More Password Managers

As mentioned in the reference you cited, Enpass is used locally, on the machine you have it on. What scenario do you envision where MFA should be used?

MFA is useful whenever an imposter has the password, which could result from theft or phishing. Yes, MFA based on OTP or SMS is not sufficient.

Ideally, you should have a FIDO2 compliant (U2F) hardware key standing between your passwords and the world, including you (to prevent falling victim to a man-in-the-middle attack).

Compare and contrast the August 2022 attacks on Twilio vs Cloudflare.

How would a hardware key work with web sites that don’t apparently support them, like Social Security, Medicare, many major banks, etc.? I’m genuinely curious here; I can see using HW keys with specialized applications requiring very high security, but I don’t see their use with the sort of mass sites I mention above. But if there’s a way, I’d like to know it.

Yes, you are correct; U2F hardware keys can’t be used to log into sites that don’t support them. (That’s why I prefaced the remark you quoted with the word “Ideally,” which you did not include in your quote.)

Nevertheless, U2F may still help prevent unauthorized logins to your account on sites that do not support U2F. (Please note that I said “may”—as in “under some circumstances”—and not “will.”)

Did you read either of the articles that I linked to? Here’s the TL;DR synopsis.

Even if your Enpass password can’t be cracked, the passwords (to websites that do not support U2F) in your vault are still vulnerable to phishing attacks on YOU, the person who knows the Enpass password.

If such an attack involves a MITM, then U2F may thwart the attack and thus help secure your password to a website that does not support U2F.

For details, please see this article that I cited and scroll down to “U2F and Security Keys,” which begins with:

If the human is the biggest vulnerability in a phishing attack, then we should just remove the human in the process.
This is what U2F tries to do. We relieve the human of the burden of identifying between fake and real sites. This is going to be taken care of by the YubiKey and the browser working together.

And later on:

The browser checks the certificates of the website, before it asks the security key to generate any codes. It makes sure it doesn’t allow our fake website lastpass.com.es to get codes for lastpass.com. This makes it difficult for a hacker to do a MITM attack. The site not only has to look like the legitimate site, but it also has to have the correct certificates.

And that’s why, in the article I cited, Twilio, which used OTP, was breached in August 2022 but Cloudflare, which used U2F, wasn’t.

If the password to the vault is good and the cryptography is implemented correctly, then the human who knows the vault password is the weak link. All that’s needed is a website login page that looks legitimate and this human will reveal the sought-after website password (even without a wrench :wink:).

In such cases, the risk is not whether the vault is in the cloud; the vault cannot be cracked (without a quantum computer).

The risk is the human being phished.

2 Likes

Has anybody experience with PasswordBoss? How does it compare to those discussed here? I have been using PasswordWallet for years for local storage and KeyShare for passwords I need on multiple devices, but am looking at alternatives to have only a single program.

Robert

Just to mention this, because I don’t think that it really has been in this thread. If you are using only Apple OS devices and don’t use anything like Windows or Linux or Android, you have iCloud turned on for your account, and you just need to store passwords and 2FA time-based token keys, then if you were switching from anything else and want something simple and reliable, I would consider just using the built-in password manager in iOS, iPadOS, and macOS Safari (i.e., iCloud Keychain). It uses strong end-to-end encryption, unlocks with either your device password or biometrics, and is otherwise invisible to apps, Apple, etc. It suggests strong passwords, and it’s super-simple to add two-factor TOTP keys from either a QR code or the actual key (e.g., use either the camera or right-click the QR code to add it to the password store). I’m still using and happy with 1Password, but for people who are less technical especially, who don’t want to fiddle with a third-party app and hope it works properly, it’s a really good choice these days.

1 Like

I agree that SMS is insufficient. Mostly due to the possibility of a SIM swap attack, where an attacker convinces your wireless carrier to transfer your phone number to his phone. He then gets your 2FA codes.

But I think OTP systems (like Google Authenticator) are just fine. You just need to be careful about what you click on and pay attention to the information your browser makes available (including the URL and the associated security certificates) so you don’t go providing it (along with your password) to a bogus site.

If you also use a password manager, it won’t provide a password to a fake site. Don’t second-guess it and manually type in anything if this happens and you won’t get far enough for it to ask for an OTP code.

The article you cite points this out as well.

I agree that taking the human out of the equation is a good idea for most people, who can’t or don’t want to go through the effort of being careful. This is most important for IT people, who manage less-capable users and can impose a policy on them.

For an individual, I think someone who understands the issue enough to want U2F for himself is also going to be careful enough to be OK with OTP.

But that’s just my opinion.
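The following is an added illustration, not code from this thread or from the article quoted earlier in it, of the difference the quoted U2F passage and this post’s OTP discussion are about: a security key signs over the origin the browser is actually on, so a response produced on lastpass.com.es is rejected by lastpass.com, whereas a TOTP code carries no origin and is accepted wherever it is relayed. The HMAC-based per-site key derivation, the seed, the site names and the challenge are constructed simplifications; real U2F/WebAuthn uses a per-site asymmetric key pair, but the origin binding works the same way.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

# Constructed demo values; KEY_SEED stands in for a security key's internal secret.
KEY_SEED = b"demo-seed-not-a-real-key"
REAL_SITE = "https://lastpass.com"
FAKE_SITE = "https://lastpass.com.es"   # the look-alike domain from the quoted article

def rp_id(origin: str) -> str:
    """Relying-party id: the host the browser is really connected to (checked via its certificate)."""
    return urlsplit(origin).hostname.lower()

def site_secret(origin: str) -> bytes:
    """Key side: derive a distinct secret per origin (stand-in for a per-site ECDSA key pair)."""
    return hmac.new(KEY_SEED, rp_id(origin).encode(), hashlib.sha256).digest()

def u2f_assert(browser_origin: str, challenge: bytes) -> dict:
    """Browser + key: the browser reports the origin it is on; the key signs that origin in."""
    h = hashlib.sha256(rp_id(browser_origin).encode()).digest()
    sig = hmac.new(site_secret(browser_origin), h + challenge, hashlib.sha256).digest()
    return {"rp_id_hash": h, "challenge": challenge, "sig": sig}

def u2f_verify(registered_secret: bytes, site: str, challenge: bytes, a: dict) -> bool:
    """Server: accept only a response bound to its own id, its own challenge and the key it registered."""
    h = hashlib.sha256(rp_id(site).encode()).digest()
    expected = hmac.new(registered_secret, h + challenge, hashlib.sha256).digest()
    return (hmac.compare_digest(a["rp_id_hash"], h)
            and hmac.compare_digest(a["challenge"], challenge)
            and hmac.compare_digest(a["sig"], expected))

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 code: a function of secret and time only, so it is valid wherever it is typed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    o = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[o:o + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def relay_outcome(user_origin: str) -> dict:
    """What a relaying MITM gets when the victim logs in from user_origin (constructed scenario)."""
    challenge = b"server-nonce-0001"              # issued by lastpass.com, relayed by the phisher
    relayed = u2f_assert(user_origin, challenge)  # the key answers for the origin the browser is on
    u2f_ok = u2f_verify(site_secret(REAL_SITE), REAL_SITE, challenge, relayed)
    t = 1_700_000_000                             # fixed clock for the demo
    typed_code = totp(b"shared-totp-seed", t)     # victim types the code into whichever page they are on
    totp_ok = typed_code == totp(b"shared-totp-seed", t)   # server cannot tell where it was typed
    return {"u2f_accepted": u2f_ok, "totp_accepted": totp_ok}
```

Run `relay_outcome(REAL_SITE)` and `relay_outcome(FAKE_SITE)`: the U2F response only verifies when the browser was on the genuine origin, while the TOTP code is accepted in both cases.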

That’s a lot of “ifs” there. How many people do you know who are exclusively Apple users, who don’t have any other computers and don’t use any other web browsers?

2 Likes

For me, these missing features eliminate iCloud Keychain from consideration:

  1. Emergency Access by someone with power of attorney or other designation in case of injury, illness, stroke, etc. (Access by a Legacy Contact “requires a death certificate.”)
  2. Legacy Access for an estate executor. (“A Legacy Contact beneficiary [does not gain] access to … the decedent’s … iCloud Keychain.”)
  3. Securely Sending or Sharing items in Keychain is not supported (as far as I know).
  4. Data Types Other than Passwords are not supported (as far as I know). And not all credit cards can be added to the Wallet app, and not all websites support Apple Pay.
  5. Autofill is Restricted to Login Credentials and does include credit cards (as far as I know).

These are the requirements that push me into a paid service.

I’m leaning toward Bitwarden but would accept other suggestions enthusiastically.

Well, me. Plus my wife, both my kids. My two sisters. Really, most of my family. A few people use Windows computers at work, but that’s a whole different thing.

I use Chrome for some things on my Mac (mostly just to access some Google accounts that I use less and less frequently, plus for an organization that I’m chair of the board, and my one professional client that I access maybe one day a month if something goes wrong) but it’s easy to copy and paste a password if I needed to. I also have FF on my Mac, just in case Safari isn’t working right and I want to check with another browser. Same, copy and paste would work fine, probably faster than keeping a physical notebook of written down passwords and looking them up.

Anyway, I’m thinking a lot of people who post here are Apple-only.

Even outside this forum these days fewer people even own computers and just use a phone and maybe a tablet as well. I know quite a few of those people. (Mostly my kids’ age.)

1 Like

After hearing BitWarden mentioned a number of times recently here & elsewhere, I took it for a spin. It does have useful features, it is open source, & peer reviewed. The quick deal-breaker for me was that (practically speaking) it requires you to put all your data in their cloud. As LastPass, 1Pv8 & many others do. You can’t maintain full control of your data as you can with a local data file. Some people (especially security professionals, but what do they know?) have mandates that do not permit their passwords to be stored in a cloud server. Whereas most of the commercial password managers currently available require that.

To be complete - BitWarden does offer an optional self-hosting server which I also looked at. But there is no BW Mac server version, only Linux & Windows, and almost all users will not have the skill set to install & maintain it. That’s why I say that, practically speaking, the BW self-hosting option is off the table for almost everybody.

Enpass does let you maintain control over your passwords by saving your data in a local file. Enpass also supports many popular cloud services, folder sync, or local wifi sync. Your choice. Your passwords are never stored in an Enpass cloud. “Self-hosting” Enpass is trivial: just save the file to your local hard drive.

I’m trialing Enpass now and it has a full feature set. Many of the features that 1Password offers, except you can keep full control of your data if you want to. That’s a big one for me. I’m surprised that I haven’t seen Enpass mentioned more, or more often reviewed against BitWarden & 1Password; actually, I only heard of Enpass last week for the first time. I welcome other input pro or con, especially as I work toward making my selection of next password manager.

As a career IT professional managing thousands of passwords & data bits, I can’t afford for my password manager to be breached and I also need a strong useful feature set.

2 Likes

Actually that would be me. I have several Macs, an iPhone, iPad and Apple Watch. I have Firefox on my M1 MBP but honestly can’t remember ever using it.

Having said that, I use 1PW v7 but would prefer to not need it.

1 Like

For what it’s worth, me too. I use two Macs (MacBook Pro and iMac Pro), an iPhone and an iPad Pro. My wife uses only an iPhone. I rarely use any browser other than Safari. (Of course I don’t rely solely on keychain – I use 1Password 8, and am happy with it.) I am retired so I don’t have a separate work computer.

I actually know quite a number of people who use only Apple devices.

Type “Enpass” in the search window and at least a dozen threads discussing the app will pop up.

1 Like

Perhaps this year-old comparison of StrongBox, Bitwarden, and Enpass would interest you.

https://www.reddit.com/r/selfhosted/comments/t4lsx2/why_i_chose_strongbox_as_my_new_password_manager/

As I understand, Enpass has published only one security assessment by an independent party and it was of versions 5 and 6 for Android and Windows in 2018. As an IT professional, are you concerned with this level of transparency, especially given the errors disclosed in the report?

2 Likes

This idea of using the Apple keychain for everything hits the sweet spot for my significant other. I was looking at using a 1Password family plan, but she is very busy and doesn’t want to invest any time into learning to use a password manager or any other software unless unavoidable. She reminds me of Scotty in the Star Trek movie where he is speaking commands to a 9” screen Mac via its mouse. She is Apple only but there will be a few bumps to iron out such as passwords for Quicken. I am going to give it a whirl. :slight_smile:

As I understand, the new Unified (Beta) option for self hosting Bitwarden is built on Docker and since there is a macOS version of Docker, I’d guess that Bitwarden can be hosted on macOS.

Having said that, I agree that deploying self hosting (on any platform) is beyond the average user; it’s not something that I’d try.

1 Like

I’m somewhat inspired (well, at least motivated) to try and move all my 1PW logins to Apple’s Password and see how it goes.

It annoys me that Apple has two locations for password management (Keychain Access and Settings/Passwords) and neither of them is in Applications like a ‘normal’ Apple app. Keychain Access could be put in the dock but its interface and functionality are terrible. You can move the Passwords setting to the dock by digging into System/Library/PreferencePanes but I don’t understand why they wouldn’t simply make it a standard app.

Apple Passwords requires a lot of futzing around which 1PW doesn’t - it’s just very clunky and unfriendly. Despite this, I’ll give it a go but I’m not too confident.

Yes, but in the main way I use an app like this - create a new login, or login to a site where I already have a password - it works fairly well to recognize the login, offer to create the password (or to save the password if you’ve filled it in for a site where you have an existing account), and does a good job recognizing a third party app on iOS to fill in the login.

And note that I was talking specifically about iCloud Keychain, which on the Mac is in Safari’s password settings. Not Keychain Access.

As I said, I don’t use it (in fact I’ve had passwords installed there from iOS that I recently made sure were in 1Password and then cleared these out). I need more from a password manager. Just to give an example, those sites that ask recovery questions when you create an account - I always create random words and store them manually in 1Password as extra fields. It means cut and paste when I need to fill them in, but that happens rarely. I also store a few secure notes in 1P, and email account details, passport info for the family (including scanned copies in case we need them if we travel), etc. But just for storing site user ids and passwords, including 2FA codes, it’s a nice, what I’ll call, entry-level system.

And there does appear to be a way to import a CSV password file on a Mac. I did a similar import when I started using 1Password when I moved from Lastpass 6 years ago.

  1. What prompted you to leave LastPass 6 years ago?
  2. What criteria led you to choose 1Password?

I think I’ve mentioned this before, but

  1. The sale of Lastpass to LogMeIn immediately made me want to switch to something else. I was super-worried that a company that wasn’t focused on a password manager, run by the people who designed it and managed it for years, would likely one day be a problem.

  2. When I first bought a Mac in 2007, I wasn’t using a password manager, and I chose 1Password. But I switched to Lastpass in 2009 when I bought my first Android phone. At the time 1Password did not have a good solution for Android. So, I had a history with 1Password, and I like their model for cross-device sync, and I’d already switched to iPhone by then (though I believe that 1Password has a real solution for Android now, too). At that point I probably also thought about doing a family plan for everyone, but I know my wife has no interest in it at all, so I don’t think that’s happening. She was a “write it in a notebook” person for a long time until she now has everything in iCloud Keychain.

When I imported everything into 1Pass in 2017, I spent time in Lastpass changing all of my user ID and password fields to the word “nothing”, erased all my secure notes, and left it for a bit, then erased everything from the account, then a week or so later deleted my account. I wanted to be absolutely sure that my data was worthless in case Lastpass didn’t really delete the account and somehow somebody had figured out how to hack into accounts. I wasn’t even thinking about backups being stolen.

2 Likes