jankkm

Master password unlocks all vaults

This is something I already mentioned on the macOS thread but since it is more about the general design of Enpass I decided to open a new thread about it.

It seems like, with the support of multiple vaults, you took the approach that 1Password took as well: to let the user unlock all his vaults with one master password, which is the password of the primary vault. Am I right so far?

Now, I think for some users this might be a good solution, but for me one reason for using multiple vaults is that I want to have one or more vaults that I only want to unlock very rarely because the passwords are sensitive and/or not often used. The way that Enpass6 works now, it makes it a little better because I can sync my default vault and store the "sensitive" one only locally, but I think you should give us, the users, more of a choice here.

I am very interested how others think about this.

4 minutes ago, chiwou said:

Does the other vault also unlock even with a different password?

No, only the password of the primary vault is able to unlock everything. The passwords of the other vaults seem to be stored encrypted with the password of the primary vault.

Edit:

Sorry, I think I got you wrong, but my answer should still help. The vaults have different passwords, but if you unlock the primary vault every vault is unlocked.

Edited by jankkm


It's happening with me also on Windows 10 that the master password is unlocking all vaults although the passwords for the other vaults are different. Please fix this issue, otherwise it's no use to have multiple vaults.


I don't believe that this is a bug, they probably designed it this way. It would be good to get a statement from Enpass here though.


Hey @jankkm 

Thanks for the input.

I would like to share that Enpass 6 is designed to be used for a single user who is using different vaults to manage his personal and work data. So unlocking of other vaults with the Primary vault makes sense.

Further, it is only the Primary vault where the passwords of other vaults get stored so that you don't have to remember them, and that goes well with the purpose of Enpass. When you unlock the Primary vault, all other vaults get unlocked by fetching their passwords from the Primary vault. 

On 9/23/2018 at 10:09 PM, jankkm said:

The way that Enpass6 works now, it makes it a little better because I can sync my default vault and store the "sensitive" one only locally

For this, you can create a second vault and keep its sync disabled. You don't need to worry about the storage of its password in the Primary vault as it is encrypted with the master password of your Primary vault and no one can access it without the master password of the primary vault.

Thanks!

5 hours ago, Anshu kumar said:

Hey @jankkm 

Thanks for the input.

I would like to share that Enpass 6 is designed to be used for a single user who is using different vaults to manage his personal and work data. So unlocking of other vaults with the Primary vault makes sense.

Further, it is only the Primary vault where the passwords of other vaults get stored so that you don't have to remember them, and that goes well with the purpose of Enpass. When you unlock the Primary vault, all other vaults get unlocked by fetching their passwords from the Primary vault. 

For this, you can create a second vault and keep its sync disabled. You don't need to worry about the storage of its password in the Primary vault as it is encrypted with the master password of your Primary vault and no one can access it without the master password of the primary vault.

Thanks!

Thank you @Anshu kumar for clarifying that this is the way you want to go with Enpass.

I still don't agree that it makes sense in every case and also about not having to worry about security. With this design every vault is only as secure as the primary vault, passphrase-wise. You are right that I can disable sync for a vault, which means it is secure on the storage device/service I am syncing with, but on my PC/Mac I have to use a passphrase on the primary vault that is at least as secure as the passphrases of the other vaults if I don't want to sacrifice security.

I think this doesn't make sense because the passphrase of the primary vault is the one I have to type in very frequently so I don't want it to be too complicated and long but if the more complex passphrase of a separate vault is stored in that primary vault, again, the added security of the separate vault is gone (again, only locally).

Also I like to use the PIN after typing in the passphrase once which weakens security in favor of convenience. It would be irresponsible to do this if the security of every vault depends on that PIN.

I think it shouldn't be too hard to allow vaults that have to be unlocked individually and it would help a lot!

I hope you understand my concerns and think about this again. Especially considering that 1Password has exactly the same weakness and quite a few users who are unhappy with it (https://discussions.agilebits.com/discussion/56271/individual-unlocking-of-secondary-vaults-gone-in-1password-6).

Edited by jankkm
  • Like 1


I totally agree with Jankkm, please give us the option to unlock secondary vaults with their own passwords or with the master vault password.


I would argue that, as there is an option when creating a vault to store the vault password in the master vault (i.e. you can choose not to), and it is possible to delete the vault password entry later (and presumably also re-create it), automatic unlocking of secondary vaults should be based on which passwords are stored in the master vault.

I.e. if a secondary vault password is stored in the master vault, then that secondary vault is automatically unlocked; if the secondary vault password is not stored, then that secondary vault is not automatically unlocked.

Matthew
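
The rule proposed in the post above (auto-unlock a secondary vault only when its password is stored in the master vault), sketched as an added example. This is not Enpass code: the `Vault` class, the `vault-password:` entry name and the sample passphrases are assumptions made for illustration, and a PBKDF2 verifier stands in for real vault encryption.

```python
import hashlib, hmac, os

ITERATIONS = 50_000  # constructed work factor for this demo

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Vault:
    """Toy vault: a salted PBKDF2 verifier stands in for real vault encryption."""

    def __init__(self, name: str, password: str):
        self.name, self.salt = name, os.urandom(16)
        self.verifier = _kdf(password, self.salt)
        self.unlocked = False
        self._items = {}

    def unlock(self, password: str) -> bool:
        ok = hmac.compare_digest(_kdf(password, self.salt), self.verifier)
        self.unlocked = self.unlocked or ok
        return ok

    def store(self, key: str, value: str) -> None:
        self._items[key] = value

    def read(self, key: str):
        # Items are only readable while the vault is unlocked.
        return self._items.get(key) if self.unlocked else None

def unlock_with_primary(primary, secondaries, master_password):
    """Return the names of vaults opened by typing only the master password."""
    if not primary.unlock(master_password):
        return []
    opened = [primary.name]
    for vault in secondaries:
        stored = primary.read("vault-password:" + vault.name)  # hypothetical key
        # Auto-unlock only when the user chose to keep this password in primary.
        if stored is not None and vault.unlock(stored):
            opened.append(vault.name)
    return opened

def build_demo():
    # Constructed sample vaults and passphrases.
    primary = Vault("primary", "short daily phrase")
    work = Vault("work", "work vault phrase")
    rare = Vault("rare", "long rarely typed passphrase")
    primary.store("vault-password:work", "work vault phrase")  # user opted in
    return primary, work, rare  # nothing is stored for "rare"

if __name__ == "__main__":
    p, w, r = build_demo()
    print(unlock_with_primary(p, [w, r], "short daily phrase"))
```

Whoever knows the primary passphrase opens `work` as well, while `rare` stays closed until its own passphrase is typed.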


@Anshu kumar

I agree with @mdovey also, and strongly encourage some thought in providing the option to store vault passwords in the master vault or not, to provide better flexibility and security. Thanks for your consideration.
