Why self host a password manager?
I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.
Because when whatever company gets a data breach I don't want my data in the list.
With bitwarden If your server goes down then all your devices still have a local copy of your database you just can't add new passwords until the server is back up.
Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.
Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.
Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn't even notice the outages in the BitWarden app/extension.
This was also the most compelling reason for me to consider it.
I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.
I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.
More than any other piece of self-hosted software: backups are important if you're going to host a password manager.
I have Borg automatically backing up most of the data on my server, but around once every 3 months or so, I take a backup of Vaultwardens data and put it on an external drive.
As long as you can keep up with that, or a similar process; there's little concern to me about screwing things up. I'm constantly making tweaks and changes to my server setup, but, should I royally fuck up and say, corrupt all my data somehow: I've got a separate backup of the absolutely critical stuff and can easily rebuild.
But, even with the server destroyed and all backups lost, as long as you still have a device that's previously logged into your password manager; you can unlock it and export the passwords to manually recover.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
LastPass said the exact same thing. I won't be a big target like they will though.
LastPass doesn’t have your password, so it can’t be stolen during a breach.
But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.
https://support.1password.com/secret-key-security/
Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.
For that reason, your 1Password account is more likely to compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.
Ok, but this doesn't explain why you would choose to self-host VaultWarden rather than using BitWarden.
I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don't need to worry about Internet access at all.
This is what recommend as well. The various KeePasses all to pretty good jobs of merging databases, in case of sync conflicts, and you can utterly ignore whether you're online or not. Plus, there's a really fantastic tool, written by a veritable genius of a developer, that lets you use a KeePass DB as a secret service on your desktop.
You delicious bastard! Thanks for the rook tip.
But keepassxc already provides a secret service ootb?
KeePassXC can't be run in headless mode, and the GUI is tightly coupled to the app. You have to have all of X installed, and have a display running, to run it.
Here's the runtime dependencies of KeePassXC:
I don't know why it links to a systemd library. Here are the runtime dependencies of rook:
Don't get me wrong: KeePassXC is one of my favorite programs. But don't leave it running all the time, and it can't be run on headless systems.
I see, thanks for explaining. So IIUC, rook is intended for headless systems?
I use it for everything, but then, I wrote it. All of the desktop secret service tools have desktop dependencies (Gnome's uses Gnome libraries, KDE's pulls some KDE libraries) and run through DBUS; since I don't use a DE, it's a fair bit of unnecessary bloat. And I don't like GUI apps that just hang around in the background consuming resources. I open KeePassXC when I need to make changes to the DB, and then I shut it down. Otherwise, it hangs out in my task bar, distracting me.
Rook is for people who want to run on headless systems, or want to minimize resources usage, or don't use a desktop environment (such as Gnome or KDE), or don't run DBUS, or don't run systemd. It's for people who don't want a bunch of applications running in the background in their task bar. KeePassXC providing a secret service is great, but it's overkill if that's most of what it's providing for you, most of the time.
I don't think took is for everyone, or even for most people. It's for people who like to live mostly in the command line, or even in VTs.
For what it's worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it'll sync with the server.
This is the answer.
I use syncthing to sync between devices.
this is what I do as well, along with file staging so if I corrupt it by accident I don't lose the entire DB
Currently I have it on my server as grab only, and then normal access on my clients with staging
Agreed with using keepass. If you're one person accessing your passwords, there's no reason you need a service running all the time to access your password db. It's just an encrypted file that needs to be synced across devices.
However, if you make frequent use of secure password sharing features of lastpass/bitwarden/etc, then that's another story. Trying to orchestrate that using separate files would be a headache. Use a service (even if self-hosted).
vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.
Fully agreed.
Accessing Vaultwarden through a VPN gives me peace of mind that it can't be attacked.
Another great thing about Bitwarden is that it's possible to export locally cached passwords to (encrypted) json/csv. This makes recovery possible even if all backups were gone.
A VPN? you still need a reverse proxy/domain to use it don't you?
Yes, Bitwarden browser plugins require TLS, so I use DNS challenge to get a cert without an open port 80/443.
The domain points to a local IP, so I can't access it without the VPN.
Having everything behind a reverse proxy makes it much easier to know which services are open, and I only need to open port 80/443 on my servers firewall.
