flawlessly. I have a premium Enpass license since several years ago, So I just read the news about version 6 and I wanted to give it a try again, so I installed the app in my phone and my desktop, (a Mac computer), and tried to import my Bitwarden vault. Bad experience, it just parsed 61 items and I have more than 500 items, of several kind, stored in Bitwarden vault.

I'm reporting the issue.

Edited by Oscar A. Mata T.

Share this post

Link to post
Share on other sites

Brenku    2

Brenku
Posted
20 hours ago, hwsamuel said:

Folks if you want a fully audited and open source tool with multi-platform support (desktop, phone, browser), why not go with Bitwarden? Downsides: mainly one dev, and uses it's own cloud hosting with Microsoft Azure. Everything has pros and cons.

PS - Am not affiliated with Bitwarden by the way, just a new user there.

Because it took them so long to get the audit (we asked in this thread two year ago), the audit seemed rushed and possibly not in-depth enough, but also because of issues with support, issues during beta, and issues now with their new pricing model, I moved from Enpass to BitWarden.

If you have issues with migration, I suggest you move to enpass 6, export as JSON your vault, and import it from the Bitwarden web interface. If you have ATTACHMENTS, in your enpass vault. Please be aware those don’t get moved. You’ll need to do that manually. It’s easy, as enpass has an ‘with attachments’ search filter. I had only two. Removed them from my vault and re-imported to BitWarden after vault was moved over. 

Sorry enpass. I couldn’t deal with you ignore my support requests, nor all the changes I mentioned above. 

Not affiliated with anyone. Just used enpass a long time. Tired of not getting anything I need from them. 

Share this post

Link to post
Share on other sites

Brenku    2

Brenku
Posted
7 hours ago, Oscar A. Mata T. said:

Hello,

TBH Bitwarden works flawlessly. I have a premium Enpass license since several years ago, So I just read the news about version 6 and I wanted to give it a try again, so I installed the app in my phone and my desktop, (a Mac computer), and tried to import my Bitwarden vault. Bad experience, it just parsed 61 items and I have more than 500 items, of several kind, stored in Bitwarden vault.

I'm reporting the issue.

If you have issues with migration, I suggest you move to enpass 6, export as JSON your vault, and import it from the Bitwarden web interface. If you have ATTACHMENTS, in your enpass vault. Please be aware those don’t get moved. You’ll need to do that manually. It’s easy, as enpass has an ‘with attachments’ search filter. I had only two. Removed them from my vault and re-imported to BitWarden after vault was moved over. 

Share this post

Link to post
Share on other sites

tgcrypt    0

tgcrypt
Posted

I am a big fan of the enpass, I have the license for android, windows, and IOS, but when you see this audit left me very worried about the security of my data, I would like a more serious audit! The software is great please do not apologize who uses it and believe in your work !!!

Share this post

Link to post
Share on other sites

GoodbyeEnpass    0

GoodbyeEnpass
Posted

I am leaving Enpass due to this poor security audit and new pricing model. I honestly do not believe that my data is secure with Enpass due to this pathetic audit. They are obviously hiding something.

Share this post

Link to post
Share on other sites

Vinod Kumar    93

Vinod Kumar
Posted

Hi @GoodbyeEnpass and @tgcrypt,

Please help me understand what is wrong with security audit. Why you think it is not complete. We gave full source code access to audit company. Enpass is a offline password manager, so risks are always lower by nature and attack vectors are always local. One can't execute remote attacks on it.

Thanks.

 

  • Like 1

Share this post

Link to post
Share on other sites

My1    8

My1
Posted
1 hour ago, GoodbyeEnpass said:

I am leaving Enpass due to this poor security audit and new pricing model.

What new pricing model? Did they start using subscriptions or what? 

1 hour ago, Vinod Kumar said:

Please help me understand what is wrong with security audit.

I would guess that especially this part stands out a lot:

On 12/28/2018 at 10:19 PM, djohannes said:

It is important to note that because of the time constrains naturally involved during a Penetration Test exercise this project should not be considered a full security audit

 

Share this post

Link to post
Share on other sites

tgcrypt    0

tgcrypt
Posted
On 1/4/2019 at 4:34 PM, Vinod Kumar said:

Hi @GoodbyeEnpass and @tgcrypt,

Please help me understand what is wrong with security audit. Why you think it is not complete. We gave full source code access to audit company. Enpass is a offline password manager, so risks are always lower by nature and attack vectors are always local. One can't execute remote attacks on it.

Thanks.

 

Hi @Vinod Kumar

I think what @My1 quoted " 

Quote
On 1/4/2019 at 6:16 PM, My1 said:

It is important to note that because of the time constrains naturally involved during a Penetration Test exercise this project should not be considered a full security audit

 

" would be the most pertinent part, although many people should only have passwords used on a daily basis, many who pay for the license have passwords and sensitive data, server passwords and bank details, that is a very very serious.

Share this post

Link to post
Share on other sites

mushroom_daddy    1

mushroom_daddy
Posted (edited)

A thorough & robust security audit really should be a prerequisite for any company selling password repository software.

On the face of it Enpass is great software, but if it has security holes than people will worry and start to look elsewhere. The recent report (highlighting recovery of master passwords) is not exactly reassuring, and also seems rather limited in scope to specific platforms.

Quote

The overall technical risk for Enpass based on the Security Assessment and the impact of discovered vulnerabilities is Medium ...

--- During the testing of the Enpass apps, VerSprite found that it was possible to recover the primary Vault's master password from memory for both Windows and Android apps

I will continue to watch this discussion with interest  ...

Edited by mushroom_daddy
  • Like 1

Share this post

Link to post
Share on other sites

mushroom_daddy    1

mushroom_daddy
Posted (edited)
32 minutes ago, Vinod Kumar said:

Hi @mushroom_daddy,

The vulnerability you quoted had been resolved (remediated). Please see page no. 5 of audit report.

Thanks.

That's good to know. Thank you for the clarification. 

Could I ask whether there are plans to extend the security audit to Mac & iOS versions of Enpass? It would be reassuring have independent audits for all versions of your software.

Similarly, in view of continual advances of hacker tools & capabilities, it would be prudent to periodically repeat third party security audits. In my opinion, regular & robust security audits should be a well-defined part of your business strategy.

Edited by mushroom_daddy

Share this post

Link to post
Share on other sites

Hemant Kumar    56

Hemant Kumar
Posted

Hi @mushroom_daddy

23 hours ago, mushroom_daddy said:

Could I ask whether there are plans to extend the security audit to Mac & iOS versions of Enpass? It would be reassuring have independent audits for all versions of your software.

Sure, we do have plans to get the macOS and iOS apps audited as soon as add the important feature requests like Favicons, WiFi sync etc . It's just a matter of time. Please bear with us.

23 hours ago, mushroom_daddy said:

Similarly, in view of continual advances of hacker tools & capabilities, it would be prudent to periodically repeat third party security audits. In my opinion, regular & robust security audits should be a well-defined part of your business strategy.

Agreed! but we can't do it very frequently as it is time consuming and costly process.

Thanks for your understanding!

Share this post

Link to post
Share on other sites

zyghom    19

zyghom
Posted

most of the features you are working now are cosmetic changes (I believe) - not new functionality related to the security

so audit could be done on major releases 

yes, it is costly

but yes, it buys the Customers

  • Like 2

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing Data Security
×