Anshu kumar Posted July 19, 2019

Hi @Magnus_Carlsen, thank you for reaching out to us. The correct, or rather the more accurate, question would be: does Enpass intend to create such a backdoor to steal customer passwords in the future? The answer would be a straightforward no. As a business, Enpass has larger goals that would benefit from securing customer data (since we are a security company), and not from stealing it. We have complete control over the queries originating from Enpass to servers and what they entail. Furthermore, we have abundant users who happen to be experts in the security domain and who are more than capable of identifying any such misadventure just by looking at the URL connections created by Enpass and what they contain. Lastly, we get regular 3rd party audits, whose reports are available on our website. Please check out the link here. Thanks!
Magnus_Carlsen Posted July 22, 2019

Thank you very much for your quick reply, Anshu. Although I want to believe what you are saying, I cannot help but ask these questions. Why aren't you making Enpass open source like Bitwarden? I would like to see the code of this software to feel more confident about this. The security audit is convincing, but it was done on 18/11/18, that is 9 months ago. I'm assuming you will be doing another security audit in 3 months. Anshu, please don't get me wrong - I want Enpass to be one of the biggest password managers while killing those ridiculously expensive subscription-based password managers. I believe Enpass can be that company, but first and foremost, you have to ensure there are no question marks in people's minds regarding security.

Edited July 22, 2019 by Magnus_Carlsen
Hemant Kumar Posted July 25, 2019

Hi @Magnus_Carlsen, thanks a lot for liking Enpass and sharing your thoughts with us. I do understand your concern about the security of your data. You can be assured that here at Enpass, we are always on our toes making sure that Enpass stays secure and trustworthy for our users. It was only for the peace of mind of everyone that we switched to using SQLCipher (an open-source engine for cryptography) a while back. I also understand that by only using an open-source technology in software, one can't vouch for the overall security of the software. It's more about the implementation and interaction with and around SQLCipher. To check how prudent Enpass is in dealing with your data saved in SQLCipher, we got the first audit done for version 6. I do agree with you that it's been 9 months since then and Enpass has been updated a couple of times after that, and as a user you would like to see audits happen more frequently. Even though we at Enpass share the same desire for frequent audits to gain credence with our user base, its recurring cost is just not viable at the current stage. However, we assure you that our future plans aim to cover these drawbacks and deliver audits at a more frequent pace.

On 7/22/2019 at 8:30 AM, Magnus_Carlsen said: "Why aren't you making Enpass open source like Bitwarden? I would like to see the code of this software to feel more confident about this."

I take your point that if Enpass were open source, you would have checked the code yourself for your satisfaction from a security perspective, and we would not need to pay for audits either. But in reality, the possibility of your data being at risk would stay the same if you install the binaries downloaded from our website and app store accounts. Furthermore, the majority of Enpass users would not have time to compile the source for all platforms, sign it and then use it.

At the end of the day, it all comes down to the intentions of the software provider and whether they are actually using the same source code in the software as published. I am not saying that companies following the open source practice are not trustworthy, but I just want to communicate that we are working with benign intentions and would favor getting the audits done more frequently over going open source. I hope that helps in answering your queries.
Ivarson Posted July 25, 2019

Good response @Hemant Kumar, but I think another thing is the selling point of Enpass. While some other password managers have their source code opened, they offer subscriptions, online storage and/or sync of the vaults. Enpass's motto is "No subscription" and "...nothing is stored on our servers". What Enpass has is a good piece of software, especially considering the cross-platform UX with clients for a broad range of operating systems. While it still lacks autotype, it's still unbeatable at being everywhere; from Linux desktop all the way to my wrist. Opening up the code completely would lead to numerous forks on GitHub in no time, and the golden egg wouldn't... well, there would be more eggs. And sure, the third fork could have a one-liner backdoor implemented, but that applies to all software on GitHub. IMHO it's fully understandable if Enpass, having 25 employees with paychecks working hard on numerous platforms, wants to keep an ace up their sleeve; it just happens to be one of the _worst_ software categories to keep behind closed bars nowadays :-)

While I was one of those asking for an audit, which you did (kudos again), perhaps you could still consider opening parts up in a distant future. For instance, in version 6, core and UI are written separately, so perhaps you could open up the core code, leaving the GUI proprietary? Or open up core+UI but leverage some extra parts only through licensed stores, which you're already doing (Pro). E.g. Enpass could be available FOSS on GitHub, but the cloud sync would only be available on your site (still free for desktops).
Magnus_Carlsen Posted July 26, 2019

Good answer @Hemant Kumar and even better reply @Ivarson. No need to repeat what Ivarson said above; he laid out an amazing roadmap for Enpass. If you can make that happen, it will open new horizons for Enpass. Please consider this.
modelator Posted September 5, 2019

3 years have passed, and I reread all the posts on this topic. Tell me, is it safe to use Enpass? Are there any spyware programs installed in the applications? How good is encryption in Enpass? Are all the issues found in Lastpass fixed every year? Fixed this problem?

(Remediated) Cleartext Storage of Sensitive Information in Memory (Windows) (CWE-316) - Medium
(Partially Remediated) Cleartext Storage of Sensitive Information in Memory (Android) (CWE-316) - Medium

Edited September 5, 2019 by modelator
modelator Posted September 16, 2019

I do not know why cure53 are so reputable. But VPN applications and password managers have a good reputation after their security audits. I suspect their audit costs a lot of money. However, I believe that this will take Enpass to a new level. https://github.com/pomerium/awesome-security-audits Have you thought about this?
Fabian1 Posted September 16, 2019

Me too. And where is the audit for iOS and macOS?
Fabian1 Posted September 19, 2019

Dear Enpass Team, do you plan an audit for iOS? Best regards.
Sam van der Kris Posted November 14, 2019

I've been using Enpass for a while now and I really like it. I bought premium for both Windows and Android. However, I'm kind of concerned about the security. I know there was a third-party audit, but in the meantime there could have been new vulnerabilities that we don't know about. Open-sourcing Enpass would make it much more secure. Besides, contributions from the community could improve the app even further. And there's no need to worry about income; there will still be plenty of people who will pay for the premium version because it's much easier than compiling the app from source for every update. And the people who would rather compile from source than pay for it probably weren't going to be paying for the premium version either way (and would just pirate it instead or something). I know that this is not an easy decision to make, but I would really appreciate it if you guys would seriously consider open-sourcing Enpass. I think it would be better for everyone. Thank you.
Fabian1 Posted November 18, 2019

+1
Fabian1 Posted November 18, 2019

Still no answer to this very important question. Not a good sign for trust.
Kashish Posted November 18, 2019

Hey @Fabian1, we understand your concern regarding the security audit and appreciate your keenness towards Enpass. Over the last few months, we have been involved in charting out plans for the transition into a new business model. The security audit was postponed as the new subscription model required distinct app functionality, and a security audit done earlier would stand useless for the new app. Once the new app version is released, we'll zero in on the pending security audit. Thanks.
Fabian1 Posted November 19, 2019

Thank you for the quick response.
Insert Real Name Posted November 22, 2019

Why not simply open-source (under a suitably restrictive license regarding commercial reuse) the actual cryptography algorithms, libraries and related code used in the application? That allows competent people to review the cryptography and subject it to whatever testing is necessary, while preserving the intellectual and commercial property inherent in a for-profit company. Granted, security issues could well be elsewhere in the application code, but I think it's going a bit far to think that just open-sourcing the whole application is going to attract the kind of thorough external audit that actually needs to be done at regular intervals. In fact, regular external audits of the whole application really *are* necessary, in addition to disclosures about the cryptography used. It would be great if Enpass is willing to invest that kind of money and publish the results!

UPDATE: I overlooked the other thread in this forum section about planned external security audits. Let's hope Enpass makes those a regular milepost in their plans!

Edited November 22, 2019 by Insert Real Name: More reading...
MisterT Posted November 23, 2019

I also support the idea of open-sourcing the code (security, confidence, reliability, ...). Enpass is providing valuable support, new features and bug correction that require regular updates. As mentioned above by @Sam van der Kris, I'm pretty sure the business model will continue, even in open-source mode. People are ready to pay for a service (package, support, ...), even if the source code is available. Of course, not at any price! But as long as this price is reasonable, the open-source model will allow that. Thanks again for this excellent product!
starlight Posted November 24, 2019

I think after the subscription model has started and a more sustainable form of income is secured, Enpass should consider having intensive audits regularly, as that, indeed, is a very important point.
Fabian1 Posted March 8, 2020

I have the impression that the Enpass team is sleeping. Almost nothing happens here. No bug fixes, no promised changes take place, no updates and no real improvements for a long time. The developers only talk, and the fee is collected every month... Some examples:

Where are the common templates?
Why can't I still create templates from entries?
Why hasn't the bug with the ghost sections that cannot be deleted been fixed for more than 6 months?
Why does Enpass work with a PIN after restarting my smartphone? 1Password requires the master password for security reasons. The Enpass team promised to change that months ago.
Where is the option to use fingerprint and PIN at the same time?
When will there finally be a new independent audit? This has been promised for more than a year!

If you are also dissatisfied, please answer this complaint with "+1".
EdBrady Posted March 12, 2020

I agree - Enpass has gone downhill since the release of v6. The bugs that never get fixed are bad enough. Now that they've broken OneDrive syncing for the second time, I'm looking for an alternative.
Pratyush Sharma Posted March 17, 2020

@Fabian1, we understand that there are requests pending for a long time. However, we're working to improve the app with each version. With version 6.4, we've catered to the long-awaited user request for OneDrive sync for Business. We've forwarded the list of feature requests to our dev team for further thoughts and consideration. Thanks.
rawbert Posted June 11, 2020

What's the latest on this topic?
Vincent91 Posted June 18, 2020

+1
Garima Singh Posted June 19, 2020

Hey All, thanks for using Enpass and sharing this suggestion with us. We really appreciate you exploring the app and taking the time to write this valuable suggestion. The suggestion has been noted and forwarded to the development team. Thanks for the suggestion!
Grunt Futuk Posted July 31, 2020

I've been following this thread for a good while. I'm responsible for recommending security tools for a large professional community in the UK. I'm not currently able to recommend this product, however passionate the developers might be. In this thread there seems to be some conflation around the security practices of:

1. the business itself with respect to penetration testing, security and integrity of the code (to prevent malicious code being added to source), process security (to defend against social engineering of the developers etc.) and so on.
2. the code base and architecture.

It is not at all clear that good security practices are followed, that the staff are all well versed in any recognised international security standard, that they have a common code base, follow security-by-design principles, etc. The fact that adding features, changing the UI, etc. can undermine the work of an audit is also worrying. Of course code changes can introduce new attack vectors and additional security bugs, but there is no clear sense of the layers and modularity to the code base that would limit the risks. I'm also not able to confirm that the programme itself supports, and the developers recommend, the use of strong two-factor authentication, particularly with physical token devices like YubiKey, to access the data the programme is intended to protect.

I had hoped to be able to recommend this to our thousands of members and offer some small discount purchase incentive. We'd have recommended a subscription model to ensure ongoing security updates, maintenance and enhancements. Unfortunately, I do not feel able to progress this further. I wish the business and the development team all the best and hope you are able to mature the product and meet the modern security challenges in due course.
Ankur Gupta Posted August 12, 2020

Hi @Grunt Futuk, thanks for your feedback. We agree with you that a security audit plays an important role for a password manager application, and we have planned one very soon down the line with the release of some exciting features.

To protect the integrity and sanctity of the source code, its access is restricted and controlled by GitLab. Not everyone can push any code into the production branch directly. Every merge request comprising changes is closely reviewed to keep a check on bad practices and malicious activities. The critical security module is additionally reviewed by the senior team and the CTO for security.

From the architecture ground, let me assure you that the codebase is fully modularized. GUI-specific code doesn't perform any cryptographic operations and acts as a client of our core module, which performs all the security-related operations and consists of various parts, i.e. database, cryptography module, network, etc. Our cryptography module is based on open-source SQLCipher and has not changed a bit since the last audit, even after the addition of the subscription model. The core module is written in C++ and is shared by all platforms.

The request to add a second factor in authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement of a second factor for its release. However, the users who store their data on their cloud accounts (iCloud, Google Drive, OneDrive, Dropbox, Box and WebDAV) usually enable 2FA on their cloud accounts, protecting them from unauthorized downloading of Enpass data on other, unauthorized devices. Also, the users who want to add an additional layer with the master password can use a KeyFile, which is required for unlocking Enpass.

We understand your concerns and always take them very seriously. Feedback from our beloved users is what keeps us motivated to make Enpass better every day. Thanks!
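The reply above describes a key file as an extra secret layered on the master password for an offline vault. As an added illustration of that idea (example code written for this thread, not Enpass's or SQLCipher's actual key-derivation scheme, whose parameters are not on this page), the following derives a vault key from the password plus a key file, so that the right password with a missing or wrong key file does not unlock. The iteration count, salt and key file bytes are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed parameter for this illustration, not a value Enpass uses.
PBKDF2_ITERATIONS = 50_000


def derive_unlock_key(master_password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Derive a 32-byte vault key from the master password and an optional key file.

    The key file is hashed (so its size does not matter) and appended to the
    password bytes before PBKDF2, so the same password without the right file
    produces an unrelated key. This is a hypothetical scheme for illustration.
    """
    secret = master_password.encode("utf-8")
    if key_file is not None:
        secret += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """HMAC over a fixed tag, stored alongside the vault so an unlock attempt
    can be checked without storing the key itself."""
    return hmac.new(key, b"vault-unlock-check", "sha256").digest()


def can_unlock(master_password: str, key_file: Optional[bytes],
               salt: bytes, verifier: bytes) -> bool:
    """Recompute the key from the supplied secrets and compare in constant time."""
    candidate = derive_unlock_key(master_password, key_file, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


# Constructed sample vault: created with a password AND a key file.
SAMPLE_SALT = b"\x01" * 16
SAMPLE_KEY_FILE = b"constructed key file bytes for the example\n"
SAMPLE_VERIFIER = make_verifier(
    derive_unlock_key("correct horse battery", SAMPLE_KEY_FILE, SAMPLE_SALT))


def unlock_outcomes() -> dict:
    """Show which combinations of password and key file open the sample vault."""
    return {
        "right password, right file": can_unlock("correct horse battery", SAMPLE_KEY_FILE, SAMPLE_SALT, SAMPLE_VERIFIER),
        "right password, no file": can_unlock("correct horse battery", None, SAMPLE_SALT, SAMPLE_VERIFIER),
        "right password, wrong file": can_unlock("correct horse battery", b"other file", SAMPLE_SALT, SAMPLE_VERIFIER),
        "wrong password, right file": can_unlock("wrong password", SAMPLE_KEY_FILE, SAMPLE_SALT, SAMPLE_VERIFIER),
    }


if __name__ == "__main__":
    for case, opened in unlock_outcomes().items():
        print(f"{case}: {'unlocked' if opened else 'refused'}")
```

Only the first combination unlocks; a key file kept off the synced cloud folder means a leaked vault file alone is not enough even if the password is guessed.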