135
Why self host a password manager? (programming.dev)
submitted 1 day ago by el_abuelo@programming.dev to c/selfhosted@lemmy.world
142 comments fedilink hide all child comments

I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.

top 50 comments
sorted by: hot top controversial new old
[-] ColonelThirtyTwo@lemmy.world 3 points 1 hour ago* (last edited 1 hour ago)

I use a KeePassXC database on a syncthing share and haven't had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.

One benefit to hosted password vaults over files is that they can use 2FA - you can't exactly do TOTP with a static file.

(As an aside, I wish more "self hosted" apps were instead "local file and sync friendly" apps instead, exactly because of offline access)

[-] BCsven@lemmy.ca 1 points 1 hour ago

Firefox has a built in password manager, it is stored on each machine you sync. But to anwer your question any cloud stored data is vulnerable, so be sure your password manager supports other verification measures such as Yubikey as another factor of authentication

[-] hubobes@sh.itjust.works 6 points 5 hours ago* (last edited 5 hours ago)

If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.

[-] Appoxo@lemmy.dbzer0.com 4 points 4 hours ago

Regarding benefits for the paid tier (which I use as a sort of donation):

  1. it's literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
  2. What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)

Regarding self-hosting:
I decided against it.

  1. Too much important stuff in there (+400 accounts)
  2. Too much stuff in there I would need to back up and keep safe. Not in the mood.
  3. Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
[-] HamSwagwich@showeq.com 3 points 4 hours ago

I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It's not perfect, but it's better than LP and 1Pass.

The reason you'd want to self-host is so that nobody has access to your data but you. "The cloud" is just someone elses computer"

[-] nemno@lemmy.world 1 points 3 hours ago

Im curious what makes it better than 1pass? Ive used a few of these, and my experience with 1pass was probably the best. Well, except for the price..

[-] Appoxo@lemmy.dbzer0.com 2 points 4 hours ago

Bitwarden does external audits with reports and stores in zero knowledge storage.
Loose your master password and you are fucked. They can't restore it even if you pay them a million €

[-] HamSwagwich@showeq.com 2 points 3 hours ago

That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that's on you, your data is a high priority target in a centralized password store... if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it's kind of a six of one, half dozen of the other.

[-] Appoxo@lemmy.dbzer0.com 1 points 2 hours ago

Fair points.
Considering bitwarden is zero knowledge the data in itself is for now 'safe' enough to me.
Though I could be subject to IP/vulnerability scans on my home connection or accidentaly forwarding stuff that puts the security at risk and getting compromised (Seriously...The stuff I could connect and control via VNC I found on shodan was very creepy and frightening).
Nah mate. Plus maintaining the data I already have is enough for me. Bitwarden would be way too much. But maybe in the future once I figure Linux and docker more out :)

[-] electric_nan@lemmy.ml 8 points 6 hours ago

Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)

[-] Jomn@jlai.lu 2 points 2 hours ago

Yeah. I use KeepassXC on my computers and KeepassDX on my phone. All synced with syncthing and it works great.

[-] Appoxo@lemmy.dbzer0.com 2 points 4 hours ago

Bitwarden also syncs a local copy to every device it connects to.

[-] Ascrod@midwest.social 2 points 6 hours ago

This is the way. It's also one of the simplest self-hosted setups you can have. Highly recommend it.

[-] jjlinux@lemmy.ml 4 points 6 hours ago

I selfhost vault warden, and in all honesty, it's just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.

The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it's fully featured and super easy to deploy the server, ridiculously so.

Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I'd suggest to take the second option, for 2 reasons:

1.- it's even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive

[-] KairuByte@lemmy.dbzer0.com 6 points 8 hours ago

I don’t understand it tbh. Password managers and email are the main things I avoid self hosting. Email because it’s just too easy to fuck something up and never realize you’re not actually properly sending/receiving email. And password managers because if I lose access to it, I’m kinda royally fucked. And the password managers I use keeps a local copy of your database that gets periodically updated, so even without internet I do still have access.

[-] y0kai@lemmy.dbzer0.com 2 points 7 hours ago

Could one not theoretically self-host a PW manager that also keeps a local copy of the database for times with no internet?

Idk if that doesn't exist yet or what, and there are plenty of other reasons against self-hosting a PW manager but that seems like a logical work-around for that particular problem. Keep your access when the internet is down, and keep your data out of third party control.

