I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.

  • april@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    Because when whatever company gets a data breach I don’t want my data in the list.

    With bitwarden If your server goes down then all your devices still have a local copy of your database you just can’t add new passwords until the server is back up.

    • slackj_87@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.

      Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.

      Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn’t even notice the outages in the BitWarden app/extension.

    • markstos@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.

      You are more likely to screw up your own backups and hosting security than they are.

      • april@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 months ago

        LastPass said the exact same thing. I won’t be a big target like they will though.

  • HamSwagwich
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It’s not perfect, but it’s better than LP and 1Pass.

    The reason you’d want to self-host is so that nobody has access to your data but you. “The cloud” is just someone elses computer"

    • Appoxo@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Bitwarden does external audits with reports and stores in zero knowledge storage.
      Loose your master password and you are fucked. They can’t restore it even if you pay them a million €

      • HamSwagwich
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that’s on you, your data is a high priority target in a centralized password store… if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it’s kind of a six of one, half dozen of the other.

        • Appoxo@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Fair points.
          Considering bitwarden is zero knowledge the data in itself is for now ‘safe’ enough to me.
          Though I could be subject to IP/vulnerability scans on my home connection or accidentaly forwarding stuff that puts the security at risk and getting compromised (Seriously…The stuff I could connect and control via VNC I found on shodan was very creepy and frightening).
          Nah mate. Plus maintaining the data I already have is enough for me. Bitwarden would be way too much. But maybe in the future once I figure Linux and docker more out :)

  • Jeena@piefed.jeena.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don’t need to worry about Internet access at all.

  • Darorad@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you’d still have access to all the accounts you’re saving in it.

  • SK@hub.utsukta.org
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.

    • Chewy@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Fully agreed.

      Accessing Vaultwarden through a VPN gives me peace of mind that it can’t be attacked.

      Another great thing about Bitwarden is that it’s possible to export locally cached passwords to (encrypted) json/csv. This makes recovery possible even if all backups were gone.

        • Chewy@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Yes, Bitwarden browser plugins require TLS, so I use DNS challenge to get a cert without an open port 80/443.

          The domain points to a local IP, so I can’t access it without the VPN.

          Having everything behind a reverse proxy makes it much easier to know which services are open, and I only need to open port 80/443 on my servers firewall.

  • Dark Arc@social.packetloss.gg
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    I recommend against hosting a password manager yourself.

    The main reason is self hosted systems require maintenance to patch vulnerabilities. While it’s true that you won’t be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).

    Using professional hosting means just that, professional hosting with people who’s full time job is running those systems and keeping people that aren’t supposed to be there out.

    Plus, you always have the encryption of the binary blob itself to fall back on (which if you’ve got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe… And mixed in with a lot of other data that’s likely higher priority to target.

    • 52fighters@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      There’s self-hosting that’s low risk but does remove some convenience. For example, I use a offline password manager. I keep a Veracrypt container on my computer that hosts that and a few other important files. When I make enough updates, I’ll throw a copy into Dropbox so I can save access it elsewhere. The disadvantage is that I cannot update the primary version from one of those other devices but, for me, that’s not really an issue.

  • rhabarba@feddit.org
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    2 months ago

    My questions are to those of you who self-host, firstly: why?

    Would you give me your password database? I promise to encrypt it!

      • rhabarba@feddit.org
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        edit-2
        2 months ago

        A cloud password manager is a database with your passwords hosted on a stranger’s computer. Why wouldn’t I be just as trustworthy as any other stranger on the internet?

          • rhabarba@feddit.org
            link
            fedilink
            English
            arrow-up
            0
            arrow-down
            1
            ·
            2 months ago

            There is no difference other than a shiny logo and a “contract” that promises you that the random stranger will take care. I promise that I will take care too.

            If you still think there is a relevant difference, please tell me. To me, it looks like you don’t fully understand what a password manager stored on other people’s computers does.