DNS challenge? It is the 1st time I read about it.
I suppose in your LAN you need no VPNs then?
Yes.
You can forward a Wireguard port, exposing it to the internet.
Hmm, interesting, how would I start doing this?
I use a Synology NAS BTW, so it already gives me a Synology subdomain to mess around.
Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can't run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I'm not too worried about unauthorized access.
Vaultwarden is one of the few services I'd actually trust to be secure, so I wouldn't worry if you update timely to new versions.
I hope it gets security audited one day, like Bitwarden was.
Because they use the official apps/web-vault, they don't need to implement most of the vault/encryption features, so at least the actual data should be fine.
Security audits are expensive, so I don't expect it to happen, unless some sponsor pays for it.
They have processes for CVEs and it seems like there wasn't any major security issues (altough I wouldn't host a public instance for unknown users).
That's a good point. I didn't consider the fact that all the encryption is done client-side, so that's the most important part to audit (which Bitwarden has already done).
I have my Vaultwarden public so I can use it at work too, but my firewall blocks all external IPs except my work's IP.
I'm self-hosting a VaultWarden install, and I'm doing it because uh, well, at this point I've basically ended up hosting every service I use online at this point.
Though, for most people, there's probably no real reason to self-host their own password manager, though please stop using Lastpass because they've shown that they're utterly incompetent repeatedly at this point.
Yeah I will likely move away.
My understanding with lastpass was that they had a breach but only encrypted data was stolen? What did I miss?
It was, IIRC, 3 separate breaches, plus a situation where the default KDF iterations on the vault was set to low as to actually make said encrypted data crackable.
The last I don't really blame them for necessarily, but rather shows that they weren't paying any attention to what their platform would actually protect against and what the threat landscape was and thus they never increased it and worse, when they did, they didn't force older vaults to increase it because it would be mildly inconvenient to users.
Basically, just a poor showing of data stewardship and if there's ONE thing you want your password manager to be good at, it's that.
Yeah that tracks, tbh I had set mine higher so wasn't an issue for me - but their UX, particularly on Android, is appalling.
Just curious, how do you host it? Do you have it containerized or no?
Yeah, I run everything in containers, minus a couple of things like the nginx install that's doing reverse proxy work.
Password management is the one thing i don't plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don't want to also fuck around with account recovery for my entire digital existence.
Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.
That's largely why I haven't self hosted either. But problems can be mitigated:
But honestly, my main reason is that I don't trust my server to stay up 100%, but I do expect Bitwarden to. I also trust their security audits.
I'm self hosting Vaultwarden and my home server got killed by the hurricane, yet I can still access my passwords just fine on the app because it stores them locally encrypted on my phone from the last time it synced. I just can't update or change anything until I can bring everything back on.
So, host your own shit you cowards, it'll be fine.
Bitwardens local cache does not include attachments, though. If you rely on them, you have to rely on the server being available.
I just... don't see the benefit. I host videos so I can access video content even if my internet goes out, and it's a lot cheaper than paying for streaming. I host my own documents because I don't want big tech scraping all my data. I host my own budgeting software, again, because of privacy.
I could host Vaultwarden. I just don't really see the point, especially when my SO and I have a shared collection, and if that broke, my SO would totally blame me, and I don't think that's worth whatever marginal benefits there are to self-hosting.
Maybe I'll eat my words and Bitwarden will get hacked. But until then, stories like yours further confirm to me that not hosting it is better.
I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it's free and I know enough to troubleshoot any problems.
My approach to this is as follows:
I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.
I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.
If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.
Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.
Cheers.
Ask yourself: "If my current system is unavailable: How screwed am I?"
If the answer is anything less than "Not screwed at all!", then it is time for a backup - regardless of what system you're using or plan to use.
Fair comment, although due to the distributed nature of our implementation we are unlikely to lose services. All Vaults are stored locally on all devices.
Having said that - the copy of the vault on the Mac is backed up with TimeMachine.
[I’ve been a greybeard sysadmin and use 3,2,1 even at home]
A couple of questions
How do you store a driver's license in Bitwarden? Last time I checked they didn't support file storage. Do you just put it in the cloud storage?
Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?
Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.
Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.
The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.
I didn't really consider the possibility of the client being compromised yet, good point.
