Enpass Discussion Forum

Security audit


Gili


On 8/12/2020 at 4:14 PM, Ankur Gupta said:

The request to add the second factor in authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement of a second factor for its release.

I wouldn't even say "no requirement", but the most common 2FA used on the web (TOTP, SMS, U2F) would be pure snake oil, as they couldn't contribute to the encryption in any way.


You need to read my message entirely, and in the context of Enpass being an offline-first password manager.

For access to data online, 2FA is totally useful and awesome, but if you already have the data, like your Enpass vault on your computer, TOTP and the like cannot add to the encryption due to the dynamic nature of the codes.

You would need something like a smartcard with encryption keys for proper 2FA on offline data.

A code that is dependent on the time, like in TOTP, or dependent on several factors, as in U2F, cannot be used to add encryption, since you can't get that same code/data later on to add it to decryption.

Sorry for posting a link to my blog, but I explained this in depth over there: https://blog.my1.dev/steganos-privacy-suite-19-is-a-joke

TOTP and many other dynamic code formats can literally only be used to allow or deny access to something. However, when the data is already sitting there, just encrypted, there's nothing you can allow or deny, as you could just either hotwire the checks in RAM to skip that part or decrypt the wallet yourself outside the password manager.

Edited by My1
  • Like 1
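The distinction drawn in the post above (a static factor such as a key file can be mixed into the vault's key derivation, a time-based code cannot, because the same value is not available at a later unlock) can be shown with a small self-contained script. This is an added example written for this thread, not Enpass code; the KDF parameters, the sample key-file bytes and the salt are constructed here, and the TOTP secret is the RFC 6238 test secret so the generated codes can be checked against the RFC's published vectors.

```python
"""
Constructed demonstration (not Enpass code): a static second factor can be
folded into an offline vault's key derivation, a TOTP code cannot, because
the code at unlock time differs from the code at seal time.
"""
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"); codes derived from it
# match the vectors in the RFC appendix, so the TOTP routine is checkable.
DEMO_TOTP_SECRET = b"12345678901234567890"

# Constructed sample values; a real key file would be random bytes stored on
# the device, and a real salt would be random and stored next to the vault.
DEMO_KEY_FILE = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_SALT = b"constructed-salt"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over a time counter."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def derive_vault_key(password: str, second_factor: bytes, salt: bytes) -> bytes:
    """Mix a second factor into the KDF input alongside the master password.

    PBKDF2-HMAC-SHA256 is used only because it is in the standard library;
    the iteration count is illustrative. The point is that whatever bytes go
    in here must be reproducible at every later unlock, or the key is lost.
    """
    ikm = password.encode("utf-8") + b"\x00" + second_factor
    return hashlib.pbkdf2_hmac("sha256", ikm, salt, 100_000, dklen=32)


def key_file_factor_reproduces(password: str = "correct horse") -> bool:
    """A key file's bytes are identical at seal time and at any later unlock."""
    sealed = derive_vault_key(password, DEMO_KEY_FILE, DEMO_SALT)
    later = derive_vault_key(password, DEMO_KEY_FILE, DEMO_SALT)
    return hmac.compare_digest(sealed, later)


def totp_factor_reproduces(password: str = "correct horse",
                           seal_time: int = 59,
                           unlock_time: int = 1111111109) -> bool:
    """Feeding the current TOTP code into the KDF gives a different key later.

    The two timestamps are taken from the RFC 6238 test vectors; any two
    times in different 30-second windows would show the same thing.
    """
    code_at_seal = totp(DEMO_TOTP_SECRET, seal_time, digits=8).encode()
    code_at_unlock = totp(DEMO_TOTP_SECRET, unlock_time, digits=8).encode()
    sealed = derive_vault_key(password, code_at_seal, DEMO_SALT)
    later = derive_vault_key(password, code_at_unlock, DEMO_SALT)
    return hmac.compare_digest(sealed, later)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(DEMO_TOTP_SECRET, 59, digits=8))
    print("key file factor reproduces key:", key_file_factor_reproduces())
    print("TOTP factor reproduces key:   ", totp_factor_reproduces())
```

The only thing a TOTP check can do for an offline vault is gate the unlock UI; the key the vault is actually encrypted under is still derived from the password (plus any static factor) alone, which is why the post treats such a check as something that can be bypassed rather than as added encryption strength. A smartcard or hardware key that holds a stable secret and performs a deterministic operation is different precisely because its output is the same at every unlock.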

  • 1 month later...

In another thread I read that 2FA is on the road map. Is there any more concrete information available like upcoming release or so?

Having 2FA available to log in more securely to Enpass is, for me, an absolute essential feature for password managers in these times, no matter whether they work online or offline. I would like to have something like a hardware token via NFC on my phone as an extra security option in addition to the master keyword. The optional key file itself is, for me, something like a device registration, because the key file is permanently 'integrated' into the mobile app.

When you have 2FA and periodically executed security audits, then Enpass will continue to be my password safe.


  • 1 month later...

Hi @Ankur Gupta, thank you for replying to this topic/thread...

I would like some further explanation from you on the security details / model.

Specifically, since it was not tested by ISE, is Enpass ALSO vulnerable on Windows and Mac in the areas discussed in this article?

https://threatpost.com/1password-dashlane-keepass-and-lastpass/142037/

THANK YOU.
Sincerely,

Emmanuel.


  • 4 months later...
  • 3 weeks later...
  • 6 months later...
On 4/28/2021 at 12:58 PM, Pratyush Sharma said:

Hi @el613

I understand your concern regarding the security audit and appreciate your keenness towards Enpass.

We agree with you that a security-audit plays an important role for a password manager application, and we have planned one for this year itself down the line with the release of some exciting features.

So now, in Nov 2021: would it be unreasonable to ask for a progress update on the security audit that will be completed 'this year'?

  • Like 2

  • 2 weeks later...
  • 1 month later...

Bump. The year is over and it is now 2022...

I've been lurking around Enpass for years, hoping that you might realise that without a security audit happening at regular intervals, the product can't really be taken seriously or be recommended to others.
You have a nice app and the functionality is good. This means that I want to be able to recommend it, but your consistently lax security protocols always leave me wondering "why?"

What gives with no regular security audits (every year or two)?
The codebase should be stable enough to ensure that any new features don't create critical or major security issues.


  • 2 weeks later...
  • 3 months later...

This is a joke.

On 4/28/2021 at 1:58 PM, Pratyush Sharma said:

Hi @el613

I understand your concern regarding the security audit and appreciate your keenness towards Enpass.

We agree with you that a security-audit plays an important role for a password manager application, and we have planned one for this year itself down the line with the release of some exciting features.

It's been more than 1 year. When is it planned?


  • 1 month later...
  • Moderator changed the title to Repeat Audit
4 hours ago, Mohit Thapa said:

Hello all,

I am excited to share that recently Enpass has been audited for the security of the Windows app. The complete audit report is available here on our website. Soon we'll be starting the process for the rest of the platforms.

Thanks for your patience.

Excellent. Well done!

Glad to see so few remarks.

The HTTP service mentioned is, I presume, the WiFi sync part, which isn't used if one doesn't use WiFi sync nor start the service?


23 minutes ago, Ivarson said:

The HTTP service mentioned is, I presume, the WiFi sync part, which isn't used if one doesn't use WiFi sync nor start the service?

WiFi sync is a different service than this. The HTTP service mentioned is used by the mobile apps for manual vault "Backup and Restore over Wi-Fi". Because the Enpass Core part (C++) is shared across all platforms, the buffer overflow was found in the source code audit.

Desktop apps do not use this service.

  • Like 1
  • Thanks 2

On 7/18/2022 at 10:31 AM, Mohit Thapa said:

Hello all,

I am excited to share that recently Enpass has been audited for the security of the Windows app. The complete audit report is available here on our website. Soon we'll be starting the process for the rest of the platforms.

Thanks for your patience.

While the audits are generally positive, various vulnerabilities were noted by the auditors; have these vulnerabilities been addressed and remediated? The audit reports make no mention of this happening...


@LM77

Thank you for your question. I would like to draw your attention to the fact that for every item under 'Identified Vulnerabilities' in the audit report, a note is provided by the team (describing what actions have been taken by the Enpass developers to rectify it).

E.g., if you look at the 'Enpass Windows App and Admin console for Business', page 08:
[image: ENP-01.png, screenshot of the audit report page]

  • Like 1