I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.
You must log in or register to comment.
I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it’s easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.
Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.
After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.
And I have the encrypted database in multiple places should one go tits up.
Very interesting. How secure is this against having a compromised device? I‘m really paranoid that someone would somehow have a backdoor into my systems and snatch stuff I host on my own
I pay Bitwarden the tenner a year as I have no reason to distrust them and they’re definitely providing a more reliable, securer service than I can self-host.
I also do an encrypted export once per week and store that export to an encrypted cloud based service and an encrypted USB stick. Takes 2 minutes.
I access my Vaultwarden server via Cloudflared tunnel while I’m away from home network.
Using vault warden because I read too much about errors in implementing or design in services like LastPass or (though encrypted) vaults being stolen.
Bit warden client on Android lets you sync (ie LAN) and then use it as a read only database while on the go without a connection.
I recently added tailscale and when I really need a service from home I just flick it on on my phone and I am good
Works like a charm.
My approach to this is as follows:
- the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
- Loss of control of this data would be catastrophic, so I took its security very seriously.
- No one company can be trusted with our data, because they all get hacked or make mistakes at some point.
I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.
I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.
If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.
Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.
Cheers.
Loss of control of this data would be catastrophic, so I took its security very seriously.
Ask yourself: “If my current system is unavailable: How screwed am I?”
If the answer is anything less than “Not screwed at all!”, then it is time for a backup - regardless of what system you’re using or plan to use.
Fair comment, although due to the distributed nature of our implementation we are unlikely to lose services. All Vaults are stored locally on all devices.
Having said that - the copy of the vault on the Mac is backed up with TimeMachine.
[I’ve been a greybeard sysadmin and use 3,2,1 even at home]
A couple of questions
-
How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?
-
Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?
Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.
Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.
The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.
I didn’t really consider the possibility of the client being compromised yet, good point.
How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?
They do support file storage. I’ve been using that for years for storing small files related to certain accounts an such.
Good to know, thanks. I haven’t actually started looking for the Enpass replacement yet, but it sounds like Bitwarden will be a lead contender.
I’ve apparently been missing this button for several years. Thanks!
-
Why not a piece of hardware instead of self hosting, cloud hosting, etc?
What do you mean?
I’m curious why your listed options are all software that runs on the internet as opposed to a piece of hardware that you connect to your devices.
Is that just because this is the self hosting community?
Well partly yes. This is a self hosted community so I asked a self hosted question.
The other part (I.e. why I haven’t asked anywhere about hardware solutions) is because I am not aware of a hardware solution that could do what a software solution can do: that is, store all my passwords, credit card details, OTP codes etc and work with any service that requires a password.
If you know of a hardware solution that does the same then by all means share! I am open to alternative ideas as well.
Password management is the one thing i don’t plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don’t want to also fuck around with account recovery for my entire digital existence.
Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.
That’s largely why I haven’t self hosted either. But problems can be mitigated:
- regular, automated backups to something else (say, KeePass), encrypted with your master pass and backed up off-site
- host your PW manager on a VPS, or have the VPS ready to deploy a snapshot from offsite backup
- change your master pass regularly - limits the kinds of breaches that can impact you
- randomize usernames - makes it easier to detect a breach, because you can see if any of those were exposed without the org being breached
But honestly, my main reason is that I don’t trust my server to stay up 100%, but I do expect Bitwarden to. I also trust their security audits.
I’m self hosting Vaultwarden and my home server got killed by the hurricane, yet I can still access my passwords just fine on the app because it stores them locally encrypted on my phone from the last time it synced. I just can’t update or change anything until I can bring everything back on.
So, host your own shit you cowards, it’ll be fine.
Bitwardens local cache does not include attachments, though. If you rely on them, you have to rely on the server being available.
I just… don’t see the benefit. I host videos so I can access video content even if my internet goes out, and it’s a lot cheaper than paying for streaming. I host my own documents because I don’t want big tech scraping all my data. I host my own budgeting software, again, because of privacy.
I could host Vaultwarden. I just don’t really see the point, especially when my SO and I have a shared collection, and if that broke, my SO would totally blame me, and I don’t think that’s worth whatever marginal benefits there are to self-hosting.
Maybe I’ll eat my words and Bitwarden will get hacked. But until then, stories like yours further confirm to me that not hosting it is better.
- Because I don’t trust companies to hold onto passwords.
- It syncs. I don’t need live access to my home.
Because when whatever company gets a data breach I don’t want my data in the list.
With bitwarden If your server goes down then all your devices still have a local copy of your database you just can’t add new passwords until the server is back up.
Ok, but this doesn’t explain why you would choose to self-host VaultWarden rather than using BitWarden.
Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.
Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.
Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn’t even notice the outages in the BitWarden app/extension.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
LastPass said the exact same thing. I won’t be a big target like they will though.
This was also the most compelling reason for me to consider it.
I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.
I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.
More than any other piece of self-hosted software: backups are important if you’re going to host a password manager.
I have Borg automatically backing up most of the data on my server, but around once every 3 months or so, I take a backup of Vaultwardens data and put it on an external drive.
As long as you can keep up with that, or a similar process; there’s little concern to me about screwing things up. I’m constantly making tweaks and changes to my server setup, but, should I royally fuck up and say, corrupt all my data somehow: I’ve got a separate backup of the absolutely critical stuff and can easily rebuild.
But, even with the server destroyed and all backups lost, as long as you still have a device that’s previously logged into your password manager; you can unlock it and export the passwords to manually recover.
I recommend against hosting a password manager yourself.
The main reason is self hosted systems require maintenance to patch vulnerabilities. While it’s true that you won’t be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).
Using professional hosting means just that, professional hosting with people who’s full time job is running those systems and keeping people that aren’t supposed to be there out.
Plus, you always have the encryption of the binary blob itself to fall back on (which if you’ve got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe… And mixed in with a lot of other data that’s likely higher priority to target.
I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don’t need to worry about Internet access at all.
this is what I do as well, along with file staging so if I corrupt it by accident I don’t lose the entire DB
Currently I have it on my server as grab only, and then normal access on my clients with staging
don’t need to worry about Internet access at all.
For what it’s worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it’ll sync with the server.
This is what recommend as well. The various KeePasses all to pretty good jobs of merging databases, in case of sync conflicts, and you can utterly ignore whether you’re online or not. Plus, there’s a really fantastic tool, written by a veritable genius of a developer, that lets you use a KeePass DB as a secret service on your desktop.
You delicious bastard! Thanks for the rook tip.
This is the answer.
I use syncthing to sync between devices.
I’m on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.
Commitment: I know my server OS isn’t setup as well as it could be for mission critical software/uptime. I’m a hobbiest with limited time to spend on this hobby and I can’t spend 100hrs getting it all right.
Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.
So I don’t trust my own OS to be fully secure and I don’t trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.
I’ve seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.
All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don’t think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.
vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.
Fully agreed.
Accessing Vaultwarden through a VPN gives me peace of mind that it can’t be attacked.
Another great thing about Bitwarden is that it’s possible to export locally cached passwords to (encrypted) json/csv. This makes recovery possible even if all backups were gone.
A VPN? you still need a reverse proxy/domain to use it don’t you?
Yes, Bitwarden browser plugins require TLS, so I use DNS challenge to get a cert without an open port 80/443.
The domain points to a local IP, so I can’t access it without the VPN.
Having everything behind a reverse proxy makes it much easier to know which services are open, and I only need to open port 80/443 on my servers firewall.
You can forward a Wireguard port, exposing it to the internet.
Accessing Vaultwarden through a VPN
Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can’t run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I’m not too worried about unauthorized access.
Vaultwarden is one of the few services I’d actually trust to be secure, so I wouldn’t worry if you update timely to new versions.
I self-host Vaultwarden but I use a VPS where I keep things stable. My VPSes run Debian Stable and have unattended-upgrades installed and configured to automatically install security updates. My home server runs Unraid and is more experimental - I’m not running anything of critical importance on it.