Lastpass was hacked and might have lost control of some data https://blog.lastpass.com/posts/2022/12/notice-of-security-incident
1Pass hasn’t been hacked directly, but they were affected by the Okta https://blog.1password.com/okta-incident/
(One of the most common vectors for hacks is through your vendors - see Target https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/)
Dropbox had an unauthorized access, but the seemed on top of it. https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign
Dropbox also has had a more significant data breech, but a while ago. https://www.twingate.com/blog/tips/dropbox-data-breach#
Overview of all password manager breeches! https://bestreviews.net/which-password-managers-have-been-hacked/
They do support file storage. I've been using that for years for storing small files related to certain accounts an such.
I've apparently been missing this button for several years. Thanks!
Good to know, thanks. I haven’t actually started looking for the Enpass replacement yet, but it sounds like Bitwarden will be a lead contender.
I don't, specifically because I don't trust myself to host that. I know what people will say here, but I trust 1pass way more than I could do it myself.
1pass uses your password plus a secret key to generate your full "password", meaning you need both to access your vault. The password you memorize, the key you keep safe somewhere (inside the vault is even good, since you probably have it open on another device should you need it). They publish their docs, and show how they encrypt your vaults. To them, your vaults are truly just random bytes they store in blob storage. They don't store your key, they don't store your password, they will not help you out if you lock yourself out. That's the level of security I want for a password vault. If they ever get breached, which hey, it can happen, the most someone will get is a random blob of data, which then I'd go and probably generate a new password and reencrypt everything again anyway.
Vs me hosting myself, I'm sure the code is good - but I don't trust myself to host that data. There's too many points of failure. I could set up encryption wrong, I could expose a bad port, if someone gained access to my network I don't trust that they wouldn't find some way to access my vaults. It's just too likely I have a bad config somewhere that would open everything up. Plus then it's on me to upgrade immediately if there's a zero day, something I'm more likely to miss.
I know, on the selfhosted community this is heresy, but this is the one thing I don't self host, I leave it to true security researchers.
Nah, I'm with you, except I use BitWarden.
There are somethings either worth paying someone else to host, or where you trust a 3rd party more than you're own setup. I realize other users may feel different, but ultimately it's a judgement call
BW has been a pretty great opensource company, and it's worth my $10/yr for premium.
Wow, Bitwarden has made leaps and bounds on catching up to 1password on dev tools and enterprise features the last few years. I'm going to need to re-evaluate/consider moving over.
As a side note, if you work somewhere that uses 1password, you can usually get your personal subscription comped as an individual. Only need to pay for it if you leave your company or they drop 1password.
I dont know that I'll stay on 1password forever, but on the scale of things I'm most concerned about self-hosting vs using a reasonably private SaaS, 1password is nowhere near the top of my list to ditch. Otherwise, its a solid recommendation for non-self hosters who want to make some progress.
Same with Keeper as far as I know (which is what we use at work).
I prefer security software to be open-source though, which is why I love Bitwarden. Even if you don't self-host it, there's still value in it being open-source.
After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.
And I have the encrypted database in multiple places should one go tits up.
Very interesting. How secure is this against having a compromised device? I‘m really paranoid that someone would somehow have a backdoor into my systems and snatch stuff I host on my own
Not the one who wrote the command: The Keepass DB encryption is afaik pretty damn good. So that wouldn't be an attack vector I would worry about. Also and those are just my five cents and I might probably be ripped in pieces by some it sec people, I wouldn't fear too much about a backdoor being put into your systems when self hosting. If someone actually does this it's most probably gonna be some actor related to a government that targets you for whatever reason and at least then most of us wouldn't stand a chance to keep all of their IT devices save, especially when they could stop you on the streets and get physical access to some devices. On the other hand hosted services with thousands of customers are also a lucrative target for cyber crime and which you as a self hosting individual are most probably not. This reduces the possible threats quite a bit, at least if you keep up some default safety stuff to not just let any wannabe hacker from wherever into your self hosted services that would be happy if they can get a 5 thousands dollars/ euros or whatever from you.
If it’s the system with the (locked) KeePass database on it, you should be fine. The encryption can be tweaked so that unlocking the database takes a second even on modern systems. Doesn’t affect you much, but someone trying to brute-force the password will have a hard time. It also supports keyfiles for even more security.
