this post was submitted on 08 Oct 2024
165 points (96.6% liked)

Selfhosted

39640 readers
326 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
165
Why self host a password manager? (programming.dev)
submitted 1 week ago by el_abuelo@programming.dev to c/selfhosted@lemmy.world
158 comments fedilink hide all child comments
 

I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.

top 50 comments
sorted by: hot top controversial new old
[–] sibannac@lemmy.world 21 points 6 days ago

I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it's free and I know enough to troubleshoot any problems.

[–] ColonelThirtyTwo@lemmy.world 16 points 6 days ago* (last edited 6 days ago) (2 children)

I use a KeePassXC database on a syncthing share and haven't had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.

One benefit to hosted password vaults over files is that they can use 2FA - you can't exactly do TOTP with a static file.

(As an aside, I wish more "self hosted" apps were instead "local file and sync friendly" apps instead, exactly because of offline access)

[–] pound_heap@lemm.ee 3 points 5 days ago

You can do 2FA with Keepass, just not TOTP. Add a key file or a hardware key on top of your master password and you pass "something that you have and something that you know" test

[–] milicent_bystandr@lemm.ee 2 points 6 days ago (1 children)

KeepassXC handles TOTP.

[–] ColonelThirtyTwo@lemmy.world 4 points 6 days ago (1 children)

It can generate TOTP codes, but I'm saying that the vault itself can't be secured with TOTP.

[–] milicent_bystandr@lemm.ee 2 points 6 days ago (1 children)

Then the difference is really that someone else is handing the security, right? At the end of the day, there's an encrypted file somewhere, and a TOTP only protects a particular connection by network.

[–] ColonelThirtyTwo@lemmy.world 2 points 6 days ago* (last edited 6 days ago)

Sure, but there's a big difference between a vault copied and synced on all of my mobile devices that I could easily lose versus only on a server behind locked doors.

[–] Darorad@lemmy.world 4 points 5 days ago

If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you'd still have access to all the accounts you're saving in it.

[–] Appoxo@lemmy.dbzer0.com 10 points 6 days ago (1 children)

Regarding benefits for the paid tier (which I use as a sort of donation):

  1. it's literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
  2. What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)

Regarding self-hosting:
I decided against it.

  1. Too much important stuff in there (+400 accounts)
  2. Too much stuff in there I would need to back up and keep safe. Not in the mood.
  3. Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
[–] hubobes@sh.itjust.works 7 points 6 days ago* (last edited 6 days ago)

If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.

[–] HamSwagwich@showeq.com 4 points 6 days ago (2 children)

I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It's not perfect, but it's better than LP and 1Pass.

The reason you'd want to self-host is so that nobody has access to your data but you. "The cloud" is just someone elses computer"

[–] Appoxo@lemmy.dbzer0.com 2 points 6 days ago (1 children)

Bitwarden does external audits with reports and stores in zero knowledge storage.
Loose your master password and you are fucked. They can't restore it even if you pay them a million €

[–] HamSwagwich@showeq.com 2 points 6 days ago (1 children)

That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that's on you, your data is a high priority target in a centralized password store... if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it's kind of a six of one, half dozen of the other.

[–] Appoxo@lemmy.dbzer0.com 1 points 6 days ago

Fair points.
Considering bitwarden is zero knowledge the data in itself is for now 'safe' enough to me.
Though I could be subject to IP/vulnerability scans on my home connection or accidentaly forwarding stuff that puts the security at risk and getting compromised (Seriously...The stuff I could connect and control via VNC I found on shodan was very creepy and frightening).
Nah mate. Plus maintaining the data I already have is enough for me. Bitwarden would be way too much. But maybe in the future once I figure Linux and docker more out :)

[–] nemno@lemmy.world 1 points 6 days ago

Im curious what makes it better than 1pass? Ive used a few of these, and my experience with 1pass was probably the best. Well, except for the price..

[–] BCsven@lemmy.ca 2 points 6 days ago

Firefox has a built in password manager, it is stored on each machine you sync. But to anwer your question any cloud stored data is vulnerable, so be sure your password manager supports other verification measures such as Yubikey as another factor of authentication

[–] april@lemmy.world 121 points 1 week ago (8 children)

Because when whatever company gets a data breach I don't want my data in the list.

With bitwarden If your server goes down then all your devices still have a local copy of your database you just can't add new passwords until the server is back up.

load more comments (8 replies)
[–] jeena@piefed.jeena.net 58 points 1 week ago (10 children)

I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don't need to worry about Internet access at all.

[–] teawrecks@sopuli.xyz 1 points 6 days ago

Agreed with using keepass. If you're one person accessing your passwords, there's no reason you need a service running all the time to access your password db. It's just an encrypted file that needs to be synced across devices.

However, if you make frequent use of secure password sharing features of lastpass/bitwarden/etc, then that's another story. Trying to orchestrate that using separate files would be a headache. Use a service (even if self-hosted).

load more comments (9 replies)
[–] sk@hub.utsukta.org 33 points 1 week ago (13 children)

vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.

load more comments (13 replies)
[–] schizo@forum.uncomfortable.business 27 points 1 week ago (5 children)

I'm self-hosting a VaultWarden install, and I'm doing it because uh, well, at this point I've basically ended up hosting every service I use online at this point.

Though, for most people, there's probably no real reason to self-host their own password manager, though please stop using Lastpass because they've shown that they're utterly incompetent repeatedly at this point.

load more comments (5 replies)
[–] Zorsith@lemmy.blahaj.zone 23 points 1 week ago (4 children)

Password management is the one thing i don't plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don't want to also fuck around with account recovery for my entire digital existence.

Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.

load more comments (4 replies)
load more comments
view more: next ›