April 16, 2018 1 minute ago, Audit said: Dear Team, Concerned user here as well, switching back to another solution until the day you publish audit results. Please make it happen! Because I like the software, but at this point I hesitate to fill in any sensitive data. Worried about backdoors and such. I'm keeping some of my information in Passpack until an audit has been done. I know we have to wait for the next version.
April 17, 2018 Author It has now been over a year and a half since I requested a security audit. Enpass staff has replied multiple times, making promises that they did not keep. Enpass has already given us an answer through their actions: there will be no security audit. You need to ask yourself why that is, and whether you are willing to use this security product without it. Based on what we've seen, posting on this forum will not change anything. I have unsubscribed from this post. Good luck, Gili
May 14, 2018 Can someone confirm if Enpass will be doing a security audit? If there will be no security audit, I will be leaving Enpass like @Gili and I will use a different password manager. The responsiveness of the staff tells me that security is not really a top priority to Enpass (maybe a priority, but not a top priority). Edited May 14, 2018 by Kamute
May 15, 2018 Hi @Kamute, Thanks for writing in. 11 hours ago, Kamute said: Can someone confirm if Enpass will be doing a security audit? Yes, we will get Enpass 6 audited for security. The development is on the way and the beta is due by the end of this month. Here's a sneak peek at the latest UI which comes along with the update. I appreciate your patience in the meantime.
May 17, 2018 On 5/15/2018 at 12:05 AM, Anshu kumar said: Hi @Kamute, Thanks for writing in. Yes, we will get Enpass 6 audited for security. The development is on the way and the beta is due by the end of this month. Here's a sneak peek at the latest UI which comes along with the update. I appreciate your patience in the meantime. Thank you for responding, @Anshu kumar
June 12, 2018 As 1Password has changed their licensing policies I'm looking elsewhere for a more affordable solution and came across Enpass, as well as LastPass and Dashlane. With 1Password numerous 3rd party audits are available on the internet, and for Dashlane I could also find a pretty interesting 3rd party audit, alas for an older version. For LastPass it was more difficult to find such audits (although I did find several mentions of vulnerabilities), but I discovered that hacker groups discussed the security of LastPass and appear to feel safe with it; that's a good second best for a security audit. So I started looking for a 3rd party audit of Enpass and stumbled upon this discussion and was surprised by the reluctance of Enpass to have version 5 audited. In my opinion it's just ridiculous to postpone an audit because a new version is going to be launched. Why not have version 5 audited? Isn't it secure enough to be audited? I actually don't care about the latest version of your software being audited. Audits are about gaining trust. I would be very interested to read 3rd party audits for any older version, even though you might have several vulnerabilities in those fixed already. Each and every audit tells something about you, the company writing the software. If you are really serious about getting a 3rd party audit involved then do so immediately, with the current version of the software. Right now this discussion reads like a joke. I cannot take Enpass as a serious alternative to 1Password. I'd rather pay the hefty fees for 1Password.
June 12, 2018 @rembert While I fully agree that it is annoying to wait for version 6 to get an audit, they kind of do have a point. Audits are probably expensive as hell, and where a new version is in development it would be kind of ugly to audit the old version: users would take that as a reason not to get the newer version, or users wouldn't trust the new version as much as the old one.
June 19, 2018 Well, finally we have some visible progress. The beta of EP6 started, so now we have something to work with.
June 20, 2018 We are on it and the audit will start with the final betas of Enpass. We assure you that the final release in the market will be duly audited. Thanks a lot for your patience and understanding.
July 1, 2018 I think one thing that would help at the VERY least is to provide some insightful details about the types of cryptography going on here, and how it's handling that. Something LastPass also does is provide reasonable levels of detail about what they do, where it does it, and what algorithms are being used. For one example I note, just looking at the Enpass binary, I ran ldd on it in Linux and see that it's linked against libgcrypt, libssl-1.0.0, etc. But I also note that it's linked with libsodium, however that's "not found", specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used? I personally like the concept of Enpass. I'd like to know a little more about what's under the hood of its design from a security standpoint. A lot of people can say they use military-grade AES-256 encryption, but HOW they implement it could completely break it in a snap. Some people here pointed out the country of origin. To me that is mostly immaterial. What is more important is security itself, and the fact is: Security Is Hard, as Steve Gibson himself always says on his podcast show, Security Now. Take a look at how LastPass describes what they do for security from a technical point of view: https://lastpass.com/whylastpass_technology.php
July 2, 2018 Hi @Psi-Jack, You can find more details about security and cryptography in Enpass here: https://www.enpass.io/security/ and https://www.enpass.io/docs/enpass-security-whitepaper/index.html 8 hours ago, Psi-Jack said: For one example I note, just looking at the Enpass binary, I ran ldd on it in Linux and see that it's linked against libgcrypt, libssl-1.0.0, etc. But I also note that it's linked with libsodium, however that's "not found", specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used? libsodium is being used for encrypting the browser extension communication channel. It is present in the /opt/Enpass/lib folder; that's why running ldd on the Enpass binary says libsodium.so.18 => not found, which just means that ldd couldn't find the library in your system at the standard locations.
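The ldd exchange above, as an added example that is not from this thread or from Enpass: a POSIX shell snippet that pulls the "not found" sonames out of ldd output and checks whether they actually live in an application's private library directory, which is what a "not found" line from a plain ldd run usually comes down to. The /opt/Enpass/lib directory is the one named in the reply; the binary path /opt/Enpass/Enpass and the ldd output embedded in the script are constructed for the example. One caveat a practitioner would want: some ldd implementations obtain dependency information by running the program's dynamic loader, so on a binary you do not yet trust, list NEEDED entries with readelf -d or objdump -p instead of ldd.

```shell
#!/bin/sh
# Added example (not Enpass code): triage "not found" lines from ldd by
# checking the vendor's private library directory for the missing sonames.

# Constructed sample of ldd output for a binary whose vendor-shipped library
# is not on the loader's default search path (the libsodium line mirrors the
# symptom described in the thread; the other lines and addresses are made up).
SAMPLE_LDD_OUTPUT='        linux-vdso.so.1 (0x00007ffd6a5f0000)
        libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f3c1c000000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3c1b800000)
        libsodium.so.18 => not found
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1b400000)'

# Print the sonames that ldd could not resolve, one per line.
#   $1: ldd output (text)
missing_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For each unresolved soname, report whether it exists under a directory.
# Prints "<soname> found <path>" or "<soname> missing", one line per soname.
#   $1: ldd output (text), $2: directory to search (e.g. /opt/Enpass/lib)
locate_missing() {
    missing_libs "$1" | while IFS= read -r soname; do
        if [ -f "$2/$soname" ]; then
            printf '%s found %s\n' "$soname" "$2/$soname"
        else
            printf '%s missing\n' "$soname"
        fi
    done
}

# Run the same triage against a real binary on this machine.
#   $1: path to the executable, $2: vendor library directory
# Both paths below are assumptions for illustration, e.g.:
#   check_binary /opt/Enpass/Enpass /opt/Enpass/lib
# Only do this on a binary you already trust (see the ldd caveat above).
check_binary() {
    out=$(ldd "$1" 2>&1)
    locate_missing "$out" "$2"
}

# Demo on the constructed output; pass a directory as the first argument to
# override the one from the thread.
locate_missing "$SAMPLE_LDD_OUTPUT" "${1:-/opt/Enpass/lib}"
```

To make ldd itself resolve such a library, prefix the call with the vendor directory on the loader path, e.g. LD_LIBRARY_PATH=/opt/Enpass/lib ldd /opt/Enpass/Enpass (paths assumed as above). ldd honours RPATH and RUNPATH entries baked into the executable, so a "not found" from a plain run usually means the program relies on a launcher script setting LD_LIBRARY_PATH, or opens the library itself by explicit path; readelf -d on the binary shows whether an RPATH or RUNPATH is set.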
July 2, 2018 Btw, regarding Sodium, I just did a search on my PC for anything sodium related and I didn't find any Sodium files in the Enpass related folders. Is that because Windows is using something else, or is there something wrong?
July 2, 2018 Hi @My1, Thanks for writing in. Yes, the Windows version uses libsodium as well. You can see it alongside the main Enpass binary in the installation folder. However, if you have installed Enpass from the Windows Store, it won't appear in a system search. Hope this helps!
July 2, 2018 As I am HEAVILY against W10, I can assure you that I don't have the Store version. These are the folder views for Enpass 5 and 6 respectively, with no sodium to be found.
July 2, 2018 Hi @My1, Thanks for writing back. It seems that you are running an older version of Enpass Portable. The latest version is available here on the website. Please check and let us know. Cheers!
October 23, 2018 Good morning everyone. Almost four months without any update on this thread. So what's the status of the security audit? Cheers, SwissIndoor
November 5, 2018 On 2/13/2017 at 2:02 PM, Hemant Kumar said: Hello, everybody! I truly understand your concern for a software holding critical information and not being open sourced or audited by any credible third party agency. Well guys, thanks for all your comments and we've decided to get a third party audit of Enpass. But all we need is just some more time, as after the upcoming release of Attachments (beta is already there), we'll work on some key features like multiple vaults with a need of refactoring the core engine, and I think that would be the best time to go for the audit, all at once. Till then, please bear with us and all I ask for is your co-operation. Cheers! I feel this is extremely important, especially based on your industry. You need to show us, your users that trust you, that this trust is not misplaced. Now, I think it's been long enough that you have not had this done, and it needs to be done. I feel that most of the stuff you mentioned above has been implemented. You have also previously stated that security is #1. So then, can we please get a serious answer about this? Are you doing an audit? Who is doing it? When is it starting? When do you expect the results?
December 4, 2018 Hey there, I just created this account to chime in with others. I have been looking into the password manager options for a while and thought Enpass might be the best of all options out there for a number of reasons – not being subscription-based, opt-in cloud sync, competitive pricing, etc. Thus I was considering using Enpass as my default password manager. And then I came across this post. The current situation over the security audit being pushed back due to delayed releases of upcoming version 6 is quite problematic. This goes back to over 2 years ago now. One may wonder if this will ever happen. Alas, I come to the conclusion that I can neither use nor recommend this solution as of this writing. I suspect I may not be the only one keeping away from Enpass for this reason. Perhaps you should consider the security audit as a business opportunity, even more so in the enterprise space, as a way to bring in more customers. I have no doubts about your intentions regarding the auditing of the software and wish you will proceed with it as soon as the next version is ready. Hopefully we can revisit Enpass in the future and recommend it to everyone looking for a great password management solution. In the meantime, keep up the good work and – Just do it! @Hemant Kumar, @Anshu kumar, @Akash Vyas, @Vinod Kumar, and the rest of the Enpass team.
December 5, 2018 7 hours ago, justdoit said: Hey there, I just created this account to chime in with others. I have been looking into the password manager options for a while and thought Enpass might be the best of all options out there for a number of reasons – not being subscription-based, opt-in cloud sync, competitive pricing, etc. Thus I was considering using Enpass as my default password manager. And then I came across this post. The current situation over the security audit being pushed back due to delayed releases of upcoming version 6 is quite problematic. This goes back to over 2 years ago now. One may wonder if this will ever happen. Alas, I come to the conclusion that I can neither use nor recommend this solution as of this writing. I suspect I may not be the only one keeping away from Enpass for this reason. Perhaps you should consider the security audit as a business opportunity, even more so in the enterprise space, as a way to bring in more customers. I have no doubts about your intentions regarding the auditing of the software and wish you will proceed with it as soon as the next version is ready. Hopefully we can revisit Enpass in the future and recommend it to everyone looking for a great password management solution. In the meantime, keep up the good work and – Just do it! @Hemant Kumar, @Anshu kumar, @Akash Vyas, @Vinod Kumar, and the rest of the Enpass team. +1
December 7, 2018 Agree 100% with justdoit - the longer this goes on the more suspicious people are getting. At this point, I'm out until this is resolved.
December 22, 2018 As a security auditor's assistant: every IT company needs to do a security audit and needs an additional security certificate, so every member and user can understand the security level. Also, you have to show your PCI certificate on your site if you have one, so we can understand how much you take care of our data. I'm an auditor, and I know how costly it is if any company has data breached from their sites, so please understand the requirements of a security audit. A system audit is required every 3 to 5 years.