Enpass Discussion Forum

Master password retrievable from a memory dump of a locked database

After seeing a tweet from someone able to get a master password from a memory dump on Linux, I tried it myself and was able to get a password from a locked database. This is on Windows 10 running Creators Update.

Here is a screenshot.

CaptureEnpass.JPG

Hi @ctrl_alt_pasta

Thanks for writing in. We are aware of this issue, and are on it to fix it very soon.

When talking from the angle of severity of this issue, it can be treated as low severity for a normal user. Because to see a master password from a core dump, one needs to have control over the system, and someone having that level of privilege (equivalent to admin rights) can circumvent every protection of any password manager by getting your master password through other means like key logging, replacing the whole binary with a fake one, etc. Eventually, a password manager cannot offer that much security on a tampered or frail PC.

But I am not saying that we are not careful about the security of your data and master password. We are very concerned about it, and a fix will be rolled out very soon. And as we've stated earlier, we are on the path to refactor Enpass to make it more convenient with the sturdiest level of security.

Meanwhile, we request our beloved users to please bear with us.

  • Author
4 hours ago, Vikram Dabas said:

Hi @ctrl_alt_pasta

Thanks for writing in. We are aware of this issue, and are on it to fix it very soon.

When talking from the angle of severity of this issue, it can be treated as low severity for a normal user. Because to see a master password from a core dump, one needs to have control over the system, and someone having that level of privilege (equivalent to admin rights) can circumvent every protection of any password manager by getting your master password through other means like key logging, replacing the whole binary with a fake one, etc. Eventually, a password manager cannot offer that much security on a tampered or frail PC.

But I am not saying that we are not careful about the security of your data and master password. We are very concerned about it, and a fix will be rolled out very soon. And as we've stated earlier, we are on the path to refactor Enpass to make it more convenient with the sturdiest level of security.

Meanwhile, we request our beloved users to please bear with us.

Thank you for the response.

  • 2 weeks later...

Hi Anshu kumar,

Nice to hear that this issue is fixed in version 5.5.3.

But what about the portable version 5.3.0?

Does this portable version have that issue too?

And if so, when will you fix this security bug?

Hi @ussamkusser

Thanks for writing in. Yes, the portable version also had this issue but the good news is that it has already been fixed. An update of the portable version is already in the testing phase and will be available soon. Till then I request you to please bear with us.

Hello @Anshu kum,

Thanks for your very fast response and the good news that a new portable version is coming soon :)

This topic is now closed to further replies.
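
The issue reported in this thread is a master password that stays readable in process memory after the database is locked. As an added example (not Enpass code, and not a description of how Enpass fixed it), here is one way an application can clear the password on lock and check that it is gone; the `vault_session` struct and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 128

/* Hypothetical in-memory state of an unlocked vault (constructed for this example). */
struct vault_session {
    char   master_pw[PW_MAX];  /* fixed buffer, so no realloc leaves stray copies */
    size_t pw_len;
    int    unlocked;
};

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead writes, which it may do with a plain memset() on a buffer that is
 * never read again. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 0 on success, -1 if the password is empty or does not fit. */
int vault_unlock(struct vault_session *s, const char *pw)
{
    size_t n = strlen(pw);
    if (n == 0 || n >= PW_MAX) return -1;
    memcpy(s->master_pw, pw, n + 1);
    s->pw_len = n;
    s->unlocked = 1;
    return 0;
}

/* Locking clears the whole buffer, not just pw_len bytes. */
void vault_lock(struct vault_session *s)
{
    secure_wipe(s->master_pw, sizeof s->master_pw);
    s->pw_len = 0;
    s->unlocked = 0;
}

/* Regression check: does `needle` still occur anywhere in the session's bytes? */
int session_contains(const struct vault_session *s, const char *needle)
{
    const unsigned char *mem = (const unsigned char *)s;
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= sizeof *s; i++)
        if (memcmp(mem + i, needle, n) == 0) return 1;
    return 0;
}
```

The wipe only covers this one buffer. Copies held elsewhere (UI text fields, key-derivation inputs, pages written to swap) need the same treatment, which is why a check like `session_contains` is worth running against every place the secret passes through.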
