I am getting used to the double clicking now as well. Still may give Bitwarden a shot for kicks. Nice that Enpass was added to HMP.A's protection list.
With Enpass it doesn't auto-fill the login fields until you click on the extension, then double click on the login.
They have now and explained there was a holiday n India (Rakshabandhan) and apologised for taking so long. I thought that was cool. Of course, their suggestion to solve the auto-start bug I had on two machines was to reinstall the application, but I'd tried that already. Anyway, as mentioned earlier, that problem is resolved. So far I haven't tried Enpass's auto-save feature, so today I logged into my Netgear modem/router but Enpass didn't save the login. Will have to keep an eye on this with real websites and see how it handles them.
Enpass is a very nice password manager, and the application works so nicely with browser extensions. I think I'm hooked.
I see that you had startup problems, and I thought that I may get them also, but startup worked fine for me. Nothing to do, just install and away I went.
Does URL matching ensure that password manager stored website credentials will match the intended, correct, legit website. I mean does URL spoofing (any nasty manipulation) present the possibility that password manager stored website credentials find the not intended, not correct, not legit website. Will creds intended for https:// anysitedotcom fill http:// anysitedotcom.
FWIW ~ LastPass and Enpass told me, they employ domain name matching. Curious, does domain name matching ensure.....password manager stored credentials will only fill the intended, correct, legit, safe website.
Well, I did ask LastPass and Enpass about > http://www.securitysupervisor.com/security-q-a/network-security/195-what-is-dns-spoofing http://www.securitysupervisor.com/security-q-a/network-security/262-what-is-url-spoofing LastPass ticket support would not go off script. Enpass on follow up offered. Spoiler: Enpass offered Thanks for the reply and sharing your thoughts. DNS spoofing: This is out of the scope of Enpass. Enpass doesn't match IP. Internet security is a stack of various sub-systems. Each one has its own responsibility. It relies on that OS, browser and network admin in LAN has adequate measures to counter DNS spoofing. URL spoofing: Enpass depends upon browser for telling what domain it is requesting autofill for. The URL looks similar to the user on browser address bar but it is still not the exact same. Enpass will match that URL domain with the one you saved for your autofill item and it is defiantly going to fail for phishing URLs. i.e, mydomain.com login item will not autofill in mydomain.net,myd0main.com. Protocol: Regardless of protocol, a domain is always owned by the same person. Enpass does not restrict you from auto filling in HTTP pages. A modern browser is smart enough to tell you that you are browsing an insecure website. Though it will be a good addition to Enpass if we can warn before autofilling. Hope this answers your queries. Best regards Enpass Support Team Occasionally, I'll check IP address. Do you?
I honestly do not. Just about any logon these days is from a SSL page and if the IP address is wrong there will be certificate issues and if the browser does not warn me (which I'm sure it will) then I expect my security suite will. If the page is not SSL then there are multiple issues there and I probably would be checking.
I'm checking page while holding login credentials under my control since, I suspect domain name matching & autofill are more convenience than security. Just me. Thanks
Absolutely a convenience. Probably not much security about it. That said, I think it is far more likely that the site itself will get hacked and your credentials stolen from them than for the DNS to get hijacked and your credentials stolen from you upon entering.
LastPass has a beta add-on for Firefox 57: https://blog.lastpass.com/2017/10/lastpass-beta-firefox-57.html/
Nice to see them finally making a public statement and offering the beta. I will check it out on one of my test machines.
Spoiler: more from Enpass Thanks for the reply. Neither Enpass nor the OS knows the IP address of domains you entered in your browser and can't verify it. They can't maintain a record of millions of domains and their IP. IPs of a domain are not constant. IP related to a domain's service and can change any time e.g., on change of hosting provider etc. Your system depends upon a chain of DNS servers to get IP of the particular domain. As I said earlier, Internet security is a stack of various sub-systems. Each one has its own responsibility. Here Enpass has to trust the browser, the browser has to trust the OS and OS have to trust the DNS servers. Best regards Enpass Support Team Guess, there's no need for me to check IPs anymore.
I see their point. It's all still very unlikely. There are easier ways for someone to get that info from you. And there are less computer literate people they can steal data from. Not reusing passwords is probably one of the easiest and most effective things you can do.
I just installed it in Firefox 56 and it looks fine at first glance. Do you find that all of the core functionality is there? Any instability or gaps? TIA