I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.
You must log in or register to comment.
Because when whatever company gets a data breach I don’t want my data in the list.
With bitwarden If your server goes down then all your devices still have a local copy of your database you just can’t add new passwords until the server is back up.
This was also the most compelling reason for me to consider it.
I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.
More than any other piece of self-hosted software: backups are important if you’re going to host a password manager.
I have Borg automatically backing up most of the data on my server, but around once every 3 months or so, I take a backup of Vaultwardens data and put it on an external drive.
As long as you can keep up with that, or a similar process; there’s little concern to me about screwing things up. I’m constantly making tweaks and changes to my server setup, but, should I royally fuck up and say, corrupt all my data somehow: I’ve got a separate backup of the absolutely critical stuff and can easily rebuild.
But, even with the server destroyed and all backups lost, as long as you still have a device that’s previously logged into your password manager; you can unlock it and export the passwords to manually recover.
I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.
Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.
Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.
Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn’t even notice the outages in the BitWarden app/extension.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
LastPass said the exact same thing. I won’t be a big target like they will though.
LastPass doesn’t have your password, so it can’t be stolen during a breach.
But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.
https://support.1password.com/secret-key-security/
Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.
For that reason, your 1Password account is more likely to compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.
I use KeePassXC and use syncthing to sync the database to each devise I own. This way I always have the newest version if the database everywhere and don’t need to worry about Internet access at all.
This is what recommend as well. The various KeePasses all to pretty good jobs of merging databases, in case of sync conflicts, and you can utterly ignore whether you’re online or not. Plus, there’s a really fantastic tool, written by a veritable genius of a developer, that lets you use a KeePass DB as a secret service on your desktop.
You delicious bastard! Thanks for the rook tip.
But keepassxc already provides a secret service ootb?
KeePassXC can’t be run in headless mode, and the GUI is tightly coupled to the app. You have to have all of X installed, and have a display running, to run it.
Here’s the runtime dependencies of KeePassXC:
linux-vdso.so.1 libQt5Svg.so.5 libqrencode.so.4 libQt5Concurrent.so.5 libpcsclite.so.1 libargon2.so.1 libQt5Network.so.5 libQt5Widgets.so.5 libbotan-3.so.5 libz.so.1 libminizip.so.1 libQt5DBus.so.5 libusb-1.0.so.0 libQt5X11Extras.so.5 libQt5Gui.so.5 libQt5Core.so.5 libX11.so.6 libstdc++.so.6 libm.so.6 libgcc_s.so.1 libc.so.6 /lib64/ld-linux-x86-64.so.2 libgssapi_krb5.so.2 libproxy.so.1 libssl.so.3 libcrypto.so.3 libbz2.so.1.0 liblzma.so.5 libsqlite3.so.0 libdbus-1.so.3 libudev.so.1 libGL.so.1 libpng16.so.16 libharfbuzz.so.0 libmd4c.so.0 libsystemd.so.0 libdouble-conversion.so.3 libicui18n.so.75 libicuuc.so.75 libpcre2-16.so.0 libzstd.so.1 libglib-2.0.so.0 libxcb.so.1 libkrb5.so.3 libk5crypto.so.3 libcom_err.so.2 libkrb5support.so.0 libkeyutils.so.1 libresolv.so.2 libpxbackend-1.0.so libgobject-2.0.so.0 libcap.so.2 libGLdispatch.so.0 libGLX.so.0 libfreetype.so.6 libgraphite2.so.3 libicudata.so.75 libpcre2-8.so.0 libXau.so.6 libXdmcp.so.6 libcurl.so.4 libgio-2.0.so.0 libduktape.so.207 libffi.so.8 libbrotlidec.so.1 libnghttp3.so.9 libnghttp2.so.14 libidn2.so.0 libssh2.so.1 libpsl.so.5 libgmodule-2.0.so.0 libmount.so.1 libbrotlicommon.so.1 libunistring.so.5 libblkid.so.1I don’t know why it links to a systemd library. Here are the runtime dependencies of rook:
linux-vdso.so.1 libresolv.so.2 libc.so.6 /lib64/ld-linux-x86-64.so.2Don’t get me wrong: KeePassXC is one of my favorite programs. But don’t leave it running all the time, and it can’t be run on headless systems.
I see, thanks for explaining. So IIUC, rook is intended for headless systems?
This is the answer.
I use syncthing to sync between devices.
don’t need to worry about Internet access at all.
For what it’s worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it’ll sync with the server.
this is what I do as well, along with file staging so if I corrupt it by accident I don’t lose the entire DB
Currently I have it on my server as grab only, and then normal access on my clients with staging
I don’t, specifically because I don’t trust myself to host that. I know what people will say here, but I trust 1pass way more than I could do it myself.
1pass uses your password plus a secret key to generate your full “password”, meaning you need both to access your vault. The password you memorize, the key you keep safe somewhere (inside the vault is even good, since you probably have it open on another device should you need it). They publish their docs, and show how they encrypt your vaults. To them, your vaults are truly just random bytes they store in blob storage. They don’t store your key, they don’t store your password, they will not help you out if you lock yourself out. That’s the level of security I want for a password vault. If they ever get breached, which hey, it can happen, the most someone will get is a random blob of data, which then I’d go and probably generate a new password and reencrypt everything again anyway.
Vs me hosting myself, I’m sure the code is good - but I don’t trust myself to host that data. There’s too many points of failure. I could set up encryption wrong, I could expose a bad port, if someone gained access to my network I don’t trust that they wouldn’t find some way to access my vaults. It’s just too likely I have a bad config somewhere that would open everything up. Plus then it’s on me to upgrade immediately if there’s a zero day, something I’m more likely to miss.
I know, on the selfhosted community this is heresy, but this is the one thing I don’t self host, I leave it to true security researchers.
deleted by creator
Another great point, if I lose my Linux isos, sucks but I’ll redownload. If I lose my family videos, sucks but I’ll log into my backups and resync. If I lose my credentials I’m fucked. Plain fucked. I can’t decrypt my backups, can’t log into services, it’s done.
Thats why ones password DB should also be saved encrypted one one or two external drives.
Not everyone has a safety deposit box, or the ability to access a proper and secure off-site storage.
And if you’re just keeping those in your house, then fire, flood, and other incidents can destroy all copies at once.
Nah, I’m with you, except I use BitWarden.
There are somethings either worth paying someone else to host, or where you trust a 3rd party more than you’re own setup. I realize other users may feel different, but ultimately it’s a judgement call
BW has been a pretty great opensource company, and it’s worth my $10/yr for premium.
Wow, Bitwarden has made leaps and bounds on catching up to 1password on dev tools and enterprise features the last few years. I’m going to need to re-evaluate/consider moving over.
As a side note, if you work somewhere that uses 1password, you can usually get your personal subscription comped as an individual. Only need to pay for it if you leave your company or they drop 1password.
I dont know that I’ll stay on 1password forever, but on the scale of things I’m most concerned about self-hosting vs using a reasonably private SaaS, 1password is nowhere near the top of my list to ditch. Otherwise, its a solid recommendation for non-self hosters who want to make some progress.
vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.
Fully agreed.
Accessing Vaultwarden through a VPN gives me peace of mind that it can’t be attacked.
Another great thing about Bitwarden is that it’s possible to export locally cached passwords to (encrypted) json/csv. This makes recovery possible even if all backups were gone.
Accessing Vaultwarden through a VPN
Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can’t run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I’m not too worried about unauthorized access.
Vaultwarden is one of the few services I’d actually trust to be secure, so I wouldn’t worry if you update timely to new versions.
I hope it gets security audited one day, like Bitwarden was.
Because they use the official apps/web-vault, they don’t need to implement most of the vault/encryption features, so at least the actual data should be fine.
Security audits are expensive, so I don’t expect it to happen, unless some sponsor pays for it.
They have processes for CVEs and it seems like there wasn’t any major security issues (altough I wouldn’t host a public instance for unknown users).
That’s a good point. I didn’t consider the fact that all the encryption is done client-side, so that’s the most important part to audit (which Bitwarden has already done).
A VPN? you still need a reverse proxy/domain to use it don’t you?
Yes, Bitwarden browser plugins require TLS, so I use DNS challenge to get a cert without an open port 80/443.
The domain points to a local IP, so I can’t access it without the VPN.
Having everything behind a reverse proxy makes it much easier to know which services are open, and I only need to open port 80/443 on my servers firewall.
DNS challenge? It is the 1st time I read about it.
I suppose in your LAN you need no VPNs then?
Yes.
You can forward a Wireguard port, exposing it to the internet.
I self host Bitwarden and it’s free to self host. You only have to pay for a license if you need multiple users or want to use their cloud services, I believe. My instance is 100% self hosted and completely isolated from the internet, and it works fine.
I self host it because I self host everything, but for credential managers I would never trust any 3rd party closed source utility or cloud service. Before I used a password manager I tracked them all manually with a text file and a TrueCrypt volume. I think giving unrelated credentials to 3rd parties is asking for trouble - they definitely don’t care as much about them as you do!
If you’re going to self host any credential manager, make sure you have an appropriate backup strategy, and make sure you have at least one client synced regularly so that you can still access passwords if the server itself dies for some reason.
You only have to pay for a license if you need multiple users or want to use their cloud services, I believe.
AFAIK you can have multiple users for free when self-hosting, and the features are essentially the same as the free hosted version. You need to pay if you want to get the premium features or share passwords across multiple users using an organization. Essentially the pricing is the same as the hosted version.
I’d recommend Vaultwarden for a small-scale self-hosted solution. It’s not Bitwarden, but it’s fully API-compatible so you can use all the Bitwarden clients and browser extensions. Self-hosted Bitwarden is quite a bit heavier than Vaultwarden since it’s designed for large-scale usage (like for an entire company of tens of thousands of people)
Thanks that’s a helpful reply
I’m self-hosting a VaultWarden install, and I’m doing it because uh, well, at this point I’ve basically ended up hosting every service I use online at this point.
Though, for most people, there’s probably no real reason to self-host their own password manager, though please stop using Lastpass because they’ve shown that they’re utterly incompetent repeatedly at this point.
Yeah I will likely move away.
My understanding with lastpass was that they had a breach but only encrypted data was stolen? What did I miss?
It was, IIRC, 3 separate breaches, plus a situation where the default KDF iterations on the vault was set to low as to actually make said encrypted data crackable.
The last I don’t really blame them for necessarily, but rather shows that they weren’t paying any attention to what their platform would actually protect against and what the threat landscape was and thus they never increased it and worse, when they did, they didn’t force older vaults to increase it because it would be mildly inconvenient to users.
Basically, just a poor showing of data stewardship and if there’s ONE thing you want your password manager to be good at, it’s that.
Yeah that tracks, tbh I had set mine higher so wasn’t an issue for me - but their UX, particularly on Android, is appalling.
Just curious, how do you host it? Do you have it containerized or no?
Lots of people like and recommend Bitwarden. I think followed by KeePass on second place.
I self-host stuff because I can, because I learn something while doing it and it gives me control. And I’m running that server anyways, so I might as well install one more service on it. If you don’t want to spend your time managing and maintaining servers and services, go for the official (paid) service. That’ll do, too.
If you’re worried about your internet connection going down, either use a VPS in a datacenter or just use software that syncs to your devices. I think Bitwarden does that, your passwords will be available without an internet connection to your server. They just won’t get synced until the server is reachable again.
Thanks, I did consider the syncing would be fine. But if the reason to do it is just hobbying then I’ll pass, I have too many hobbies at this point and managing what I’m already hosting is giving me enough of a scratch for that itch
I run vaultwarden in a docker container and I can’t say I’ve touched it since then. Its as much maintenance as all the other services I run. Reboot the server quarterly to make sure patches are applied. Docker containers patch nightly.
Sure. I think there are some areas where self-hosting is kinda mandatory because other solutions don’t fulfill my requirements. But I don’t think a password manager is part of that. It stores the passwords encrypted in the cloud anyways, $0-$10 a year isn’t much and I think Bitwarden has a good track record and you’ll be supporting them. Self-hosting is a nice hobby and I think integral part of a free and democratic culture on the internet. But it doesn’t have to be every tiny tool and everyone. Do it if you like, otherwise it’s fine if you support open source projects by paying a fair price if you want convenience and they offer a good hosted service.
Appreciate the input - that’s exactly where my heads at right now. Didn’t expect so many answers - really glad I asked, been very interesting reading different folks views on this.
Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.
Yes. It has been a while since I moved (whenever the first breach was), but I exported from lastpass and imported to Bitwarden with minimal issue, I think I had to add a column.
I still just use :X with vim on a server I can ssh to.
I self host services as much as possible for multiple reasons; learning, staying up to date with so many technologies with hands on experience, and security / peace of mind. Knowing my 3-2-1 backup solution is backing my entire infrastructure helps greatly in feeling less pressured to provide my data to unknown entities no matter how trustworthy, as well as the peace of mind in knowing I have control over every step of the process and how to troubleshoot and fix problems. I’m not an expert and rely heavily on online resources to help get me to a comfortable spot but I also don’t feel helpless when something breaks.
If the choice is to trust an encrypted backup of all my sensitive passwords, passkeys, and recovery information on someone else’s server or have to restore a machine, container, vm, etc. from a backup due to critical failures, I’ll choose the second one because no matter how encrypted something is someone somewhere will be able to break it with time. I don’t care if accelerated and quantum encryption will take millennia to break. Not having that payload out in the wild at all is the only way to prevent it being cracked.
Bitwarden’s free version is enough for my purposes, but I didn’t realize they had a $10/yr plan. That seems worth paying for, I’ll have to look into it.
I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.
If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.
Do you recall the rational for 1password?
I can imagine the enterprise/business options are better than bitwarden but as an individual user I don’t need that and would only have the individual plan. It’s a little over twice the price of BitWarden and while every company I’ve worked at in recent years has had 1password i don’t see it mentioned on here anywhere near as often as BitWarden.
I imagine BitWarden is sufficiently good. The big leap in security comes from having no password manager to a decent password manager.
LastPass does not seem as serious about security so it doesn’t meet my personal bar for decency.
- Because I don’t trust companies to hold onto passwords.
- It syncs. I don’t need live access to my home.
I’m on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.
Commitment: I know my server OS isn’t setup as well as it could be for mission critical software/uptime. I’m a hobbiest with limited time to spend on this hobby and I can’t spend 100hrs getting it all right.
Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.
So I don’t trust my own OS to be fully secure and I don’t trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.
I’ve seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.
All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don’t think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.
I recommend against hosting a password manager yourself.
The main reason is self hosted systems require maintenance to patch vulnerabilities. While it’s true that you won’t be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).
Using professional hosting means just that, professional hosting with people who’s full time job is running those systems and keeping people that aren’t supposed to be there out.
Plus, you always have the encryption of the binary blob itself to fall back on (which if you’ve got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe… And mixed in with a lot of other data that’s likely higher priority to target.
