I’ve read that several people posting on TidBITS Talk are leaning towards using Enpass and I’m trying to evaluate it as a refuge from LastPass.
The main reason that I see cited in favor of Enpass and apparently the principal difference between it and most other popular password managers is that Enpass does not store your data on their own server. So, for example, a user can host their Enpass vault(s) on their choice of cloud service or even on their own local computer.
But, I’m troubled by what I perceive as a sparse history of third-party security assessments. As I understand, Enpass has published only a single security assessment by an independent party, which in 2018 assessed versions 5 and 6 for only Android and Windows. (Enpass’ current version on their website or the Mac App Store is 6.8.4, released on October 31, 2022.)
Should I be concerned about:
- Enpass’ level of transparency, or
- The significance of vulnerabilities uncovered in this review?
Does Enpass offer any significant differences from other popular password managers beyond the wide range of vault hosting choices?
I don’t think I can really answer your questions (and I haven’t tried Enpass), but it does seem like there is another Windows assessment from July 2022 here: Security Audit Report - Enpass.
Thank you for citing this web page which indicates that there are two audit reports from 2022.
Unfortunately, I don’t see any links on that page to the reports themselves.
After a bit of searching, I found this, which seems to cover the 2022 audit reports:
Is anyone concerned by the findings?
It looks like the Acrobat icons on that page (Security Audit Report - Enpass) link to reports.
Yes, you are correct; the images in the last column are links to the reports.
That column was blank when I looked at this page on my iPhone in portrait view:
However, now I see that after turning my iPhone to landscape, the column displays the icons:
Sorry for any confusion that I caused.
Well, as the report summary states, “Generally speaking, Cure53 [the test company] gained a positive impression regarding the security posture of the Enpass client…” (I love reading pen-test reports.)
To answer your question for myself, I didn’t see anything of particular concern. On the other hand, they only tested the Windows client and the Enpass server backend. The one “high” level vulnerability is a hypothetical registration hack that could result in the escalation of privileges to those of a license level beyond that purchased. However, I’m a single user in a house, not a corporate user in a commercial building. So this form of privilege escalation doesn’t seem to pose a risk to me.
I’m about to switch permanently to Enpass after trying it for a few weeks. To me, any security vulnerability would have to revolve around what a bad guy could do if he were able to breach iCloud security (I use the iCloud sync model), or steal my phone or Mac and breach that security, and end up with a copy of my Enpass database. I didn’t see this specifically addressed in the test, but perhaps I missed it.
FWIW: I’ve been using Enpass for a year or two now, replacing 1Password. From a functional point of view, I’m very happy with it.
I too have Enpass, having moved from 1Password after they moved to the cloud; the LastPass debacle confirmed my choice.
Are you doing local sync or using Dropbox or another cloud? I really like the convenience of Dropbox sync, and since their copy is fully encrypted I’m not worried about somebody stealing the encrypted blob, as I would have a long enough password to prevent anything but a brute force attack. Local Wi-Fi sync is less convenient but still far easier than other alternative apps for that…and still one needs to adequately back up the encrypted data, and copying it to Dropbox or something gets one back into the cloud sync equivalent anyway. I also don’t like the no auto backups idea…you set up a destination for what the app calls automatic backups, but there’s no scheduling to make them happen automatically. I asked them about this and it’s on their list of potential features to add…seems like a pretty trivial one to add. Enpass is what I will switch to if/when 1PW v7 quits working, though.
I sync with iCloud. Encryption/decryption happens locally as you note. I too have a long complex master password.
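The last two posts rest on the same point: a vault blob that leaks from Dropbox or iCloud is only as safe as the master password behind it, because the attacker can run guesses offline against the stolen file. The following Python script is an added example, not code from the thread or from Enpass, and it deliberately does not model Enpass’s real file format or parameters. It uses a toy vault header (random salt, a PBKDF2-HMAC-SHA256 iteration count, and a key-check value; all three are assumptions for the toy) to show why a short PIN falls in seconds while a long random password does not, and lets you measure the per-guess cost on your own machine.

```python
"""Toy model of offline guessing against a stolen, password-encrypted vault.

Added example, not Enpass's format. Assumptions: the synced blob carries a
random salt, a KDF iteration count and a key-check value; the data key comes
only from PBKDF2-HMAC-SHA256 over the master password, so every guess costs
one full KDF run. Attacker cost = number of guesses * seconds per guess.
"""
import hashlib
import hmac
import math
import os
import time
from typing import Iterable, Optional

KDF_ITERATIONS = 10_000  # toy value chosen so the demo runs quickly


def derive_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault_header(password: str) -> dict:
    """Everything an attacker finds in the stolen blob, minus the encrypted entries."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    check = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "iterations": KDF_ITERATIONS, "check": check}


def unlock(header: dict, password: str) -> bool:
    """Offline test of one guess: True only if it reproduces the stored key-check."""
    key = derive_key(password, header["salt"], header["iterations"])
    candidate = hmac.new(key, b"key-check", "sha256").digest()
    return hmac.compare_digest(candidate, header["check"])


def brute_force(header: dict, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate against the header; return the first that unlocks it."""
    for guess in candidates:
        if unlock(header, guess):
            return guess
    return None


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected work to find a password of the given entropy: half the keyspace."""
    return (2 ** (bits - 1)) / guesses_per_second


def seconds_per_guess(header: dict, samples: int = 5) -> float:
    """Measure what one guess costs on this machine (single core)."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe-{i}", header["salt"], header["iterations"])
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    # A 4-digit PIN as master password: the KDF buys nothing, the blob falls at once.
    weak = make_vault_header("0412")
    pins = (f"{n:04d}" for n in range(10_000))
    print("PIN recovered:", brute_force(weak, pins))

    # A 20-character random password over the 95 printable ASCII characters.
    bits = entropy_bits(20, 95)
    per_guess = seconds_per_guess(weak)
    # Assumed attacker: one million times faster than this single core (GPU farm).
    rate = 1e6 / per_guess
    years = expected_crack_seconds(bits, rate) / (365 * 24 * 3600)
    print(f"{bits:.0f} bits of entropy; {per_guess * 1e3:.1f} ms per guess here; "
          f"at {rate:.2e} guesses/s the expected crack time is {years:.2e} years")
```

Raise `KDF_ITERATIONS` toward what a real product would use and the per-guess cost climbs linearly, but note that it also multiplies the attacker’s cost only by that same factor: a few hundred thousand iterations is worth roughly 17 extra bits, which is what separates a decent passphrase from a great one. The long random password is what makes the stolen blob worthless, exactly as the two posters say; the KDF only slows the attacker down.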