[-] KairuByte@lemmy.dbzer0.com 1 points 1 hour ago

Absolutely, in fact I’d be willing to bet vaultwarden does just that. That’s a good point.

[-] yonder@sh.itjust.works 5 points 6 hours ago

Bitwarden does exactly that. It will mostly work with no server connection.

[-] possiblylinux127@lemmy.zip 6 points 8 hours ago

I use KeepassXC

[-] MajorasMaskForever@lemmy.world 2 points 7 hours ago

I've used cloud based services for password managers for work and "self host" my personal stuff. I barely consider it self hosting since I use Keepass and on every machine it's configured to keep a local cached copy of the database but primarily to pull from the database file on my in-home NAS.

Two issues I've had:

Logging into an account on a device currently not on my home network is brutal. I often resort to simply viewing the needed password and painstakingly type it in (and I run with loooooong passwords)

If I add or change a password on a desktop and don't sync my phone before I leave, I get locked out of accounts. Two years rocking this setup it's happened three times, twice I just said meh I don't really need to do this now, a third time I went through account recovery and set a new password from my phone.

Minor complaint:

Sometimes Keepass2Android gets stuck trying to open the remote database and I have to let it sit and timeout (5 minutes!!!) which gets really annoying but happens very infrequently which is why I say just minor complaint

All in all, I find the inconvenience of doing the personal setup so low that to me even a $10 annual subscription is not worth it

[-] lud@lemm.ee 2 points 6 hours ago

Consider shortening your passwords. Random passwords longer than 20 characters is a complete waste of time.

[-] MajorasMaskForever@lemmy.world 1 points 6 hours ago* (last edited 5 hours ago)

To me 16 is long haha.

I usually end up running with 16 characters since a lot of services reject longer than 20 and as a programmer I just like it when things are a power of two. Back in the Dark Times of remembering passwords my longest was 13 characters so when I started using a password manager setting them that long felt wild to me.

I do have my bank accounts under a 64 character password purely because monkey brain like seeing big security rating in keepass. Entropy go brrrrrrrrrrrr

[-] lud@lemm.ee 1 points 4 hours ago

Haha, yeah 16 is actually pretty long.

I guess I'm just used to being forced 16 characters long passwords at long.

[-] el_abuelo@programming.dev 2 points 6 hours ago

Appreciate your perspective thanks for sharing.

[-] speeding_slug@feddit.nl 1 points 6 hours ago

I run a similar setup, but with syncthing as the syncing system. Every time I connect the phone to the charger it just syncs the database and I can even sync it outside the home network. Works like a charm. Worst case you get a sync conflict which is easy to solve.

[-] NonDollarCurrency@monero.town 1 points 6 hours ago

The way I get around the syncing issue is to set my syncthing to sync when my phone is charging so it's very unlikely to not be in sync, or if I change a password on the PC I'll plug my phone into a USB and it syncs straight away.

I also use KeepassDX on Android and never have those issues.

[-] synapse1278@lemmy.world 10 points 11 hours ago

I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it's easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.

Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.

[-] axum@lemmy.blahaj.zone 4 points 9 hours ago

You'll learn pretty quickly that a large chunk of self-hosting people are the types that are just terrified of having things be outside their control, which by extension means they are terrified of other people that aren't them running infrastructure. 🫠

[-] k_rol@lemmy.ca 4 points 7 hours ago

True but also free service and fun to play with.

[-] yonder@sh.itjust.works 1 points 6 hours ago

The learning aspect is the big one for me. If you need a reliable service with no time spent learning or troubleshooting, you're probably better using a paid service.

[-] yonder@sh.itjust.works 1 points 6 hours ago

But also, there are significant potential savings and advantages for data storage at home.

[-] Appoxo@lemmy.dbzer0.com 1 points 4 hours ago

And at 10€ per year I'll gladly pay that. Now if it was 10€ per month and almost bi-yearly increasing, because why not, I'd quickly reconsider taking the risk and responsibility of self-hosting the door to my internet- and reallife existence.
I store everything in there. Banking, health, shopping, etc etc. Not worth it exposing it without knowing how much I expose.
The things I currently expose are relatively low-risk.

load more comments
view more: next ›
this post was submitted on 08 Oct 2024
135 points (95.9% liked)

Selfhosted

39546 readers
511 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz