Enpass User Manual - Android Version 6.7

Enpass Technologies Inc.
August 19, 2021

User Manual

Enpass Version 6.7

Welcome to the Enpass user manual for Android. This user guide describes how you can use Enpass to easily and securely manage your passwords, credit cards, bank accounts, and other confidential items. You will also find tips that help you make use of the wider capabilities of Enpass.

Introduction to Enpass

Enpass is a simple and secure app to take care of your passwords and other credentials. It lets you securely save every kind of information using existing templates, whether it’s passwords, logins, bank accounts, credit cards, National ID, Passport and more. All this data is encrypted with a master password. You can also generate a unique and robust password with a single tap, and you don’t need to remember these passwords because Enpass can fill them automatically in apps and browsers. All your data is saved offline on your device, and you can rest easy knowing we offer military grade encryption. You can even sync across your multiple devices using your cloud accounts. Enpass is cross-platform and is available for all major platforms from your desktop to your smartphone.

Prerequisites

From version 6.7 onwards, Enpass requires Android 5.0 or later.

Getting Started

If you have purchased Enpass on a platform, we recommend you register your purchase.
The purpose of registration is to link your purchase with a valid email address so that you don’t have to buy it separately on all platforms. This section shows you how to activate or restore your Enpass license across multiple platforms with the following steps:

1. Click on Active Enpass.
2. Enter your registered email address.
3. Verify it via OTP.
4. Once verified, the app will restore the license linked with the registered email address.

As a new user

If you’re a new user, you first need to set up a master password before adding any items. Enpass encrypts all your data with the master password. Read more about master passwords.

To create a master password, follow these steps:

1. On the Welcome screen of Enpass, tap Start for free.
2. Create your master password and tap Continue.

Note: This is the only password you need to remember. Because you need it to open/unlock Enpass, keep the master password safe and secure.

You can select a few settings here for a quick setup. You are now a trial user of Enpass and can add up to ten items. See Adding items. By registering, you can remove this limit.

As an existing user

If you are an existing user of Enpass, your data is already stored somewhere, either on a cloud you have synced with before or in a local backup. You can directly restore that data from a Backup File or from a cloud.

• Open Enpass. On the Welcome screen you can see the option Restore existing data. Tap to continue.

Restore data using your cloud service provider. You will require the master password for this.

Import Passwords from Other Sources

You may already have some passwords saved in other password managers, browsers, CSV files, etc. You can install Enpass on your desktop to import data from other sources and use cloud sync to seamlessly synchronize data in Enpass between the desktop and mobile.

Master password

Enpass encrypts all your data using the master password. You also unlock the app with it. Make the master password strong. If you lose it, we cannot help you recover it. Write it down and store it in a safe, secure place. For tips on creating a strong password, see this blog post.

Caution! The master password is irrecoverable. If you forget the master password, it cannot be retrieved by any means.

Keyfiles

Advanced users can add another layer of security by using a keyfile with the password. Enpass appends the characters in the keyfile to the password and uses them together to encrypt your data.

To add a keyfile to your Android device you need to:

1. Generate the keyfile.
2. Add it to your Android device.

Generating the keyfile

You need to generate keyfiles from Enpass on your desktop. See generating keyfiles.

Adding the keyfile

To add a keyfile, follow these steps:

1. From Enpass on your Android device, tap Settings > Security > Change master password.
2. In the Change password screen, tap the More options button at the top right (the More options menu button will display only if the vault has a keyfile).
3. To add the keyfile:
   • Tap Scan keyfile, and scan the QR code from your desktop (see generating QR code).
   • Tap Choose keyfile if you have transferred the keyfile by other means.
4. Enter the master password again.
5. Tap Done.

Important: Keep the keyfile safe and secure, as you will not be able to log in to Enpass without it. It is also irrecoverable, so back up all your keyfiles. If you have created multiple vaults and added keyfiles to them, you will need those keyfiles to open these vaults.

Removing keyfiles

To remove keyfiles, use Enpass on your desktop (see removing keyfiles).

Registration

Registration in Enpass is the process of linking your Enpass purchase with your email ID. This helps you restore your purchase on other platforms for free.
To register your purchase, follow these steps:

• On the Settings screen, tap your registration status at the top of the screen.