April 19, 2024


Sapiens Digital

Enpass Password Manager – Review 2020

Getting locked out of an important site because you forgot your password is a pain, even when the site offers a simple way to reset it. It’s tempting to just use the same password everywhere, but doing so is setting yourself up for being hacked. Use a password manager such as Enpass to set up a unique, strong password for every site, instead. You should know upfront that Enpass only stores your passwords locally by default; if you want to sync between devices, you need to attach a cloud storage account. On one hand, that means your important details are in one less place online, but this introduces inconveniences and may confuse newcomers. A lack of intuitive two-factor authentication options, limited sharing features, and usage quirks related to filling passwords and identities are other drawbacks to this service.

Pricing and Platforms

Enpass’s pricing structure is different than that of most competitors. Desktop users on Windows, macOS, and Linux devices can use Enpass for free. On those platforms, you get all of Enpass’s features and full syncing capabilities between those devices. There’s also a portable version you can run from a USB drive.

On Android and iOS devices, Enpass is free for up to 25 items and one vault. If you go over those limits, you need to pay for Enpass on either an annual ($11.99 billed every year) or half-year ($7.25 billed every six months) basis. Alternatively, you can pay a one-time fee of $59.99 to permanently unlock all of Enpass’s features across all platforms. The price might be cheaper if there’s a sale, as with most such services.

Enpass is priced aggressively compared to competitors. For example, its one-time tier costs the same as an annual Dashlane subscription ($59.99 per year). Enpass’s annual rate also compares favorably. Keeper Password & Digital Vault’s Personal account is $29.99 per year, while 1Password’s Premium account costs $35.88 per year.

Other free password managers, including Editors’ Choices LastPass and Myki, do not restrict the use of multiple platforms. Myki works similarly to Enpass in that it does not include any sort of cloud storage; instead it stores entries locally on your mobile device and makes everything available on other platforms via P2P sharing.

Account and Device Setup

We downloaded Enpass’s Windows app from the Microsoft Store to get started. The good thing about Microsoft Store apps is that they run in a sandboxed mode; more apps should take advantage of this platform. We primarily tested the Enpass app on a Windows 10 laptop and a Google Pixel 3 running Android 10.

Once you download and install the desktop app, you need to set up an account by providing and confirming your email address. Next, you create an all-important master password, which encrypts all of your data. This password should be memorable, but not guessable by anyone else. Enpass rates your master password and offers specific advice for improving a bad one, for example, noting that what you’ve typed contains a name or a common password. Your master password is irrecoverable, so make sure to write it down in a safe place. Security-conscious users can optionally generate a Keyfile for their accounts, which is used alongside the master password to encrypt your data. Keyfiles are also irrecoverable.

Unlike most other password managers, Enpass does not offer app- or security key-based two-factor authentication options to secure your account. We discuss this limitation more in a later section.

Once you get past the initial setup, Enpass encourages you to install its browser extension, which is available for Edge, Chrome, Firefox, Safari, and Vivaldi. The web extensions need to be used in conjunction with the desktop apps and are required for password capture and replay. 1Password’s 1Password X extensions can function independently, by contrast. We installed Enpass’s extensions on Chrome and Firefox for testing.

Linking an extension to your Enpass app requires entry of a passcode generated by the extension, much as Myki requires snapping a QR code from the extension. This prevents someone who shoulder-surfs your password from using it to log into your account using the extension. Another advantage of this method is that you don’t need to keep typing in your master password to use the extension.

Getting all your passwords into a password manager is a significant investment of time. Therefore, switching from one password manager to another needs to be as seamless as possible. Fortunately, Enpass can import from a dozen competitors, among them LastPass, RoboForm Everywhere, and Sticky Password. It can also import from Chrome and other instances of Enpass.

If your old password manager isn’t on the list, never fear. You can export from the old guard to a CSV file, format it to Enpass’s standards, and then import it. Enpass supports importing logins, credit cards, and secure notes.

Desktop App and Password Organization

When you set up your account, Enpass creates a primary encrypted vault for password storage. You can create additional vaults, perhaps adding a separate vault for work-related passwords. 1Password operates similarly. Apart from vaults, you can organize entries by creating tags and sub tags for more precise organization. We appreciate this flexibility.

Across the top of the desktop app interface, there’s a cloud icon in the top-left area that shows your cloud storage status, a search bar, a plus icon for adding a new entry, a button for locking the application, an icon for the password generator, and a settings area. Oddly, the settings section appears in both the top bar and as an item under the application’s menu. Notable settings include options to lock the application with a PIN, set up cloud syncing, create backup files of your passwords, generate pre-shared keys for securely sharing passwords, and customize the interface categories and templates. There’s also a dark theme option, which is always welcome.

On the desktop, Enpass uses the popular three-column layout. You select an item type in the left column, view items of that type in the middle column, and dig into details for the selected item in the right column. Enpass uses site-logo icons for popular sites and plugs in a generic icon for the rest. Going down the left-hand side of the interface, you see a list of all entry categories (such as logins, credit cards, identities, and notes), a Tags section, the Password Audit Section, and an Others section. Items in the Others area include Time-based One-Time Passwords (TOTPs), Attachments, Archived, and Trashed.

To edit an item, select it from the middle column and then hit the pencil icon at the top of the left-most column. Make sure to save entries before leaving that page. You can add custom fields and sections to each item as well as upload files.

Local Storage and Syncing

Enpass handles storage differently than many password managers. Like Myki, Ascendo Data Vault, and a very few others, Enpass keeps your passwords in local storage rather than maintaining servers to store your encrypted data in the cloud. Skipping the expense of cloud servers is one reason the company can offer the desktop version for free. Note that while the free editions of LastPass and LogMeOnce Password Management Suite Premium use in-house cloud storage, users of the paid editions effectively finance the server farm.

If you only use Enpass on a single system, local storage is fine. However, most people will want access to their passwords and other data from more locations. To do so, click the cloud icon in the upper left area of the desktop app and select Set Up Sync. You need to give Enpass permission to set up a folder in your OneDrive, Dropbox, Google Drive, Box, or iCloud account. You can also use a shared network folder. If you’re a total network geek, you can even connect Enpass to your own server using WebDAV. KeePass also supports WebDAV for syncing, but it’s just too arcane for most users.

The potentially better security of big-name cloud service providers comes at the expense of usability. People new to the idea of password managers, especially, may not want to involve their cloud storage accounts in the process. If anything, storing passwords in a folder in a cloud storage account you use frequently makes the data more visible (and thus more likely to be accidentally deleted).

Enpass heavily leans on these other cloud providers, to the extent that it doesn’t offer typical two-factor authentication options. Instead, Enpass reasons that since these cloud providers all offer two-factor authentication, your synced data is secured that way. Still, while you need to remember two logins to store your data, access to your Enpass data isn’t actually protected in two ways (you just need to enter your master password to sign in). It’s also recursive if you use Enpass to store your credentials for that cloud storage account. Protecting local app access with a second factor of authentication is important too, since the potential password data at stake remains the same, regardless of whether it is stored locally or online.

In Enpass’s explanation of why it does not include 2FA options, it points users towards setting up a Keyfile, which you would need in order to access your passwords in addition to your master password. A Keyfile thus could function as a second factor. If you keep the Keyfile on the same device where your passwords are stored, however, this is not ideal. As such, we would like to see more mainstream two-factor authentication options (such as via an authenticator app or security key) for protecting access to Enpass’s apps.

Web Extension and Password Handling

The Enpass desktop application stores and syncs your passwords and other personal data, but that’s all it does. If you want the expected password capture and replay (and you do!) you must install the browser extensions. Note that Enpass does not offer a dedicated web dashboard.

Enpass’s web extension is pretty standard. It shows a list of your logins, favorites, credit cards, and identities. You also get access to the password generator and a search bar for quickly finding items. Clicking on a login item fills that information in on a relevant page, but you can’t edit entries directly. To copy specific fields or navigate to a login’s associated site, click the item once and then hit the information button on the right-hand side. With Norton Password Manager, LastPass, and many other password managers’ extensions, you can just click on an entry once within the extension to open the linked site and log in. This is one example of how Enpass requires a seemingly unnecessary step.

Any of the Enpass browser extensions can capture your username and password as you log in to each secure site. You can give the entry a descriptive name at this point, but if you want to apply tags you must use the main application. In testing, we found that, unlike with most competing products, if you click away from the offer to add an item before clicking Save (such as to enter a TOTP code), you don’t get another chance to do so. We had to log out of the site and in again to capture the credentials.

Many password managers automatically fill in credentials when you revisit a site. Some are more cautious, waiting to fill credentials until you request it by clicking in one of the fields. With Enpass, you must either click the extension, press the magic key combo Ctrl+/, or right-click and select Enpass from the context menu to see what logins are available for the current site. Once you select a login, automation kicks in. It’s very similar to the way 1Password works, though with 1Password the magic key is Ctrl+.

Despite some difficulties with multistep logins in previous tests, we found that Enpass worked fine with Gmail’s two-page login this time around. However, with Eventbrite’s multistep login, we had to add our username manually; Enpass only captured the password.

If you notice a missing field at the time of capture, you can click the Show More option in the Save Password dialogue box and fill in the data manually or edit the item in the main app. On the plus side, Enpass can pick up fields other than just the username and password. Unlike Sticky Password, LastPass, and a few others that manage this using a special “collect all fields” feature, Enpass seems to do it automatically.

Password Auditing and Generator

Once you have all your passwords safely stored in the password manager, you’re halfway secure. To finish the job, you need to replace all your bad passwords. Enpass’s Password Audit feature can help you identify those offending passwords. This tool is accessible via the left-hand menu of the desktop app.

The Password Audit section breaks down into three sections: Pwned, Weak, and Identical. The Pwned section checks if any of your passwords appear in the Have I Been Pwned? database of compromised passwords. Enpass asks for your permission before checking your passwords against this list online. The Weak section includes passwords that don’t meet Enpass’s definition of a strong password, for example, if they are too short, not varied enough, or otherwise guessable. The Identical section lists passwords that are the same across accounts. Other password managers, including Sticky Password, also have password audit sections with similar functionality.

There’s no automation for the process of fixing bad passwords like you get in LastPass and Norton. Other services, including 1Password and Keeper Password & Digital Vault, notably refrain from automated password changes for various privacy reasons. You need to manually go to the site to change your password.

But what should your new password be? Don’t worry; Enpass, like every other modern password manager, offers a password generator tool. However, not all password generators are created equal. For the best security, you want long passwords that make use of all four character sets (lowercase letters, uppercase letters, digits, and symbols). But with some password managers, default settings give you weak passwords. For example, RoboForm, SplashID, and Trend Micro Password Manager all give you eight-character passwords by default. So does Ascendo, but its default passwords are all letters, no digits or symbols.

By default, Enpass generates passphrases like XKCD’s popular Correct Horse Battery Staple example, rather than random strings of characters. Passphrases are set to six words in length out of the box (but can go up to 15). Oddly, by Enpass’s own standards, this six-word length only rates as good, rather than excellent. Enpass should make its passphrase default option stronger.

You specify whether it uses uppercase letters and digits, as well as the separator between the words. The stated reason to use passphrases is that they’re both long and memorable. Even when you don’t have to memorize them, longer is always better. A random brute-force attack is indeed unlikely to come up with announcer-asparagus-slicer-dreamy-wagon-gig, but a brute-force attack based on dictionary words just might get there.

To generate a more traditional password (random strings of numbers and letters), uncheck the Pronounceable toggle. For these passwords, Enpass defaults to 32 characters. You choose whether to include uppercase letters, digits, and symbols. We recommend you keep all of these settings enabled. If you need to generate a password that meets specific requirements, Enpass can do that too. You can restrict the generated password to use a minimum or an exact number of uppercase letters, digits, and symbols; exclude certain characters; and avoid ambiguous characters such as capital O and the digit 0.
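
The generator settings and the passphrase-versus-dictionary-attack point above can be made concrete. The following is an added example, not Enpass's code: it implements minimum-count constraints only, and the symbol set, the look-alike set and the 7,776-word list size used in the demo are assumptions.

```python
import math
import secrets
import string

# Assumed look-alike set; the review names only capital O and the digit 0.
AMBIGUOUS = set("O0oIl1|")
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed symbol set, not Enpass's


def build_pools(exclude="", avoid_ambiguous=True):
    """Return the four character classes with banned characters removed."""
    banned = set(exclude) | (AMBIGUOUS if avoid_ambiguous else set())
    classes = {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digits": string.digits,
        "symbols": SYMBOLS,
    }
    return {name: [c for c in chars if c not in banned]
            for name, chars in classes.items()}


def generate_password(length=32, min_upper=1, min_digits=1, min_symbols=1,
                      exclude="", avoid_ambiguous=True):
    """Random password that meets per-class minimums, drawn from the OS CSPRNG."""
    pools = build_pools(exclude, avoid_ambiguous)
    minimums = {"upper": min_upper, "digits": min_digits, "symbols": min_symbols}
    if sum(minimums.values()) > length:
        raise ValueError("minimum counts exceed the requested length")
    chars = []
    for name, count in minimums.items():
        if count and not pools[name]:
            raise ValueError(f"no usable characters left in class {name!r}")
        chars += [secrets.choice(pools[name]) for _ in range(count)]
    everything = [c for pool in pools.values() for c in pool]
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    # Shuffle so the required characters do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def random_string_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly random string."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size):
    """Entropy when the attacker knows the word list and the separator."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_password(min_upper=4, min_digits=4, min_symbols=4))
    # 7776 is an assumed list size (Diceware-style), not Enpass's actual list.
    print(round(passphrase_bits(6, 7776), 1), "bits for six words")
    print(words_needed(128, 7776), "words to reach 128 bits")
```

Under the assumed list size, the six-word default is far weaker against a dictionary-aware attacker than a 32-character random string over 94 printable characters, which is why word count matters more than the choice of separator.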

Personal Data and Form-Filling

Enpass can store a huge variety of personal data and sync these important details across your devices. Options range from general address and contact data to credit cards and licenses. A collection of computer-related data templates includes details for databases, FTP servers, web hosting systems, and more.

The Miscellaneous category includes over two dozen varied types of data, each with a template for storing the relevant information. These include national ID numbers for various regions of the world, vehicle info, clothing sizes, and even eyeglasses prescriptions.

Enpass now allows you to fill forms with identity information you add, which is a major improvement since the last time we reviewed the software. When you arrive at a form field on the web, click on the Enpass extension, and then double-click on the relevant identity. The implementation is a bit awkward, since you need to fill addresses and credit cards separately. Other password managers add an icon in the fields for which you have saved identities (which you click to fill). We prefer that method, since you know specifically which fields you can auto-fill.

You can also attach files and images to any of the saved items. For example, you could add a photo of your driver’s license to the corresponding item. Your storage limit depends on how much space you have left for whatever cloud storage account you set up. Keeper Password Manager & Digital Vault also emphasizes storing data in your digital vault, but you need to pay a fee for any serious storage capabilities. Kaspersky Password Manager has excellent document scanning capabilities with no storage limits in its paid version.

Sharing and Inheritance

We don’t normally advise sharing passwords, at least not without serious consideration. But if you have an account that’s shared between several people, sharing is a must. Sharing an Enpass password with another Enpass user is simple, though you must take care to protect your security.

From the desktop app, you select Share from the menu for an item. The program warns that items shared outside Enpass aren’t encrypted, unless you’ve defined a preshared key (PSK) in Advanced Settings. The PSK is just a password you create and send to the recipient or group before sending the password itself.

Enpass let you limit shared fields, toggling off E-mail, Password, or Website. It also offered the option to use one of the shared keys we created. To finish the share operation, you choose to send the share via email or copy to the clipboard and share some other way.

If you don’t use a PSK, you’re taking a big chance. Enpass sends the website, username, and password in plain text, followed by an encrypted block that you can copy into another instance of Enpass. We also found that toggling off sharing of the password literally omits it, rather than letting the recipient use the login without seeing the password, as you can do with LastPass, LogMeOnce, and Myki.

We strongly advise that you do not use the sharing feature without adding a PSK or sending the share data via an encrypted channel. Ideally, Enpass would not include an unsecured method for sharing at all.

As noted, LastPass, Myki, and LogMeOnce also offer secure sharing. With these three, you can share credentials while hiding the password itself from view, and can also revoke sharing. When you share an item in Enpass, you can’t revoke or modify the shared item; it’s out of your hands. Still, while secure sharing is common in commercial password managers, you won’t find it in many free ones.

Enpass does not currently offer any password inheritance features, which would facilitate the transfer of your credentials and other valuable information in the event of your untimely demise. Both LastPass and Keeper Password & Digital Vault support digital inheritance features. This is just one way to help your loved ones manage your digital life after you die.

Enpass as an Authenticator

While Enpass doesn’t use traditional two-factor authentication methods for its own protection, it can serve as a replacement for a third-party authenticator app such as Google Authenticator or Microsoft Authenticator with supporting websites. It generates the necessary TOTPs internally and applies them automatically.

You can use the Enpass mobile app to scan the QR code to set up this feature. Myki offers similar functionality. Setting up TOTP with the Enpass desktop app is more of an adventure. Each saved item has an optional field titled TOTP and you fill that with a secret key. To obtain that key, log in to the TOTP-protected site and edit your two-factor settings. This may require turning two-factor off and on again. When you get to the QR code page, look for the alternative secret key option. Copy that string of text into the relevant item’s TOTP field and save. With 1Password’s desktop app, you can scan the QR code with a built-in tool, which makes the process much easier.

Now, when you view the item in Enpass, you see the current value of the TOTP, along with a 30-second countdown until the key changes. LastPass goes one step further with TOTPs by backing them up, which is helpful in case you ever accidentally delete your authenticator app.
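
How the secret key pasted into the TOTP field becomes the changing code and 30-second countdown described above, as an added example that is not Enpass's code. It follows RFC 6238 with HMAC-SHA1; the secret shown is the RFC's published test key, not a real account's, and the drift window in `verify` is an assumed server setting.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# spaced and lower-cased the way sites often display the "secret key".
SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(secret_text):
    """Turn the displayed secret key into raw key bytes."""
    cleaned = secret_text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # sites usually drop base32 padding
    return base64.b32decode(cleaned)


def totp(secret_text, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(decode_secret(secret_text),
                   struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(unix_time, step=30):
    """Countdown until the displayed code changes."""
    return step - (unix_time % step)


def verify(secret_text, submitted, unix_time, window=1, step=30):
    """Site-side check that tolerates +/- window steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret_text, unix_time + d * step, step),
                            submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    import time
    now = int(time.time())
    print(totp(SECRET, now), f"(changes in {seconds_remaining(now)}s)")
```

Anyone holding the secret key can compute every future code, so a vault that stores both the password and the TOTP secret holds both factors for that site.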

Enpass for Mobile

As noted earlier, unless you pay the one-time $11.99 fee, your mobile apps can only manage a single vault and the first 25 entries you add. Most users will hit those limits quickly, so it’s not as workable a solution as other free password managers.

On Android or iOS, you can enable fingerprint authentication and each platform’s respective face-scanning authentication method. It supports the Autofill feature on both platforms. Enpass lets you connect to your Apple Watch (an extra-cost option in Myki) or Android Wear, too.

We installed Enpass on a Google Pixel 3 running Android 10. After we signed in to our account, we expected everything to already be synced over (since we had set up syncing with OneDrive from the desktop app). However, we had to navigate to Settings > Vaults and set up synchronization again. The app could do a much better job describing the steps users need to take to sync over the content of their vaults.

In terms of functionality, the Enpass Android app is on par with the desktop version. You can access any vaults you’ve synced, manage tags, use all the password audit tools, and generate passwords. There’s even a matching dark theme. Auto-filling worked as expected in apps as did filling TOTP codes. As noted, you can use the Enpass mobile app to scan QR codes to set up app-based two-factor authentication methods.

Handles the Basics

Using third-party cloud storage, the free (for desktops) Enpass Password Manager can sync passwords across all your Windows, macOS, and Linux desktops. It handles password capture and form-filling mostly as expected, too. Although we like that it can replace your authenticator app, we wish Enpass got rid of the unsecured sharing method and added sharing permissions. You have to pay for the full capabilities of the mobile edition, too. Still, Enpass’s biggest flaw is its lack of mainstream 2FA options for protecting app access.

Dashlane and Keeper Password Manager & Digital Vault are our Editors’ Choice password managers because of their ease-of-use and excellent features. Our Editors’ Choice winners for free password management are Myki Password Manager & Authenticator and LastPass. Myki, which also stores your passwords locally, manages syncing and other tasks much more smoothly. LastPass beats Enpass on features, as it includes password inheritance tools.
