Enpass Discussion Forum

Don't store password of secondary vault.



Hello, I want to buy Enpass Premium, to be able to have multiple vaults.

My question is: is it possible not to store the password of the secondary vault in the primary vault?
I don't need any auto-unlock features. Entering the password every time is perfectly fine.

This page indicates this is the default:

"When you create multiple vaults, the passwords of other vaults are stored securely in the Primary vault and are removed when you delete the vault. That’s why when you unlock Enpass, all the vaults get unlocked automatically." - https://www.enpass.io/docs/manual-desktop/vault.html#vaults-in-enpass

Can this be changed?

I need different vaults for work and private. I don't want any auto-unlock features or stored passwords for my work data.

This is so bad, because secondary vaults would be ideal to store crypto seeds. Client information... so information that is extremely critical.

When its key is stored in the primary vault, this means it can be accessed with PIN or Touch-ID, which is not secure (and in a lot of cases infringes compliance rules like ISO norms and GDPR).

Edited by Anonym Potato

I can see how unlocking each vault separately might be appealing to some, but while it's technically more secure, practically speaking if you've unlocked Enpass, you've proven you're you, so why not have access to everything?

Having said that, I agree it should be a choice.

  • Like 1

Because this adds a single point of failure. If the primary password is leaked, everything is leaked. Because there is information with different kinds of security levels, this is essential.

Another problem is that in my company the use of PIN codes and biometric authentication like Touch-ID is against the compliance we ensure customers. Also it is unsure if this is compliant with GDPR (because encryption keys are insufficiently secured), which might result in fines up to 10.000.000 EUR (about 11.000.000 USD).

It is the same problem with 1Password. I don't get why this is still a thing. At the moment I am simply using multiple password managers.

I hoped to be able to store everything in the same place. This feature should not be so difficult to implement!
Why is this no problem for everyone?

  • Like 1
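
An added illustration, not part of the thread and not Enpass's actual vault format or code: a minimal Python model of the design point debated above, comparing a primary vault that stores the secondary vault's password (as the quoted manual describes) with one that does not. The cipher is a standard-library stand-in (HMAC-SHA256 keystream, encrypt-then-MAC), and all function names, passwords and records are constructed for the example.

```python
import hashlib, hmac, json, os

def derive_keys(password, salt):
    # One encryption key and one MAC key; iteration count kept low for the demo.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password, record):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    pt = json.dumps(record).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(password, vault):
    # Returns the decrypted record, or None if the password is wrong.
    enc_key, mac_key = derive_keys(password, vault["salt"])
    tag = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        return None
    ks = keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return json.loads(bytes(a ^ b for a, b in zip(vault["ct"], ks)))

def vaults_opened_by(known_password, primary, secondary):
    # Which vaults open for someone who holds only `known_password`.
    opened = []
    record = open_vault(known_password, primary)
    if record is None:
        return opened
    opened.append("primary")
    stored = record.get("secondary_password")  # present only in the chained design
    if stored and open_vault(stored, secondary) is not None:
        opened.append("secondary")
    return opened

# Constructed sample passwords and records.
PRIMARY_PW, SECONDARY_PW = "everyday-pass", "long-memorised-work-pass"
secondary = seal(SECONDARY_PW, {"client": "constructed sample"})
chained = seal(PRIMARY_PW, {"items": [], "secondary_password": SECONDARY_PW})
independent = seal(PRIMARY_PW, {"items": []})

print(vaults_opened_by(PRIMARY_PW, chained, secondary))
print(vaults_opened_by(PRIMARY_PW, independent, secondary))
```

In the chained layout the secondary vault's own password adds no protection once the primary vault can be opened; in the independent layout it remains a separate barrier.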

OK. I just bought the app for macOS and iOS. I hope Sinew will fix this soon. Until then, I will have to continue paying for 1Password.
Why not add a feature like this as an add-on? I am sure there are a lot of people willing to pay 5€ to get more security.

It is really sad, because this might be such an ideal way to get away from this multiple password manager workaround.

  • 5 weeks later...

I totally agree with AP. I would like to see Enpass include an option to manually open vaults one at a time without auto-opening everything as a default.

My main use case here is that I have one vault which I regard as being mission critical and the other that I simply use for everyday use (I even have one I use for general notes). The mission critical vault contains banking and sensitive ID information and the other is less critical and is used more for convenience.

Furthermore, the financial stuff contains links and passwords to access quite a lot of money. I have the password to this vault committed to memory and it is lengthy. In the worst case scenario someone could easily use my fingerprint under force to access this information while it is accessible by the master password/fingerprint.

I simply do not like opening the whole lot all the time, it makes me uneasy.

I may even have to rethink my secure storage if this isn't resolved.

Sorry Enpass, you've got a good (ish) user interface going on here but there is a massive security assumption that you've got completely wrong.

mat

 


I have found a workaround for the scenario mentioned above. Enpass, you're not going to like this though.

The only way to not have the master password opening the secondary vault is to simply delete the secondary vault when not in use, then when I need it, resync it.

This is THE ONLY way that full security can be achieved in Enpass, because in order to open the secondary vault:

1. I would need to enter the master password first

2. Then, enter the cloud storage password to access the DB

3. Then, I would need to unlock the secondary vault with the super strong password

So you see, the only way I can use Enpass securely is to not use it at all!!!

Come on people, surely you can see the madness in this?

 

mat

  • Like 1

I just moved to MiniKeePass.

This app is a bit outdated, but because of a working security model still a much more secure alternative.

It is really sad, but Enpass gives no f** about security. Still no security audit for iOS, master keys stored on the flash memory, secondary keys stored in primary database.
