Anonym Potato

Don't store password of secondary vault.

Hello, I want to buy Enpass Premium, to be able to have multiple vaults.

My question is: is it possible not to store the password of the secondary vault in the primary vault?
I don't need any auto-unlock features. Entering the password every time is perfectly fine.

This page indicates this is default:

"When you create multiple vaults, the passwords of other vaults are stored securely in the Primary vault and are removed when you delete the vault. That’s why when you unlock Enpass, all the vaults get unlocked automatically." - https://www.enpass.io/docs/manual-desktop/vault.html#vaults-in-enpass

Can this be changed?

I need different vaults for work and private. I don't want any auto-unlock features or stored passwords for my work data.


For the moment it would be enough if multiple passwords were only possible on the phone (iOS). On the computer I don't have to manage multiple vaults (separate personal and work PCs).


AFAIK by default you have to confirm if you’d like to store the password items of your secondary vaults in your main vault. But for now the Master Password unlocks all the other vaults, too. 


I don't know, maybe for comfort reasons. But you're right that there should be at least an option to prevent the automatic unlock process of all the other vaults with the main Master Password.


This is so bad, because secondary vaults would be ideal to store crypto seeds. Client information... so information that is extremely critical.

When its key is stored in the primary vault, this means it can be accessed with PIN or Touch ID. Which is not secure (and in a lot of cases infringes compliance rules like ISO norms and GDPR).


I can see how unlocking each vault separately might be appealing to some, but while it's technically more secure, practically speaking if you've unlocked Enpass, you've proven you're you, so why not have access to everything?

Having said that, I agree it should be a choice.

  • Like 1


Because this adds a single point of failure. If the primary password is leaked, everything is leaked. Because there is information with different kinds of security levels, this is essential.

Another problem is that in my company the use of PIN codes and biometric authentication like Touch ID is against the compliance we ensure customers. Also it is unsure if this is compliant with GDPR (because encryption keys are insufficiently secured), which might result in fines up to 10.000.000 EUR (about 11.000.000 USD).

It is the same problem with 1Password. I don't get why this is still a thing. At the moment I am simply using multiple password managers.

I hoped to be able to store everything in the same place. This feature should not be so difficult to implement!
Why is this no problem for everyone?

  • Like 1
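
The single-point-of-failure argument in the post above, as an added Python example that is not part of the thread and not Enpass's code: a simplified model in which each vault is sealed under its own password, comparing a primary vault that stores the secondary vault's password with one that does not. The function names, the passwords and the stdlib-only toy cipher are all constructed for illustration.

```python
import hashlib, hmac, json, os

def _keys(password, salt):
    # Constructed parameters; a real product would use its own KDF settings.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]                      # (encryption key, MAC key)

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode keystream, stdlib only (stand-in for an AEAD).
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password, items):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _keys(password, salt)
    ct = _xor_stream(enc, nonce, json.dumps(items).encode())
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(password, blob):
    enc, mac = _keys(password, blob["salt"])
    tag = hmac.new(mac, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None                            # wrong password or tampered blob
    return json.loads(_xor_stream(enc, blob["nonce"], blob["ct"]))

def reachable(master, vaults):
    """Vault names that knowledge of the master password alone opens."""
    primary = open_vault(master, vaults["primary"])
    if primary is None:
        return set()
    opened = {"primary"}
    for name, pw in primary.get("vault_passwords", {}).items():
        if open_vault(pw, vaults[name]) is not None:
            opened.add(name)
    return opened

def build(escrow):
    # Constructed sample passwords and items.
    work_pw = "long-work-passphrase"
    primary = {"mail": "hunter2"}
    if escrow:
        primary["vault_passwords"] = {"work": work_pw}
    return {"primary": seal("master-pw", primary),
            "work": seal(work_pw, {"client-db": "s3cret"})}

if __name__ == "__main__":
    print(sorted(reachable("master-pw", build(escrow=True))))   # both vaults
    print(sorted(reachable("master-pw", build(escrow=False))))  # primary only
```

With the password stored in the primary vault, anything that unlocks the primary (master password, PIN or biometric shortcut) reaches the work vault as well; without it, the work vault still requires its own passphrase.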


OK. I just bought the app for macOS and iOS. I hope Sinew will fix this soon. Until then, I will have to continue paying for 1Password.
Why not add a feature like this as an add-on? I am sure there are a lot of people willing to pay 5€ to get more security.

It is really sad, because this might be such an ideal way to get away from this multiple password manager workaround.


I totally agree with AP. I would like to see Enpass include an option to manually open vaults one at a time without auto-opening everything as a default.

My main use case here is that I have one vault which I regard as being mission critical and the other that I simply use for everyday use (I even have one I use for general notes). The mission critical vault contains banking and sensitive ID information and the other is less critical and is used more for convenience.

Furthermore, the financial stuff contains links and passwords to access quite a lot of money. I have the password to this vault committed to memory and it is lengthy. In the worst case scenario someone could easily use my fingerprint under force to access this information while it is accessible by the master password/fingerprint.

I simply do not like opening the whole lot all the time, it makes me uneasy.

I may even have to rethink my secure storage if this isn't resolved.

Sorry Enpass, you've got a good (ish) user interface going on here but there is a massive security assumption that you've got completely wrong.

mat


I have found a workaround for this scenario mentioned above. Enpass, you're not going to like this though.

The only way to not have the master password opening the secondary vault is to simply delete the secondary vault when not in use, then when I need it, resync it.

This is THE ONLY way that full security can be achieved in Enpass because in order to open the secondary vault:

1. I would need to enter the master password first

2. Then, enter the cloud storage password to access the DB

3. Then, I would need to unlock the secondary vault with the super strong password

So you see, the only way I can use Enpass securely is to not use it at all!!!

Come on people, surely you can see the madness in this?

 

mat

  • Like 1


I just moved to MiniKeePass.

This app is a bit outdated, but because of a working security model still a much more secure alternative.

It is really sad, but Enpass gives no f** about security. Still no security audit for iOS, master keys stored on the flash memory, secondary keys stored in primary database.