If somebody infiltrates your end user device, no password tool will be safe once you unlock it.
I use a KeePassXC database on a syncthing share and haven't had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.
One benefit to hosted password vaults over files is that they can use 2FA - you can't exactly do TOTP with a static file.
(As an aside, I wish more "self hosted" apps were instead "local file and sync friendly" apps instead, exactly because of offline access)
You can do 2FA with Keepass, just not TOTP. Add a key file or a hardware key on top of your master password and you pass "something that you have and something that you know" test
KeepassXC handles TOTP.
It can generate TOTP codes, but I'm saying that the vault itself can't be secured with TOTP.
Then the difference is really that someone else is handing the security, right? At the end of the day, there's an encrypted file somewhere, and a TOTP only protects a particular connection by network.
Sure, but there's a big difference between a vault copied and synced on all of my mobile devices that I could easily lose versus only on a server behind locked doors.
I'm on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.
Commitment: I know my server OS isn't setup as well as it could be for mission critical software/uptime. I'm a hobbiest with limited time to spend on this hobby and I can't spend 100hrs getting it all right.
Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.
So I don't trust my own OS to be fully secure and I don't trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.
I've seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.
All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don't think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.
Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)
Yeah. I use KeepassXC on my computers and KeepassDX on my phone. All synced with syncthing and it works great.
This is the way. It's also one of the simplest self-hosted setups you can have. Highly recommend it.
Bitwarden also syncs a local copy to every device it connects to.
I do exactly this, and use Keepass2Android on my phone and have nextcloud-KeeWeb installed.
Tangentally related - For anyone looking to take over a project, KeeWeb is looking for a new maintainer!
I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it's easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.
Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.
I don’t understand it tbh. Password managers and email are the main things I avoid self hosting. Email because it’s just too easy to fuck something up and never realize you’re not actually properly sending/receiving email. And password managers because if I lose access to it, I’m kinda royally fucked. And the password managers I use keeps a local copy of your database that gets periodically updated, so even without internet I do still have access.
Could one not theoretically self-host a PW manager that also keeps a local copy of the database for times with no internet?
Idk if that doesn't exist yet or what, and there are plenty of other reasons against self-hosting a PW manager but that seems like a logical work-around for that particular problem. Keep your access when the internet is down, and keep your data out of third party control.
Bitwarden does exactly that. It will mostly work with no server connection.
Absolutely, in fact I’d be willing to bet vaultwarden does just that. That’s a good point.
Yep, it does!
Regarding benefits for the paid tier (which I use as a sort of donation):
Regarding self-hosting:
I decided against it.
I think you misread my post. I know what the benefits of their paid teir are, because literally read their page.
I was asking why people self host. As you don't self host...I'm not sure why you're responding, especially not with passive aggressive language like that.
Didnt feel passive aggresive to me.
And regarding the question why people self host:
More or less the usual reasons (e.g. learning, just4fun, experimenting)
And I gave you the reasons why I decided against it.
Do with both informations what you need to do. Keeping it in mind or disregard my opinion/choices as not directly answering your question
I pay Bitwarden the tenner a year as I have no reason to distrust them and they're definitely providing a more reliable, securer service than I can self-host.
I also do an encrypted export once per week and store that export to an encrypted cloud based service and an encrypted USB stick. Takes 2 minutes.
If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.
I use KeepassXC
Using vault warden because I read too much about errors in implementing or design in services like LastPass or (though encrypted) vaults being stolen.
Bit warden client on Android lets you sync (ie LAN) and then use it as a read only database while on the go without a connection.
I recently added tailscale and when I really need a service from home I just flick it on on my phone and I am good
Works like a charm.
How to set up Vaultwarden with tailscale ? Any pointer ?
I've been using VW for over a year but I'm double NAT'd so I set it up with CF Tunnel with my domain and while I'm confident in my master ps I would prefer TS.
I was lazy and since I don't need it very often I didn't really set up anything besides installing the clients on my devices.
That gives you the possibility to connect to your server via the hostname (definable with tailscale) when you connect your device like Our phone with the TS app. Edit the URL in bit warden and you are done.
I selfhost vault warden, and in all honesty, it's just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.
The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it's fully featured and super easy to deploy the server, ridiculously so.
Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I'd suggest to take the second option, for 2 reasons:
1.- it's even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive
Bitwarden's free version is enough for my purposes, but I didn't realize they had a $10/yr plan. That seems worth paying for, I'll have to look into it.
I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.
If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.
Do you recall the rational for 1password?
I can imagine the enterprise/business options are better than bitwarden but as an individual user I don't need that and would only have the individual plan. It's a little over twice the price of BitWarden and while every company I've worked at in recent years has had 1password i don't see it mentioned on here anywhere near as often as BitWarden.
I imagine BitWarden is sufficiently good. The big leap in security comes from having no password manager to a decent password manager.
LastPass does not seem as serious about security so it doesn’t meet my personal bar for decency.
I self host Bitwarden and it's free to self host. You only have to pay for a license if you need multiple users or want to use their cloud services, I believe. My instance is 100% self hosted and completely isolated from the internet, and it works fine.
I self host it because I self host everything, but for credential managers I would never trust any 3rd party closed source utility or cloud service. Before I used a password manager I tracked them all manually with a text file and a TrueCrypt volume. I think giving unrelated credentials to 3rd parties is asking for trouble - they definitely don't care as much about them as you do!
If you're going to self host any credential manager, make sure you have an appropriate backup strategy, and make sure you have at least one client synced regularly so that you can still access passwords if the server itself dies for some reason.
AFAIK you can have multiple users for free when self-hosting, and the features are essentially the same as the free hosted version. You need to pay if you want to get the premium features or share passwords across multiple users using an organization. Essentially the pricing is the same as the hosted version.
I'd recommend Vaultwarden for a small-scale self-hosted solution. It's not Bitwarden, but it's fully API-compatible so you can use all the Bitwarden clients and browser extensions. Self-hosted Bitwarden is quite a bit heavier than Vaultwarden since it's designed for large-scale usage (like for an entire company of tens of thousands of people)
Thanks that's a helpful reply
I access my Vaultwarden server via Cloudflared tunnel while I'm away from home network.
I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It's not perfect, but it's better than LP and 1Pass.
The reason you'd want to self-host is so that nobody has access to your data but you. "The cloud" is just someone elses computer"
Bitwarden does external audits with reports and stores in zero knowledge storage.
Loose your master password and you are fucked. They can't restore it even if you pay them a million €
That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that's on you, your data is a high priority target in a centralized password store... if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it's kind of a six of one, half dozen of the other.
Fair points.
Considering bitwarden is zero knowledge the data in itself is for now 'safe' enough to me.
Though I could be subject to IP/vulnerability scans on my home connection or accidentaly forwarding stuff that puts the security at risk and getting compromised (Seriously...The stuff I could connect and control via VNC I found on shodan was very creepy and frightening).
Nah mate. Plus maintaining the data I already have is enough for me. Bitwarden would be way too much. But maybe in the future once I figure Linux and docker more out :)
Im curious what makes it better than 1pass? Ive used a few of these, and my experience with 1pass was probably the best. Well, except for the price..
You'll learn pretty quickly that a large chunk of self-hosting people are the types that are just terrified of having things be outside their control, which by extension means they are terrified of other people that aren't them running infrastructure. 🫠
True but also free service and fun to play with.
The learning aspect is the big one for me. If you need a reliable service with no time spent learning or troubleshooting, you're probably better using a paid service.
But also, there are significant potential savings and advantages for data storage at home.
And at 10€ per year I'll gladly pay that. Now if it was 10€ per month and almost bi-yearly increasing, because why not, I'd quickly reconsider taking the risk and responsibility of self-hosting the door to my internet- and reallife existence.
I store everything in there. Banking, health, shopping, etc etc. Not worth it exposing it without knowing how much I expose.
The things I currently expose are relatively low-risk.
If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you'd still have access to all the accounts you're saving in it.
I recommend against hosting a password manager yourself.
The main reason is self hosted systems require maintenance to patch vulnerabilities. While it's true that you won't be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).
Using professional hosting means just that, professional hosting with people who's full time job is running those systems and keeping people that aren't supposed to be there out.
Plus, you always have the encryption of the binary blob itself to fall back on (which if you've got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe... And mixed in with a lot of other data that's likely higher priority to target.
