I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.
You must log in or register to comment.
Password management is the one thing i don’t plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don’t want to also fuck around with account recovery for my entire digital existence.
Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.
That’s largely why I haven’t self hosted either. But problems can be mitigated:
- regular, automated backups to something else (say, KeePass), encrypted with your master pass and backed up off-site
- host your PW manager on a VPS, or have the VPS ready to deploy a snapshot from offsite backup
- change your master pass regularly - limits the kinds of breaches that can impact you
- randomize usernames - makes it easier to detect a breach, because you can see if any of those were exposed without the org being breached
But honestly, my main reason is that I don’t trust my server to stay up 100%, but I do expect Bitwarden to. I also trust their security audits.
I’m self hosting Vaultwarden and my home server got killed by the hurricane, yet I can still access my passwords just fine on the app because it stores them locally encrypted on my phone from the last time it synced. I just can’t update or change anything until I can bring everything back on.
So, host your own shit you cowards, it’ll be fine.
Bitwardens local cache does not include attachments, though. If you rely on them, you have to rely on the server being available.
I just… don’t see the benefit. I host videos so I can access video content even if my internet goes out, and it’s a lot cheaper than paying for streaming. I host my own documents because I don’t want big tech scraping all my data. I host my own budgeting software, again, because of privacy.
I could host Vaultwarden. I just don’t really see the point, especially when my SO and I have a shared collection, and if that broke, my SO would totally blame me, and I don’t think that’s worth whatever marginal benefits there are to self-hosting.
Maybe I’ll eat my words and Bitwarden will get hacked. But until then, stories like yours further confirm to me that not hosting it is better.
I recommend against hosting a password manager yourself.
The main reason is self hosted systems require maintenance to patch vulnerabilities. While it’s true that you won’t be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).
Using professional hosting means just that, professional hosting with people who’s full time job is running those systems and keeping people that aren’t supposed to be there out.
Plus, you always have the encryption of the binary blob itself to fall back on (which if you’ve got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe… And mixed in with a lot of other data that’s likely higher priority to target.
My approach to this is as follows:
- the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
- Loss of control of this data would be catastrophic, so I took its security very seriously.
- No one company can be trusted with our data, because they all get hacked or make mistakes at some point.
I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.
I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.
If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.
Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.
Cheers.
A couple of questions
-
How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?
-
Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?
How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?
They do support file storage. I’ve been using that for years for storing small files related to certain accounts an such.
Good to know, thanks. I haven’t actually started looking for the Enpass replacement yet, but it sounds like Bitwarden will be a lead contender.
I’ve apparently been missing this button for several years. Thanks!
Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.
Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.
The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.
I didn’t really consider the possibility of the client being compromised yet, good point.
-
Loss of control of this data would be catastrophic, so I took its security very seriously.
Ask yourself: “If my current system is unavailable: How screwed am I?”
If the answer is anything less than “Not screwed at all!”, then it is time for a backup - regardless of what system you’re using or plan to use.
Fair comment, although due to the distributed nature of our implementation we are unlikely to lose services. All Vaults are stored locally on all devices.
Having said that - the copy of the vault on the Mac is backed up with TimeMachine.
[I’ve been a greybeard sysadmin and use 3,2,1 even at home]
Firefox has a built in password manager, it is stored on each machine you sync. But to anwer your question any cloud stored data is vulnerable, so be sure your password manager supports other verification measures such as Yubikey as another factor of authentication
I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it’s free and I know enough to troubleshoot any problems.
I use a KeePassXC database on a syncthing share and haven’t had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.
One benefit to hosted password vaults over files is that they can use 2FA - you can’t exactly do TOTP with a static file.
(As an aside, I wish more “self hosted” apps were instead “local file and sync friendly” apps instead, exactly because of offline access)
You can do 2FA with Keepass, just not TOTP. Add a key file or a hardware key on top of your master password and you pass “something that you have and something that you know” test
KeepassXC handles TOTP.
It can generate TOTP codes, but I’m saying that the vault itself can’t be secured with TOTP.
Then the difference is really that someone else is handing the security, right? At the end of the day, there’s an encrypted file somewhere, and a TOTP only protects a particular connection by network.
Sure, but there’s a big difference between a vault copied and synced on all of my mobile devices that I could easily lose versus only on a server behind locked doors.
Why not a piece of hardware instead of self hosting, cloud hosting, etc?
What do you mean?
I’m curious why your listed options are all software that runs on the internet as opposed to a piece of hardware that you connect to your devices.
Is that just because this is the self hosting community?
Well partly yes. This is a self hosted community so I asked a self hosted question.
The other part (I.e. why I haven’t asked anywhere about hardware solutions) is because I am not aware of a hardware solution that could do what a software solution can do: that is, store all my passwords, credit card details, OTP codes etc and work with any service that requires a password.
If you know of a hardware solution that does the same then by all means share! I am open to alternative ideas as well.
I must have been way out of it late last night. I totally missed that you were asking why people do it and not looking for recommendations. Sorry for the spammy nonsense response to your OP.
To the latter question, I’ve seen devices that do OTP and FIDO in addition to basically storing arbitrary strings (e.g. your cc number).
I get harassment scolding me for using Lemmy to advertise when I mention any of the products by name, despite having no affiliation with any of them outside of being a user, but they’re not hard to find if you look.
Regarding benefits for the paid tier (which I use as a sort of donation):
- it’s literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
- What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)
Regarding self-hosting:
I decided against it.- Too much important stuff in there (+400 accounts)
- Too much stuff in there I would need to back up and keep safe. Not in the mood.
- Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
I think you misread my post. I know what the benefits of their paid teir are, because literally read their page.
I was asking why people self host. As you don’t self host…I’m not sure why you’re responding, especially not with passive aggressive language like that.
Didnt feel passive aggresive to me.
And regarding the question why people self host:
More or less the usual reasons (e.g. learning, just4fun, experimenting)
And I gave you the reasons why I decided against it.Do with both informations what you need to do. Keeping it in mind or disregard my opinion/choices as not directly answering your question
If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.
I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It’s not perfect, but it’s better than LP and 1Pass.
The reason you’d want to self-host is so that nobody has access to your data but you. “The cloud” is just someone elses computer"
Bitwarden does external audits with reports and stores in zero knowledge storage.
Loose your master password and you are fucked. They can’t restore it even if you pay them a million €That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that’s on you, your data is a high priority target in a centralized password store… if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it’s kind of a six of one, half dozen of the other.
I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don’t need to worry about Internet access at all.
This is the answer.
I use syncthing to sync between devices.
this is what I do as well, along with file staging so if I corrupt it by accident I don’t lose the entire DB
Currently I have it on my server as grab only, and then normal access on my clients with staging
don’t need to worry about Internet access at all.
For what it’s worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it’ll sync with the server.
This is what recommend as well. The various KeePasses all to pretty good jobs of merging databases, in case of sync conflicts, and you can utterly ignore whether you’re online or not. Plus, there’s a really fantastic tool, written by a veritable genius of a developer, that lets you use a KeePass DB as a secret service on your desktop.
You delicious bastard! Thanks for the rook tip.
But keepassxc already provides a secret service ootb?
KeePassXC can’t be run in headless mode, and the GUI is tightly coupled to the app. You have to have all of X installed, and have a display running, to run it.
Here’s the runtime dependencies of KeePassXC:
linux-vdso.so.1 libQt5Svg.so.5 libqrencode.so.4 libQt5Concurrent.so.5 libpcsclite.so.1 libargon2.so.1 libQt5Network.so.5 libQt5Widgets.so.5 libbotan-3.so.5 libz.so.1 libminizip.so.1 libQt5DBus.so.5 libusb-1.0.so.0 libQt5X11Extras.so.5 libQt5Gui.so.5 libQt5Core.so.5 libX11.so.6 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6 /lib64/ld-linux-x86-64.so.2 libgssapi_krb5.so.2 libproxy.so.1 libssl.so.3 libcrypto.so.3 libbz2.so.1.0 liblzma.so.5 libsqlite3.so.0 libdbus-1.so.3 libudev.so.1 libGL.so.1 libpng16.so.16 libharfbuzz.so.0 libmd4c.so.0 libsystemd.so.0 libdouble-conversion.so.3 libicui18n.so.75 libicuuc.so.75 libpcre2-16.so.0 libzstd.so.1 libglib-2.0.so.0 libxcb.so.1 libkrb5.so.3 libk5crypto.so.3 libcom_err.so.2 libkrb5support.so.0 libkeyutils.so.1 libresolv.so.2 libpxbackend-1.0.so libgobject-2.0.so.0 libcap.so.2 libGLdispatch.so.0 libGLX.so.0 libfreetype.so.6 libgraphite2.so.3 libicudata.so.75 libpcre2-8.so.0 libXau.so.6 libXdmcp.so.6 libcurl.so.4 libgio-2.0.so.0 libduktape.so.207 libffi.so.8 libbrotlidec.so.1 libnghttp3.so.9 libnghttp2.so.14 libidn2.so.0 libssh2.so.1 libpsl.so.5 libgmodule-2.0.so.0 libmount.so.1 libbrotlicommon.so.1 libunistring.so.5 libblkid.so.1I don’t know why it links to a systemd library. Here are the runtime dependencies of rook:
linux-vdso.so.1 libresolv.so.2 libc.so.6 /lib64/ld-linux-x86-64.so.2Don’t get me wrong: KeePassXC is one of my favorite programs. But don’t leave it running all the time, and it can’t be run on headless systems.
I see, thanks for explaining. So IIUC, rook is intended for headless systems?
Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.
Yes. It has been a while since I moved (whenever the first breach was), but I exported from lastpass and imported to Bitwarden with minimal issue, I think I had to add a column.
Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)
I do exactly this, and use Keepass2Android on my phone and have nextcloud-KeeWeb installed.
Tangentally related - For anyone looking to take over a project, KeeWeb is looking for a new maintainer!
Yeah. I use KeepassXC on my computers and KeepassDX on my phone. All synced with syncthing and it works great.
This is the way. It’s also one of the simplest self-hosted setups you can have. Highly recommend it.
Bitwarden also syncs a local copy to every device it connects to.
I self host Bitwarden and it’s free to self host. You only have to pay for a license if you need multiple users or want to use their cloud services, I believe. My instance is 100% self hosted and completely isolated from the internet, and it works fine.
I self host it because I self host everything, but for credential managers I would never trust any 3rd party closed source utility or cloud service. Before I used a password manager I tracked them all manually with a text file and a TrueCrypt volume. I think giving unrelated credentials to 3rd parties is asking for trouble - they definitely don’t care as much about them as you do!
If you’re going to self host any credential manager, make sure you have an appropriate backup strategy, and make sure you have at least one client synced regularly so that you can still access passwords if the server itself dies for some reason.
You only have to pay for a license if you need multiple users or want to use their cloud services, I believe.
AFAIK you can have multiple users for free when self-hosting, and the features are essentially the same as the free hosted version. You need to pay if you want to get the premium features or share passwords across multiple users using an organization. Essentially the pricing is the same as the hosted version.
I’d recommend Vaultwarden for a small-scale self-hosted solution. It’s not Bitwarden, but it’s fully API-compatible so you can use all the Bitwarden clients and browser extensions. Self-hosted Bitwarden is quite a bit heavier than Vaultwarden since it’s designed for large-scale usage (like for an entire company of tens of thousands of people)
Thanks that’s a helpful reply
I selfhost vault warden, and in all honesty, it’s just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.
The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it’s fully featured and super easy to deploy the server, ridiculously so.
Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I’d suggest to take the second option, for 2 reasons:
1.- it’s even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive
