I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.

  • april@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    ·
    1 month ago

    Because when whatever company gets a data breach I don’t want my data in the list.

    With bitwarden If your server goes down then all your devices still have a local copy of your database you just can’t add new passwords until the server is back up.

    • slackj_87@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      1 month ago

      Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.

      Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.

      Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn’t even notice the outages in the BitWarden app/extension.

    • el_abuelo@programming.devOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      This was also the most compelling reason for me to consider it.

      I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.

      • april@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.

      • Darkassassin07@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 month ago

        More than any other piece of self-hosted software: backups are important if you’re going to host a password manager.

        I have Borg automatically backing up most of the data on my server, but around once every 3 months or so, I take a backup of Vaultwardens data and put it on an external drive.

        As long as you can keep up with that, or a similar process; there’s little concern to me about screwing things up. I’m constantly making tweaks and changes to my server setup, but, should I royally fuck up and say, corrupt all my data somehow: I’ve got a separate backup of the absolutely critical stuff and can easily rebuild.

        But, even with the server destroyed and all backups lost, as long as you still have a device that’s previously logged into your password manager; you can unlock it and export the passwords to manually recover.

    • markstos@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 month ago

      1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.

      You are more likely to screw up your own backups and hosting security than they are.

      • april@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 month ago

        LastPass said the exact same thing. I won’t be a big target like they will though.

        • markstos@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          LastPass doesn’t have your password, so it can’t be stolen during a breach.

          But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.

          https://support.1password.com/secret-key-security/

          Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.

          For that reason, your 1Password account is more likely to compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.

  • sibannac@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    ·
    1 month ago

    I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it’s free and I know enough to troubleshoot any problems.

  • ColonelThirtyTwo@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    1 month ago

    I use a KeePassXC database on a syncthing share and haven’t had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.

    One benefit to hosted password vaults over files is that they can use 2FA - you can’t exactly do TOTP with a static file.

    (As an aside, I wish more “self hosted” apps were instead “local file and sync friendly” apps instead, exactly because of offline access)

    • pound_heap@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 month ago

      You can do 2FA with Keepass, just not TOTP. Add a key file or a hardware key on top of your master password and you pass “something that you have and something that you know” test

        • milicent_bystandr@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 month ago

          Then the difference is really that someone else is handing the security, right? At the end of the day, there’s an encrypted file somewhere, and a TOTP only protects a particular connection by network.

          • ColonelThirtyTwo@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 month ago

            Sure, but there’s a big difference between a vault copied and synced on all of my mobile devices that I could easily lose versus only on a server behind locked doors.

  • Appoxo@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    1
    ·
    1 month ago

    Regarding benefits for the paid tier (which I use as a sort of donation):

    1. it’s literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
    2. What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)

    Regarding self-hosting:
    I decided against it.

    1. Too much important stuff in there (+400 accounts)
    2. Too much stuff in there I would need to back up and keep safe. Not in the mood.
    3. Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
    • el_abuelo@programming.devOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      14
      ·
      1 month ago

      I think you misread my post. I know what the benefits of their paid teir are, because literally read their page.

      I was asking why people self host. As you don’t self host…I’m not sure why you’re responding, especially not with passive aggressive language like that.

      • Appoxo@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        1 month ago

        Didnt feel passive aggresive to me.
        And regarding the question why people self host:
        More or less the usual reasons (e.g. learning, just4fun, experimenting)
        And I gave you the reasons why I decided against it.

        Do with both informations what you need to do. Keeping it in mind or disregard my opinion/choices as not directly answering your question

  • electric_nan@lemmy.ml
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    1 month ago

    Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)

  • KairuByte@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 month ago

    I don’t understand it tbh. Password managers and email are the main things I avoid self hosting. Email because it’s just too easy to fuck something up and never realize you’re not actually properly sending/receiving email. And password managers because if I lose access to it, I’m kinda royally fucked. And the password managers I use keeps a local copy of your database that gets periodically updated, so even without internet I do still have access.

    • y0kai@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      Could one not theoretically self-host a PW manager that also keeps a local copy of the database for times with no internet?

      Idk if that doesn’t exist yet or what, and there are plenty of other reasons against self-hosting a PW manager but that seems like a logical work-around for that particular problem. Keep your access when the internet is down, and keep your data out of third party control.

  • Jeena@piefed.jeena.net
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 month ago

    I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don’t need to worry about Internet access at all.

        • KeePassXC can’t be run in headless mode, and the GUI is tightly coupled to the app. You have to have all of X installed, and have a display running, to run it.

          Here’s the runtime dependencies of KeePassXC:

          linux-vdso.so.1
          libQt5Svg.so.5
          libqrencode.so.4
          libQt5Concurrent.so.5
          libpcsclite.so.1
          libargon2.so.1
          libQt5Network.so.5
          libQt5Widgets.so.5
          libbotan-3.so.5
          libz.so.1
          libminizip.so.1
          libQt5DBus.so.5
          libusb-1.0.so.0
          libQt5X11Extras.so.5
          libQt5Gui.so.5
          libQt5Core.so.5
          libX11.so.6
          libstdc++.so.6
          libm.so.6
          libgcc_s.so.1
          libc.so.6
          /lib64/ld-linux-x86-64.so.2
          libgssapi_krb5.so.2
          libproxy.so.1
          libssl.so.3
          libcrypto.so.3
          libbz2.so.1.0
          liblzma.so.5
          libsqlite3.so.0
          libdbus-1.so.3
          libudev.so.1
          libGL.so.1
          libpng16.so.16
          libharfbuzz.so.0
          libmd4c.so.0
          libsystemd.so.0
          libdouble-conversion.so.3
          libicui18n.so.75
          libicuuc.so.75
          libpcre2-16.so.0
          libzstd.so.1
          libglib-2.0.so.0
          libxcb.so.1
          libkrb5.so.3
          libk5crypto.so.3
          libcom_err.so.2
          libkrb5support.so.0
          libkeyutils.so.1
          libresolv.so.2
          libpxbackend-1.0.so
          libgobject-2.0.so.0
          libcap.so.2
          libGLdispatch.so.0
          libGLX.so.0
          libfreetype.so.6
          libgraphite2.so.3
          libicudata.so.75
          libpcre2-8.so.0
          libXau.so.6
          libXdmcp.so.6
          libcurl.so.4
          libgio-2.0.so.0
          libduktape.so.207
          libffi.so.8
          libbrotlidec.so.1
          libnghttp3.so.9
          libnghttp2.so.14
          libidn2.so.0
          libssh2.so.1
          libpsl.so.5
          libgmodule-2.0.so.0
          libmount.so.1
          libbrotlicommon.so.1
          libunistring.so.5
          libblkid.so.1
          

          I don’t know why it links to a systemd library. Here are the runtime dependencies of rook:

          linux-vdso.so.1
          libresolv.so.2
          libc.so.6
          /lib64/ld-linux-x86-64.so.2
          

          Don’t get me wrong: KeePassXC is one of my favorite programs. But don’t leave it running all the time, and it can’t be run on headless systems.

            • I use it for everything, but then, I wrote it. All of the desktop secret service tools have desktop dependencies (Gnome’s uses Gnome libraries, KDE’s pulls some KDE libraries) and run through DBUS; since I don’t use a DE, it’s a fair bit of unnecessary bloat. And I don’t like GUI apps that just hang around in the background consuming resources. I open KeePassXC when I need to make changes to the DB, and then I shut it down. Otherwise, it hangs out in my task bar, distracting me.

              Rook is for people who want to run on headless systems, or want to minimize resources usage, or don’t use a desktop environment (such as Gnome or KDE), or don’t run DBUS, or don’t run systemd. It’s for people who don’t want a bunch of applications running in the background in their task bar. KeePassXC providing a secret service is great, but it’s overkill if that’s most of what it’s providing for you, most of the time.

              I don’t think took is for everyone, or even for most people. It’s for people who like to live mostly in the command line, or even in VTs.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 month ago

      don’t need to worry about Internet access at all.

      For what it’s worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it’ll sync with the server.

    • Pika@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 month ago

      this is what I do as well, along with file staging so if I corrupt it by accident I don’t lose the entire DB

      Currently I have it on my server as grab only, and then normal access on my clients with staging

  • hubobes@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 month ago

    If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.

  • schizo@forum.uncomfortable.business
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 month ago

    I’m self-hosting a VaultWarden install, and I’m doing it because uh, well, at this point I’ve basically ended up hosting every service I use online at this point.

    Though, for most people, there’s probably no real reason to self-host their own password manager, though please stop using Lastpass because they’ve shown that they’re utterly incompetent repeatedly at this point.

    • el_abuelo@programming.devOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 month ago

      Yeah I will likely move away.

      My understanding with lastpass was that they had a breach but only encrypted data was stolen? What did I miss?

      • schizo@forum.uncomfortable.business
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        It was, IIRC, 3 separate breaches, plus a situation where the default KDF iterations on the vault was set to low as to actually make said encrypted data crackable.

        The last I don’t really blame them for necessarily, but rather shows that they weren’t paying any attention to what their platform would actually protect against and what the threat landscape was and thus they never increased it and worse, when they did, they didn’t force older vaults to increase it because it would be mildly inconvenient to users.

        Basically, just a poor showing of data stewardship and if there’s ONE thing you want your password manager to be good at, it’s that.

        • el_abuelo@programming.devOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          Yeah that tracks, tbh I had set mine higher so wasn’t an issue for me - but their UX, particularly on Android, is appalling.

  • Saiwal@hub.utsukta.org
    link
    fedilink
    arrow-up
    5
    ·
    1 month ago

    vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.

    • Chewy@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Fully agreed.

      Accessing Vaultwarden through a VPN gives me peace of mind that it can’t be attacked.

      Another great thing about Bitwarden is that it’s possible to export locally cached passwords to (encrypted) json/csv. This makes recovery possible even if all backups were gone.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 month ago

        Accessing Vaultwarden through a VPN

        Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can’t run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I’m not too worried about unauthorized access.

        • Chewy@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 month ago

          Vaultwarden is one of the few services I’d actually trust to be secure, so I wouldn’t worry if you update timely to new versions.

          • dan@upvote.au
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 month ago

            I hope it gets security audited one day, like Bitwarden was.

            • Chewy@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 month ago

              Because they use the official apps/web-vault, they don’t need to implement most of the vault/encryption features, so at least the actual data should be fine.

              Security audits are expensive, so I don’t expect it to happen, unless some sponsor pays for it.

              They have processes for CVEs and it seems like there wasn’t any major security issues (altough I wouldn’t host a public instance for unknown users).

              • dan@upvote.au
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 month ago

                That’s a good point. I didn’t consider the fact that all the encryption is done client-side, so that’s the most important part to audit (which Bitwarden has already done).

        • Chewy@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 month ago

          Yes, Bitwarden browser plugins require TLS, so I use DNS challenge to get a cert without an open port 80/443.

          The domain points to a local IP, so I can’t access it without the VPN.

          Having everything behind a reverse proxy makes it much easier to know which services are open, and I only need to open port 80/443 on my servers firewall.

          • kratoz29@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 month ago

            Hmm, interesting, how would I start doing this?

            I use a Synology NAS BTW, so it already gives me a Synology subdomain to mess around.

  • mbirth@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 month ago

    After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.

    And I have the encrypted database in multiple places should one go tits up.

    • shaserlark@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Very interesting. How secure is this against having a compromised device? I‘m really paranoid that someone would somehow have a backdoor into my systems and snatch stuff I host on my own

      • ture@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        Not the one who wrote the command: The Keepass DB encryption is afaik pretty damn good. So that wouldn’t be an attack vector I would worry about. Also and those are just my five cents and I might probably be ripped in pieces by some it sec people, I wouldn’t fear too much about a backdoor being put into your systems when self hosting. If someone actually does this it’s most probably gonna be some actor related to a government that targets you for whatever reason and at least then most of us wouldn’t stand a chance to keep all of their IT devices save, especially when they could stop you on the streets and get physical access to some devices. On the other hand hosted services with thousands of customers are also a lucrative target for cyber crime and which you as a self hosting individual are most probably not. This reduces the possible threats quite a bit, at least if you keep up some default safety stuff to not just let any wannabe hacker from wherever into your self hosted services that would be happy if they can get a 5 thousands dollars/ euros or whatever from you.

      • mbirth@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        If it’s the system with the (locked) KeePass database on it, you should be fine. The encryption can be tweaked so that unlocking the database takes a second even on modern systems. Doesn’t affect you much, but someone trying to brute-force the password will have a hard time. It also supports keyfiles for even more security.

        If somebody infiltrates your end user device, no password tool will be safe once you unlock it.

  • Darorad@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 month ago

    If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you’d still have access to all the accounts you’re saving in it.

  • HamSwagwich@showeq.com
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 month ago

    I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It’s not perfect, but it’s better than LP and 1Pass.

    The reason you’d want to self-host is so that nobody has access to your data but you. “The cloud” is just someone elses computer"

    • Appoxo@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      Bitwarden does external audits with reports and stores in zero knowledge storage.
      Loose your master password and you are fucked. They can’t restore it even if you pay them a million €

      • HamSwagwich@showeq.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that’s on you, your data is a high priority target in a centralized password store… if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it’s kind of a six of one, half dozen of the other.

        • Appoxo@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          Fair points.
          Considering bitwarden is zero knowledge the data in itself is for now ‘safe’ enough to me.
          Though I could be subject to IP/vulnerability scans on my home connection or accidentaly forwarding stuff that puts the security at risk and getting compromised (Seriously…The stuff I could connect and control via VNC I found on shodan was very creepy and frightening).
          Nah mate. Plus maintaining the data I already have is enough for me. Bitwarden would be way too much. But maybe in the future once I figure Linux and docker more out :)

    • nemno@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Im curious what makes it better than 1pass? Ive used a few of these, and my experience with 1pass was probably the best. Well, except for the price…

  • Zorsith@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 month ago

    Password management is the one thing i don’t plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don’t want to also fuck around with account recovery for my entire digital existence.

    Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 month ago

      That’s largely why I haven’t self hosted either. But problems can be mitigated:

      • regular, automated backups to something else (say, KeePass), encrypted with your master pass and backed up off-site
      • host your PW manager on a VPS, or have the VPS ready to deploy a snapshot from offsite backup
      • change your master pass regularly - limits the kinds of breaches that can impact you
      • randomize usernames - makes it easier to detect a breach, because you can see if any of those were exposed without the org being breached

      But honestly, my main reason is that I don’t trust my server to stay up 100%, but I do expect Bitwarden to. I also trust their security audits.

      • BaroqueInMind@lemmy.one
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        I’m self hosting Vaultwarden and my home server got killed by the hurricane, yet I can still access my passwords just fine on the app because it stores them locally encrypted on my phone from the last time it synced. I just can’t update or change anything until I can bring everything back on.

        So, host your own shit you cowards, it’ll be fine.

        • aksdb@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          Bitwardens local cache does not include attachments, though. If you rely on them, you have to rely on the server being available.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          I just… don’t see the benefit. I host videos so I can access video content even if my internet goes out, and it’s a lot cheaper than paying for streaming. I host my own documents because I don’t want big tech scraping all my data. I host my own budgeting software, again, because of privacy.

          I could host Vaultwarden. I just don’t really see the point, especially when my SO and I have a shared collection, and if that broke, my SO would totally blame me, and I don’t think that’s worth whatever marginal benefits there are to self-hosting.

          Maybe I’ll eat my words and Bitwarden will get hacked. But until then, stories like yours further confirm to me that not hosting it is better.