There's self-hosting that's low risk but does remove some convenience. For example, I use a offline password manager. I keep a Veracrypt container on my computer that hosts that and a few other important files. When I make enough updates, I'll throw a copy into Dropbox so I can save access it elsewhere. The disadvantage is that I cannot update the primary version from one of those other devices but, for me, that's not really an issue.
I self host services as much as possible for multiple reasons; learning, staying up to date with so many technologies with hands on experience, and security / peace of mind. Knowing my 3-2-1 backup solution is backing my entire infrastructure helps greatly in feeling less pressured to provide my data to unknown entities no matter how trustworthy, as well as the peace of mind in knowing I have control over every step of the process and how to troubleshoot and fix problems. I’m not an expert and rely heavily on online resources to help get me to a comfortable spot but I also don’t feel helpless when something breaks.
If the choice is to trust an encrypted backup of all my sensitive passwords, passkeys, and recovery information on someone else’s server or have to restore a machine, container, vm, etc. from a backup due to critical failures, I’ll choose the second one because no matter how encrypted something is someone somewhere will be able to break it with time. I don’t care if accelerated and quantum encryption will take millennia to break. Not having that payload out in the wild at all is the only way to prevent it being cracked.
Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.
Yes. It has been a while since I moved (whenever the first breach was), but I exported from lastpass and imported to Bitwarden with minimal issue, I think I had to add a column.
you become fully in charge of your passwords instead of relying on someone else
TL;DR:
Lots of people like and recommend Bitwarden. I think followed by KeePass on second place.
I self-host stuff because I can, because I learn something while doing it and it gives me control. And I'm running that server anyways, so I might as well install one more service on it. If you don't want to spend your time managing and maintaining servers and services, go for the official (paid) service. That'll do, too.
If you're worried about your internet connection going down, either use a VPS in a datacenter or just use software that syncs to your devices. I think Bitwarden does that, your passwords will be available without an internet connection to your server. They just won't get synced until the server is reachable again.
Thanks, I did consider the syncing would be fine. But if the reason to do it is just hobbying then I'll pass, I have too many hobbies at this point and managing what I'm already hosting is giving me enough of a scratch for that itch
I run vaultwarden in a docker container and I can't say I've touched it since then. Its as much maintenance as all the other services I run. Reboot the server quarterly to make sure patches are applied. Docker containers patch nightly.
Sure. I think there are some areas where self-hosting is kinda mandatory because other solutions don't fulfill my requirements. But I don't think a password manager is part of that. It stores the passwords encrypted in the cloud anyways, $0-$10 a year isn't much and I think Bitwarden has a good track record and you'll be supporting them. Self-hosting is a nice hobby and I think integral part of a free and democratic culture on the internet. But it doesn't have to be every tiny tool and everyone. Do it if you like, otherwise it's fine if you support open source projects by paying a fair price if you want convenience and they offer a good hosted service.
Appreciate the input - that's exactly where my heads at right now. Didn't expect so many answers - really glad I asked, been very interesting reading different folks views on this.
I self-host Vaultwarden but I use a VPS where I keep things stable. My VPSes run Debian Stable and have unattended-upgrades installed and configured to automatically install security updates. My home server runs Unraid and is more experimental - I'm not running anything of critical importance on it.
Why not a piece of hardware instead of self hosting, cloud hosting, etc?
What do you mean?
I'm curious why your listed options are all software that runs on the internet as opposed to a piece of hardware that you connect to your devices.
Is that just because this is the self hosting community?
Well partly yes. This is a self hosted community so I asked a self hosted question.
The other part (I.e. why I haven't asked anywhere about hardware solutions) is because I am not aware of a hardware solution that could do what a software solution can do: that is, store all my passwords, credit card details, OTP codes etc and work with any service that requires a password.
If you know of a hardware solution that does the same then by all means share! I am open to alternative ideas as well.
I must have been way out of it late last night. I totally missed that you were asking why people do it and not looking for recommendations. Sorry for the spammy nonsense response to your OP.
To the latter question, I've seen devices that do OTP and FIDO in addition to basically storing arbitrary strings (e.g. your cc number).
I get harassment scolding me for using Lemmy to advertise when I mention any of the products by name, despite having no affiliation with any of them outside of being a user, but they're not hard to find if you look.
No worries, thanks for clarifying.
I've used cloud based services for password managers for work and "self host" my personal stuff. I barely consider it self hosting since I use Keepass and on every machine it's configured to keep a local cached copy of the database but primarily to pull from the database file on my in-home NAS.
Two issues I've had:
Logging into an account on a device currently not on my home network is brutal. I often resort to simply viewing the needed password and painstakingly type it in (and I run with loooooong passwords)
If I add or change a password on a desktop and don't sync my phone before I leave, I get locked out of accounts. Two years rocking this setup it's happened three times, twice I just said meh I don't really need to do this now, a third time I went through account recovery and set a new password from my phone.
Minor complaint:
Sometimes Keepass2Android gets stuck trying to open the remote database and I have to let it sit and timeout (5 minutes!!!) which gets really annoying but happens very infrequently which is why I say just minor complaint
All in all, I find the inconvenience of doing the personal setup so low that to me even a $10 annual subscription is not worth it
Appreciate your perspective thanks for sharing.
Consider shortening your passwords. Random passwords longer than 20 characters is a complete waste of time.
To me 16 is long haha.
I usually end up running with 16 characters since a lot of services reject longer than 20 and as a programmer I just like it when things are a power of two. Back in the Dark Times of remembering passwords my longest was 13 characters so when I started using a password manager setting them that long felt wild to me.
I do have my bank accounts under a 64 character password purely because monkey brain like seeing big security rating in keepass. Entropy go brrrrrrrrrrrr
Haha, yeah 16 is actually pretty long.
I guess I'm just used to being forced 16 characters long passwords at long.
The way I get around the syncing issue is to set my syncthing to sync when my phone is charging so it's very unlikely to not be in sync, or if I change a password on the PC I'll plug my phone into a USB and it syncs straight away.
I also use KeepassDX on Android and never have those issues.
I run a similar setup, but with syncthing as the syncing system. Every time I connect the phone to the charger it just syncs the database and I can even sync it outside the home network. Works like a charm. Worst case you get a sync conflict which is easy to solve.
Firefox has a built in password manager, it is stored on each machine you sync. But to anwer your question any cloud stored data is vulnerable, so be sure your password manager supports other verification measures such as Yubikey as another factor of authentication
Self-hosting removes the risk of somebody compromising Bitwarden’s servers and adding malicious javascript to send off your master password to a bad actor instead of just processing it locally like it’s designed to.
I think the chances of such a breach are vanishingly small. I wonder if I'm right though.
I think anyone capable of pulling off such a feat is not interested in my data, and probably more likely looking for government employee access etc..
Always self-host anything you can (reasonably).
In this case, don't self-host a password vault. Use a locally encrypted password storage app, and keep it in a self-hosted storage solution (which should also be encrypted).
People want to put too much shit online, opens you wide up for attempted hacking (especially if you use what everyone else uses).
Premium features for free. There are no benefits in relying on a third-party
Well 'no benefits' is a bit of a stretch.
Do you mean 2nd party? If not, what is the 3rd party in this situation?
If you do mean 2nd party - you should have a read through this thread, tonnes of benefit to buying these services.
I have bitwarden family SaaS. So I can share password with my group.
I still just use :X with vim on a server I can ssh to.
Would you give me your password database? I promise to encrypt it!
If it was BitWarden where I can see the client side code ... and there wasn't a better option, quite possibly.
I give my ISP and many other places my BitWarden vault all the time and I just trust they're not recording the traffic and trying to decrypt it.
No, because you're not the supplier of a password manager.
A cloud password manager is a database with your passwords hosted on a stranger’s computer. Why wouldn’t I be just as trustworthy as any other stranger on the internet?
If you can't see the difference for yourself, I won't be able to show you.
There is no difference other than a shiny logo and a “contract” that promises you that the random stranger will take care. I promise that I will take care too.
If you still think there is a relevant difference, please tell me. To me, it looks like you don’t fully understand what a password manager stored on other people’s computers does.
Well they have an app for all the platforms i use, customer support, open sourced code, previous and existing customers that have experience and that recommend them freely, a track record of success, a verifiable business address, operations in a country whose legal system I recognise and offers me certain protections, the ability for me to pay using my preferred method of payment, and most important - not some willfully ignorant representative giving fallacious arguments against using a service.