Magnus_Carlsen

Can Enpass see my passwords


My question is simple and straightforward. I was not able to find a clear answer to this question.

I know that I am storing my passwords on my own local storage, which makes it way safer than cloud-based managers. My question is: can Enpass get my passwords? We are using the Enpass platform at the end of the day. Can they build a back door into the application that allows them to get our passwords?

Don't get me wrong, I love Enpass, but I want to make sure that I'm safe.

Cheers, 


Hi @Magnus_Carlsen,

Thank you for reaching out to us. 

The correct, or rather the more accurate, question would be: does Enpass intend to create such a backdoor to steal customer passwords in the future? The answer would be a straightforward no. As a business, Enpass has larger goals that benefit from securing customer data (since we are a security company), not from stealing it. We have complete control over the queries originating from Enpass to servers and what they entail.
Furthermore, we have abundant users who happen to be experts in the security domain and who are more than capable of identifying any such misadventure just by looking at the URL connections created by Enpass and what they contain.
Lastly, we get regular third-party audits, whose reports are available on our website. Please check out the link here.

Thanks!

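The reply above says that a security-minded user can spot misbehaviour by watching which hosts the client connects to. The script below is an added example of that check, not code from Enpass or from anyone in this thread. It assumes a constructed "<process> <pid> <host>:<port>" line format standing in for whatever you actually capture (lsof -i, ss -tnp, a proxy log), and the hostnames in the allowlist and sample are hypothetical: the idea is that you list only the sync provider you configured plus the vendor's own domain, and everything else, including bare IP destinations and non-TLS ports, gets flagged.

```python
"""Audit a password manager's outbound connections against an allowlist.

Added example; not code from Enpass or from this thread. Input lines use a
constructed "<process> <pid> <dst_host>:<dst_port>" form standing in for
whatever you actually capture (lsof -i, ss -tnp, a proxy log). Hostnames in
ALLOWED_SUFFIXES and in the sample are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the user syncs through Dropbox and expects nothing else except
# the vendor's own domain. Replace with the providers you configured.
ALLOWED_SUFFIXES = ("dropboxapi.com", "dropbox.com", "enpass.io")
TLS_PORTS = {443}


@dataclass
class Finding:
    line: str
    reasons: list


def host_allowed(host: str) -> bool:
    """Suffix match on a label boundary, so evil-dropbox.com does not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse(line: str):
    proc, pid, dest = line.split()
    host, _, port = dest.rpartition(":")  # also handles [v6addr]:port
    return proc, int(pid), host.strip("[]"), int(port)


def audit(lines, process: str = "Enpass"):
    """Return one Finding per connection of `process` that deserves a look."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        proc, _pid, host, port = parse(raw)
        if proc != process:
            continue
        reasons = []
        if is_ip_literal(host):
            reasons.append("bare IP destination, no DNS name to vet")
        elif not host_allowed(host):
            reasons.append(f"{host} is not in the allowlist")
        if port not in TLS_PORTS:
            reasons.append(f"port {port} is not a TLS port")
        if reasons:
            findings.append(Finding(raw, reasons))
    return findings


# Constructed sample, not a real capture.
SAMPLE = """\
# process pid destination
Enpass 4242 api.dropboxapi.com:443
Enpass 4242 content.dropboxapi.com:443
Enpass 4242 update.enpass.io:443
Enpass 4242 203.0.113.9:443
Enpass 4242 telemetry.example.net:80
Firefox 9001 example.org:443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE.splitlines()):
        print(f.line, "->", "; ".join(f.reasons))
```

Run it against the sample and the two lines that should worry you are reported (the raw IP, and the plaintext port-80 connection to an unknown host); the Firefox line is ignored because only the named process is audited. The suffix check deliberately requires a label boundary, otherwise a lookalike such as evil-dropbox.com would slip through an allowlist containing dropbox.com.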

Thank you very much for your quick reply, Anshu.

Although I want to believe what you are saying, I cannot help asking these questions.

  1. Why aren't you making Enpass open source like Bitwarden? I would like to see the code of this software to feel more confident about this.
  2. The security audit is convincing, but it was done on 18/11/18, that is 9 months ago. I'm assuming you will be doing another security audit in 3 months.

Anshu, please don't get me wrong. I want Enpass to be one of the biggest password managers while killing those ridiculously expensive subscription-based password managers. I believe Enpass can be that company, but first and foremost you have to ensure there are no question marks in people's minds regarding security.


Hi @Magnus_Carlsen

Thanks a lot for liking Enpass and sharing your thoughts with us. I do understand your concern about the security of your data. You can be assured that here at Enpass we are always on our toes making sure that Enpass stays secure and trustworthy for our users.
It was only for the peace of mind of everyone that we switched to SQLCipher (an open-source cryptography engine) a while back. I also understand that by only using an open-source technology in software, one can't vouch for the overall security of the software. It's more about the implementation and the interaction with and around SQLCipher. To check how prudent Enpass is in dealing with your data saved in SQLCipher, we got the first audit done for version 6. I do agree with you that it's been 9 months since then and Enpass has been updated a couple of times after that, and as a user you would like to see audits happen more frequently.

Even though we at Enpass share the same desire for frequent audits to gain credence with our user base, the recurring cost is just not viable at the current stage. However, we assure you that our future plans aim to cover these drawbacks and deliver audits at a more frequent pace.

On 7/22/2019 at 8:30 AM, Magnus_Carlsen said:

Why aren't you making Enpass open source like Bitwarden? I would like to see the code of this software to feel more confident about this.

I take your point that if Enpass were open source, you could check the code yourself for your satisfaction from a security perspective, and we would not need to pay for audits either. But in reality, the risk to your data would stay the same if you install the binaries downloaded from our website and app store accounts. Furthermore, the majority of Enpass users would not have time to compile the source for all platforms, sign it and then use it. At the end of the day, it all comes down to the intentions of the software provider and whether they are actually using the same source code in the software as published. I am not saying that companies following the open source practice are not trustworthy, but just want to communicate that we are working with benign intentions and would favour getting the audits done more frequently over going open source.

I hope that helps in answering your queries.

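The reply above rests on the vault being a SQLCipher database, and on the user having to trust the shipped binary. One thing a user can verify locally without source access is that the file on disk is actually ciphertext and not a plain SQLite database. The script below is an added example, not Enpass code, and assumes only what the reply states: SQLCipher encrypts every page, including page 1, so the "SQLite format 3" header is absent and the file begins with a 16-byte random salt followed by ciphertext. It builds a constructed plaintext database and a constructed random blob as stand-ins for the two cases and reports the header, the entropy of the first page, and whether a secret you know is in the vault appears verbatim in the file.

```python
"""Check that a vault file on disk is not a plaintext SQLite database.

Added example; not Enpass code. It assumes only what the reply states: the
vault is a SQLCipher database. SQLCipher encrypts every page, including
page 1, so the plain "SQLite format 3" header is absent and the file starts
with a 16-byte random salt followed by ciphertext.
"""
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for a plain DB page."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_vault(path: str, probe: bytes = b"", sample: int = 4096) -> dict:
    """Report the header check, first-page entropy, and whether `probe`
    (a secret you know is stored in the vault) appears verbatim in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    head = data[:sample]
    plaintext_sqlite = head.startswith(SQLITE_MAGIC)
    entropy = shannon_entropy(head)
    return {
        "plaintext_sqlite": plaintext_sqlite,
        "entropy": round(entropy, 3),
        "probe_found": bool(probe) and probe in data,
        # Assumption: no SQLite header plus near-random bytes is taken as
        # encrypted. 7.5 bits/byte leaves margin on a 4 KiB sample.
        "looks_encrypted": not plaintext_sqlite and entropy > 7.5,
    }


def make_plaintext_db(path: str, secret: bytes) -> None:
    """Constructed stand-in for a vault that was never encrypted."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE items (title TEXT, password TEXT)")
    conn.execute("INSERT INTO items VALUES (?, ?)", ("example.com", secret.decode()))
    conn.commit()
    conn.close()


def make_random_blob(path: str, size: int = 8192) -> None:
    """Constructed stand-in for a SQLCipher file (random salt + ciphertext)."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))


def demo(secret: bytes = b"hunter2"):
    """Inspect one plaintext and one encrypted-looking file; returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain.db")
        enc = os.path.join(tmp, "encrypted.db")
        make_plaintext_db(plain, secret)
        make_random_blob(enc)
        return inspect_vault(plain, secret), inspect_vault(enc, secret)


if __name__ == "__main__":
    for name, report in zip(("plaintext", "encrypted"), demo()):
        print(name, report)
```

Point `inspect_vault` at your real vault file with a probe string you know is stored in it. A plaintext SQLite file is caught by the header alone, and the probe shows the secret sitting in the clear; a SQLCipher file shows no header, no probe hit, and near-8 entropy. This is a sanity check on encryption at rest only: it says nothing about the key derivation, the cipher configuration, or what the application does with the data once it is unlocked.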

Good response @Hemant Kumar, but I think another thing is the selling point of Enpass.

While some other password managers have their source code opened, they offer subscriptions, online storage and/or sync of the vaults.

Enpass's motto is "No subscription" and "...nothing is stored on our servers".

What Enpass has is a good piece of software, especially considering the cross-platform UX with clients for a broad range of operating systems.

While it still lacks autotype, it's still unbeatable at being everywhere: from Linux desktop all the way to my wrist.

Opening up the code completely would lead to numerous forks on GitHub in no time, and the golden egg wouldn't... well, there would be more eggs.

And, sure, the third fork could have a one-liner backdoor implemented, but that applies to all software on GitHub.

IMHO it's fully understandable if Enpass, having 25 employees with paychecks working hard on numerous platforms, wants to keep an ace up their sleeve; it just happens to be one of the _worst_ software categories to keep behind closed bars nowadays :-)

While I was one of those asking for an audit, which you did (kudos again), perhaps you could still consider opening parts up in the distant future.

For instance, in version 6, core and UI are written separately; perhaps you could open up the core code, leaving the GUI proprietary?

Or open up core+UI but leverage some extra parts only through licensed stores, which you're already doing (Pro).

E.g. Enpass could be available as FOSS on GitHub, but the cloud sync would only be available on your site (still free for desktops).
