Enpass Discussion Forum

Security audit


  • 6 months later...
  • 1 month later...

I've been following this thread for a good while. I'm responsible for recommending security tools for a large professional community in the UK.

I'm not currently able to recommend this product however passionate the developers might be.

In this thread there seems to be some conflation between the security practices of:

1. the business itself, with respect to penetration testing, security and integrity of the code (to prevent malicious code being added to the source), process security (to defend against social engineering of the developers, etc.) and so on;

2. the code base and architecture.

It is not at all clear that good security practices are followed, that the staff are all well versed in any recognised international security standard, that they have a common code base, follow security-by-design principles, etc.

The fact that adding features, changing the UI, etc. can undermine the work of an audit is also worrying. Of course code changes can introduce new attack vectors and additional security bugs, but there is no clear sense of the layers and modularity in the code base that would limit the risks.

I'm also not able to confirm that the programme itself supports, and that the developers recommend, the use of strong two-factor authentication, particularly with physical token devices like YubiKey, to access the data the programme is intended to protect.

I had hoped to be able to recommend this to our thousands of members and offer some small discount purchase incentive. We'd have recommended a subscription model to ensure ongoing security updates, maintenance and enhancements.

Unfortunately, I do not feel able to progress this further.

I wish the business and the development team all the best and hope you are able to mature the product and meet the modern security challenges in due course.



  • 2 weeks later...

Hi @Grunt Futuk,

Thanks for your feedback.

We agree with you that a security audit plays an important role for a password manager application, and we have planned one very soon, down the line with the release of some exciting features.

To protect the integrity and sanctity of the source code, access to it is restricted and controlled by GitLab. Not everyone can push code directly into the production branch. Every merge request comprising changes is closely reviewed to keep a check on bad practices and malicious activity. The critical security module is additionally reviewed for security by the senior team and the CTO himself.

On the architecture front, let me assure you that the codebase is fully modularized. GUI-specific code doesn't perform any cryptographic operations and acts as a client of our core module, which performs all the security-related operations and consists of various parts, i.e. database, cryptography module, network, etc. Our cryptography module is based on the open-source SQLCipher and has not changed a bit since the last audit, even after the addition of the subscription model. The core module is written in C++ and is shared by all platforms.

The request to add a second factor to authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement for a second factor for its release. However, users who store their data in their cloud accounts (iCloud, Google Drive, OneDrive, Dropbox, Box and WebDAV) usually enable 2FA on those cloud accounts, protecting them from unauthorized downloading of Enpass data onto other, unauthorized devices. Also, users who want to add an additional layer on top of the master password can use a key file, which is then required for unlocking Enpass.

We understand your concerns and always take them very seriously. Feedback of our beloved users is what keeps us motivated to make Enpass better every day.



On 8/12/2020 at 4:14 PM, Ankur Gupta said:

The request to add the second factor in authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement of the second factor for its release

I wouldn't even say "no requirement"; the most common 2FA methods used on the web (TOTP, SMS, U2F) would be pure snake oil here, as they couldn't contribute to the encryption in any way.


You need to read my message in its entirety, and in the context of Enpass being an offline-first password manager.

For access to data online, 2FA is totally useful and awesome, but if you already have the data, like your Enpass vault on your computer, TOTP and the like cannot add to the encryption, due to the dynamic nature of the codes.

You would need something like a smartcard with encryption keys for proper 2FA on offline data.

A code that depends on the time, as with TOTP, or on several factors, as with U2F, cannot be used to add encryption, since you can't get that same code/data back later on to feed it into decryption.

Sorry for posting a link to my blog, but I explained this in depth over there: https://blog.my1.dev/steganos-privacy-suite-19-is-a-joke


TOTP and many other dynamic code formats can literally only be used to allow or deny access to something. However, when the data is already sitting there, just encrypted, there's nothing you can allow or deny, as you could just hotwire the checks in RAM to skip that part, or decrypt the wallet yourself outside the password manager.

Edited by My1
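The two posts above make a point that is easier to see in code: a key file can be mixed into the vault's key derivation and therefore protects the data at rest, whereas a TOTP code changes every time step and can only ever act as an allow/deny gate that anyone holding the vault file can skip. The following is an added example, not Enpass code and not the SQLCipher construction; the KDF layout (PBKDF2-HMAC-SHA256 over password || SHA-256(key file)), the salt, the password and the key file contents are all assumed for illustration, and the TOTP secret is the RFC 4226/6238 reference test value.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample inputs for the example; none of this is real vault material.
MASTER_PASSWORD = b"correct horse battery staple"
KEYFILE_BYTES = bytes(range(64))            # stands in for the contents of a key file
VAULT_SALT = b"example-salt-0123456789"     # a real vault stores a random salt in its header
TOTP_SECRET = b"12345678901234567890"       # RFC 4226/6238 reference test secret
KDF_ITERATIONS = 50_000                     # kept low so the example runs quickly


def derive_vault_key(password: bytes, salt: bytes, keyfile: Optional[bytes] = None) -> bytes:
    """Assumed KDF construction: PBKDF2-HMAC-SHA256 over password || SHA-256(keyfile).

    The key file changes the derived key, so the correct password without the
    file still yields the wrong key. That is what makes it a real second
    factor for data at rest: it is an input to the cryptography.
    """
    material = password
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, dklen=32)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); the code depends on the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def key_if_totp_were_mixed_in(password: bytes, salt: bytes, unix_time: int) -> bytes:
    """What folding the TOTP code into the KDF would do: a different key every
    30 seconds, so a vault encrypted now could not be decrypted later."""
    code = totp(TOTP_SECRET, unix_time).encode()
    return derive_vault_key(password + code, salt)


def unlock_with_totp_gate(password: bytes, keyfile: bytes, submitted_code: str,
                          unix_time: int) -> Optional[bytes]:
    """The only thing TOTP can do for an offline vault: an application-side
    allow/deny check that sits in front of the real key derivation."""
    if not hmac.compare_digest(submitted_code, totp(TOTP_SECRET, unix_time)):
        return None
    return derive_vault_key(password, VAULT_SALT, keyfile)


def unlock_bypassing_gate(password: bytes, keyfile: bytes) -> bytes:
    """Anyone holding the vault file plus the password and key file runs the KDF
    directly; the gate above is never consulted, so it adds nothing to the data."""
    return derive_vault_key(password, VAULT_SALT, keyfile)


def demo() -> dict:
    """Collects the observations the thread argues about, as checkable values."""
    t0 = 59  # RFC 6238 test time; counter 1 gives code 287082
    good_code = totp(TOTP_SECRET, t0)
    return {
        "keyfile_changes_key": derive_vault_key(MASTER_PASSWORD, VAULT_SALT)
        != derive_vault_key(MASTER_PASSWORD, VAULT_SALT, KEYFILE_BYTES),
        "totp_at_t0": good_code,
        "totp_key_unstable": key_if_totp_were_mixed_in(MASTER_PASSWORD, VAULT_SALT, t0)
        != key_if_totp_were_mixed_in(MASTER_PASSWORD, VAULT_SALT, t0 + 30),
        "gate_rejects_wrong_code": unlock_with_totp_gate(
            MASTER_PASSWORD, KEYFILE_BYTES, "000000", t0) is None,
        "gate_is_bypassable": unlock_bypassing_gate(MASTER_PASSWORD, KEYFILE_BYTES)
        == unlock_with_totp_gate(MASTER_PASSWORD, KEYFILE_BYTES, good_code, t0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` are the whole argument: the gate refuses a wrong code, yet the same vault key falls out of `unlock_bypassing_gate` without any code at all, because the key never depended on it. A smartcard or other hardware key, as the post suggests, only helps if it holds key material that is itself an input to decryption, as the key file is here.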

  • 1 month later...

In another thread I read that 2FA is on the roadmap. Is there any more concrete information available, like an upcoming release or so?

Having 2FA available to log in to Enpass more securely is, for me, an absolutely essential feature for password managers in these times, no matter whether they work online or offline. I would like to have something like a hardware token via NFC on my phone as an extra security option in addition to the master keyword. The optional key file itself is, for me, something like a device registration, because the key file is permanently 'integrated' into the mobile app.

When you have 2FA and periodically executed security audits, then Enpass will continue to be my password safe.


  • 1 month later...

Hi @Ankur Gupta, thank you for replying to this topic/thread...

I would like some further explanations from you on the security details / model...

Specifically, since it was not tested by ISE, is Enpass ALSO vulnerable on Windows and Mac in the areas discussed in this article:



