Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,667
    I am getting used to the double clicking now as well. Still may give Bitwarden a shot for kicks. Nice that Enpass was added to HMP.A's protection list. :)
     
  2. Stigg

    Stigg Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    450
    Location:
    Dededo, Guam
    What's the double clicking for? Sorry, I may have missed something. :doubt:
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,552
    Location:
    Among the gum trees
    With Enpass it doesn't auto-fill the login fields until you click on the extension, then double click on the login.
     
  4. Stigg

    Stigg Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    450
    Location:
    Dededo, Guam
    Thanks for the tip, Krusty. That's a good security feature.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,552
    Location:
    Among the gum trees
    They have now and explained there was a holiday n India (Rakshabandhan) and apologised for taking so long. I thought that was cool.

    Of course, their suggestion to solve the auto-start bug I had on two machines was to reinstall the application, but I'd tried that already. Anyway, as mentioned earlier, that problem is resolved.

    So far I haven't tried Enpass's auto-save feature, so today I logged into my Netgear modem/router but Enpass didn't save the login. Will have to keep an eye on this with real websites and see how it handles them. :doubt:
     
  7. Stigg

    Stigg Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    450
    Location:
    Dededo, Guam
    Enpass is a very nice password manager, and the application works so nicely with browser extensions. I think I'm hooked. :shifty:
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,552
    Location:
    Among the gum trees
    :thumb: Cool! Me too.
     
  9. Stigg

    Stigg Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    450
    Location:
    Dededo, Guam
    I see that you had startup problems, and I thought that I may get them also, but startup worked fine for me. Nothing to do, just install and away I went.
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    Does URL matching ensure that password manager stored website credentials will match the intended, correct, legit website.
    I mean does URL spoofing (any nasty manipulation) present the possibility that password manager stored website credentials find the not intended, not correct, not legit website.

    Will creds intended for https:// anysitedotcom fill http:// anysitedotcom.
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    KeePass 2.37 available
    https://keepass.info/news/n171012_2.37.html
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    FWIW ~ LastPass and Enpass told me, they employ domain name matching.
    Curious, does domain name matching ensure.....password manager stored credentials will only fill the intended, correct, legit, safe website.
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,333
    Location:
    USA
    As long as nobody hacked their DNS and redirected to a fake server, sure.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    Well, I did ask LastPass and Enpass about >
    http://www.securitysupervisor.com/security-q-a/network-security/195-what-is-dns-spoofing
    http://www.securitysupervisor.com/security-q-a/network-security/262-what-is-url-spoofing

    LastPass ticket support would not go off script.
    Enpass on follow up offered.
    Thanks for the reply and sharing your thoughts.

    DNS spoofing:
    This is out of the scope of Enpass. Enpass doesn't match IP. Internet security is a stack of various sub-systems. Each one has its own responsibility. It relies on that OS, browser and network admin in LAN has adequate measures to counter DNS spoofing.

    URL spoofing:
    Enpass depends upon browser for telling what domain it is requesting autofill for.
    The URL looks similar to the user on browser address bar but it is still not the exact same. Enpass will match that URL domain with the one you saved for your autofill item and it is defiantly going to fail for phishing URLs.
    i.e, mydomain.com login item will not autofill in mydomain.net,myd0main.com.

    Protocol:
    Regardless of protocol, a domain is always owned by the same person. Enpass does not restrict you from auto filling in HTTP pages. A modern browser is smart enough to tell you that you are browsing an insecure website. Though it will be a good addition to Enpass if we can warn before autofilling.

    Hope this answers your queries.
    Best regards
    Enpass Support Team
    Occasionally, I'll check IP address. Do you?
     
    Last edited: Oct 12, 2017 at 11:27 AM
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,333
    Location:
    USA
    I honestly do not. Just about any logon these days is from a SSL page and if the IP address is wrong there will be certificate issues and if the browser does not warn me (which I'm sure it will) then I expect my security suite will. If the page is not SSL then there are multiple issues there and I probably would be checking.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    I'm checking page while holding login credentials under my control since, I suspect domain name matching & autofill are more convenience than security. Just me. Thanks
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,333
    Location:
    USA
    Absolutely a convenience. Probably not much security about it. That said, I think it is far more likely that the site itself will get hacked and your credentials stolen from them than for the DNS to get hijacked and your credentials stolen from you upon entering.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    < hacked and credentials stolen > in the same sentence :(
    source: KeePass discussion.
     
    Last edited: Oct 12, 2017 at 9:13 PM
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,333
    Location:
    USA
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,538
    Location:
    USA
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    Thanks for the reply.
    Neither Enpass nor the OS knows the IP address of domains you entered in your browser and can't verify it. They can't maintain a record of millions of domains and their IP. IPs of a domain are not constant. IP related to a domain's service and can change any time e.g., on change of hosting provider etc.
    Your system depends upon a chain of DNS servers to get IP of the particular domain.
    As I said earlier, Internet security is a stack of various sub-systems. Each one has its own responsibility.
    Here Enpass has to trust the browser, the browser has to trust the OS and OS have to trust the DNS servers.
    Best regards
    Enpass Support Team
    Guess, there's no need for me to check IPs anymore.
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,333
    Location:
    USA
    I've been using it all day. Seems fine.
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,333
    Location:
    USA
    I see their point. It's all still very unlikely. There are easier ways for someone to get that info from you. And there are less computer literate people they can steal data from. Not reusing passwords is probably one of the easiest and most effective things you can do.
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,642
    Location:
    .
    Okay.....all the spoofing speak, piqued my curiosity. Thanks for all your help.
     
    Last edited: Oct 13, 2017 at 4:38 PM
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,538
    Location:
    USA
    I just installed it in Firefox 56 and it looks fine at first glance. Do you find that all of the core functionality is there? Any instability or gaps? TIA
     
Loading...