I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.
Because when whatever company gets a data breach I don’t want my data in the list.
With bitwarden If your server goes down then all your devices still have a local copy of your database you just can’t add new passwords until the server is back up.
Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.
Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.
Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn’t even notice the outages in the BitWarden app/extension.
This was also the most compelling reason for me to consider it.
I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.
I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.
More than any other piece of self-hosted software: backups are important if you’re going to host a password manager.
I have Borg automatically backing up most of the data on my server, but around once every 3 months or so, I take a backup of Vaultwardens data and put it on an external drive.
As long as you can keep up with that, or a similar process; there’s little concern to me about screwing things up. I’m constantly making tweaks and changes to my server setup, but, should I royally fuck up and say, corrupt all my data somehow: I’ve got a separate backup of the absolutely critical stuff and can easily rebuild.
But, even with the server destroyed and all backups lost, as long as you still have a device that’s previously logged into your password manager; you can unlock it and export the passwords to manually recover.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
LastPass said the exact same thing. I won’t be a big target like they will though.
LastPass doesn’t have your password, so it can’t be stolen during a breach.
But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.
https://support.1password.com/secret-key-security/
Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.
For that reason, your 1Password account is more likely to compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.
My approach to this is as follows:
- the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
- Loss of control of this data would be catastrophic, so I took its security very seriously.
- No one company can be trusted with our data, because they all get hacked or make mistakes at some point.
I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.
I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.
If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.
Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.
Cheers.
Loss of control of this data would be catastrophic, so I took its security very seriously.
Ask yourself: “If my current system is unavailable: How screwed am I?”
If the answer is anything less than “Not screwed at all!”, then it is time for a backup - regardless of what system you’re using or plan to use.
Fair comment, although due to the distributed nature of our implementation we are unlikely to lose services. All Vaults are stored locally on all devices.
Having said that - the copy of the vault on the Mac is backed up with TimeMachine.
[I’ve been a greybeard sysadmin and use 3,2,1 even at home]
A couple of questions
-
How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?
-
Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?
Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.
Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.
The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.
I didn’t really consider the possibility of the client being compromised yet, good point.
Lastpass was hacked and might have lost control of some data https://blog.lastpass.com/posts/2022/12/notice-of-security-incident
1Pass hasn’t been hacked directly, but they were affected by the Okta https://blog.1password.com/okta-incident/
(One of the most common vectors for hacks is through your vendors - see Target https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/)
Dropbox had an unauthorized access, but the seemed on top of it. https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign
Dropbox also has had a more significant data breech, but a while ago. https://www.twingate.com/blog/tips/dropbox-data-breach#
Overview of all password manager breeches! https://bestreviews.net/which-password-managers-have-been-hacked/
How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?
They do support file storage. I’ve been using that for years for storing small files related to certain accounts an such.
Good to know, thanks. I haven’t actually started looking for the Enpass replacement yet, but it sounds like Bitwarden will be a lead contender.
I’ve apparently been missing this button for several years. Thanks!
-
After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.
And I have the encrypted database in multiple places should one go tits up.
Very interesting. How secure is this against having a compromised device? I‘m really paranoid that someone would somehow have a backdoor into my systems and snatch stuff I host on my own
Not the one who wrote the command: The Keepass DB encryption is afaik pretty damn good. So that wouldn’t be an attack vector I would worry about. Also and those are just my five cents and I might probably be ripped in pieces by some it sec people, I wouldn’t fear too much about a backdoor being put into your systems when self hosting. If someone actually does this it’s most probably gonna be some actor related to a government that targets you for whatever reason and at least then most of us wouldn’t stand a chance to keep all of their IT devices save, especially when they could stop you on the streets and get physical access to some devices. On the other hand hosted services with thousands of customers are also a lucrative target for cyber crime and which you as a self hosting individual are most probably not. This reduces the possible threats quite a bit, at least if you keep up some default safety stuff to not just let any wannabe hacker from wherever into your self hosted services that would be happy if they can get a 5 thousands dollars/ euros or whatever from you.
If it’s the system with the (locked) KeePass database on it, you should be fine. The encryption can be tweaked so that unlocking the database takes a second even on modern systems. Doesn’t affect you much, but someone trying to brute-force the password will have a hard time. It also supports keyfiles for even more security.
If somebody infiltrates your end user device, no password tool will be safe once you unlock it.
- Because I don’t trust companies to hold onto passwords.
- It syncs. I don’t need live access to my home.
I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it’s free and I know enough to troubleshoot any problems.
I’m on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.
Commitment: I know my server OS isn’t setup as well as it could be for mission critical software/uptime. I’m a hobbiest with limited time to spend on this hobby and I can’t spend 100hrs getting it all right.
Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.
So I don’t trust my own OS to be fully secure and I don’t trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.
I’ve seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.
All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don’t think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.
I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it’s easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.
Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.
Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)
I do exactly this, and use Keepass2Android on my phone and have nextcloud-KeeWeb installed.
Tangentally related - For anyone looking to take over a project, KeeWeb is looking for a new maintainer!
Bitwarden also syncs a local copy to every device it connects to.
I use a KeePassXC database on a syncthing share and haven’t had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.
One benefit to hosted password vaults over files is that they can use 2FA - you can’t exactly do TOTP with a static file.
(As an aside, I wish more “self hosted” apps were instead “local file and sync friendly” apps instead, exactly because of offline access)
KeepassXC handles TOTP.
It can generate TOTP codes, but I’m saying that the vault itself can’t be secured with TOTP.
Then the difference is really that someone else is handing the security, right? At the end of the day, there’s an encrypted file somewhere, and a TOTP only protects a particular connection by network.
Sure, but there’s a big difference between a vault copied and synced on all of my mobile devices that I could easily lose versus only on a server behind locked doors.
You can do 2FA with Keepass, just not TOTP. Add a key file or a hardware key on top of your master password and you pass “something that you have and something that you know” test
I don’t understand it tbh. Password managers and email are the main things I avoid self hosting. Email because it’s just too easy to fuck something up and never realize you’re not actually properly sending/receiving email. And password managers because if I lose access to it, I’m kinda royally fucked. And the password managers I use keeps a local copy of your database that gets periodically updated, so even without internet I do still have access.
Could one not theoretically self-host a PW manager that also keeps a local copy of the database for times with no internet?
Idk if that doesn’t exist yet or what, and there are plenty of other reasons against self-hosting a PW manager but that seems like a logical work-around for that particular problem. Keep your access when the internet is down, and keep your data out of third party control.
Bitwarden does exactly that. It will mostly work with no server connection.
Absolutely, in fact I’d be willing to bet vaultwarden does just that. That’s a good point.
Yep, it does!
Regarding benefits for the paid tier (which I use as a sort of donation):
- it’s literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
- What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)
Regarding self-hosting:
I decided against it.- Too much important stuff in there (+400 accounts)
- Too much stuff in there I would need to back up and keep safe. Not in the mood.
- Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
I think you misread my post. I know what the benefits of their paid teir are, because literally read their page.
I was asking why people self host. As you don’t self host…I’m not sure why you’re responding, especially not with passive aggressive language like that.
Didnt feel passive aggresive to me.
And regarding the question why people self host:
More or less the usual reasons (e.g. learning, just4fun, experimenting)
And I gave you the reasons why I decided against it.Do with both informations what you need to do. Keeping it in mind or disregard my opinion/choices as not directly answering your question
I use KeepassXC
I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.
If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.
Do you recall the rational for 1password?
I can imagine the enterprise/business options are better than bitwarden but as an individual user I don’t need that and would only have the individual plan. It’s a little over twice the price of BitWarden and while every company I’ve worked at in recent years has had 1password i don’t see it mentioned on here anywhere near as often as BitWarden.
I imagine BitWarden is sufficiently good. The big leap in security comes from having no password manager to a decent password manager.
LastPass does not seem as serious about security so it doesn’t meet my personal bar for decency.
Using vault warden because I read too much about errors in implementing or design in services like LastPass or (though encrypted) vaults being stolen.
Bit warden client on Android lets you sync (ie LAN) and then use it as a read only database while on the go without a connection.
I recently added tailscale and when I really need a service from home I just flick it on on my phone and I am good
Works like a charm.
I recently added tailscale.
How to set up Vaultwarden with tailscale ? Any pointer ?
I’ve been using VW for over a year but I’m double NAT’d so I set it up with CF Tunnel with my domain and while I’m confident in my master ps I would prefer TS.
I was lazy and since I don’t need it very often I didn’t really set up anything besides installing the clients on my devices.
That gives you the possibility to connect to your server via the hostname (definable with tailscale) when you connect your device like Our phone with the TS app. Edit the URL in bit warden and you are done.
I access my Vaultwarden server via Cloudflared tunnel while I’m away from home network.