I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.

  • april@lemmy.world
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    1
    ·
    22 days ago

    Because when whatever company gets a data breach I don’t want my data in the list.

    With bitwarden If your server goes down then all your devices still have a local copy of your database you just can’t add new passwords until the server is back up.

    • slackj_87@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      22 days ago

      Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.

      Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.

      Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn’t even notice the outages in the BitWarden app/extension.

    • el_abuelo@programming.devOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      22 days ago

      This was also the most compelling reason for me to consider it.

      I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.

      • april@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        21 days ago

        I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.

    • markstos@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      21 days ago

      1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.

      You are more likely to screw up your own backups and hosting security than they are.

      • april@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        21 days ago

        LastPass said the exact same thing. I won’t be a big target like they will though.

        • markstos@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          21 days ago

          LastPass doesn’t have your password, so it can’t be stolen during a breach.

          But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.

          https://support.1password.com/secret-key-security/

          Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.

          For that reason, your 1Password account is more likely to compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.

  • mbirth@lemmy.ml
    link
    fedilink
    English
    arrow-up
    6
    ·
    21 days ago

    After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.

    And I have the encrypted database in multiple places should one go tits up.

  • Synapse@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    21 days ago

    I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it’s easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.

    Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.

  • ColonelThirtyTwo@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    21 days ago

    I use a KeePassXC database on a syncthing share and haven’t had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.

    One benefit to hosted password vaults over files is that they can use 2FA - you can’t exactly do TOTP with a static file.

    (As an aside, I wish more “self hosted” apps were instead “local file and sync friendly” apps instead, exactly because of offline access)

  • BioMyth@lemmy.ml
    link
    fedilink
    English
    arrow-up
    5
    ·
    21 days ago

    I’m on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.

    Commitment: I know my server OS isn’t setup as well as it could be for mission critical software/uptime. I’m a hobbiest with limited time to spend on this hobby and I can’t spend 100hrs getting it all right.

    Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.

    So I don’t trust my own OS to be fully secure and I don’t trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.

    I’ve seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.

    All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don’t think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.

  • electric_nan@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    21 days ago

    Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)

  • CarbonatedPastaSauce@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    22 days ago

    I self host Bitwarden and it’s free to self host. You only have to pay for a license if you need multiple users or want to use their cloud services, I believe. My instance is 100% self hosted and completely isolated from the internet, and it works fine.

    I self host it because I self host everything, but for credential managers I would never trust any 3rd party closed source utility or cloud service. Before I used a password manager I tracked them all manually with a text file and a TrueCrypt volume. I think giving unrelated credentials to 3rd parties is asking for trouble - they definitely don’t care as much about them as you do!

    If you’re going to self host any credential manager, make sure you have an appropriate backup strategy, and make sure you have at least one client synced regularly so that you can still access passwords if the server itself dies for some reason.

  • markstos@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    21 days ago

    I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.

    If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.

    • el_abuelo@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      21 days ago

      Do you recall the rational for 1password?

      I can imagine the enterprise/business options are better than bitwarden but as an individual user I don’t need that and would only have the individual plan. It’s a little over twice the price of BitWarden and while every company I’ve worked at in recent years has had 1password i don’t see it mentioned on here anywhere near as often as BitWarden.

      • markstos@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        21 days ago

        I imagine BitWarden is sufficiently good. The big leap in security comes from having no password manager to a decent password manager.

        LastPass does not seem as serious about security so it doesn’t meet my personal bar for decency.

  • sibannac@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    20 days ago

    I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it’s free and I know enough to troubleshoot any problems.

  • Karna@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    21 days ago

    I access my Vaultwarden server via Cloudflared tunnel while I’m away from home network.

  • Darorad@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    20 days ago

    If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you’d still have access to all the accounts you’re saving in it.

  • youmaynotknow@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    21 days ago

    I selfhost vault warden, and in all honesty, it’s just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.

    The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it’s fully featured and super easy to deploy the server, ridiculously so.

    Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I’d suggest to take the second option, for 2 reasons:

    1.- it’s even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive

  • WMTYRO@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    21 days ago

    Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.

  • MajorasMaskForever@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    21 days ago

    I’ve used cloud based services for password managers for work and “self host” my personal stuff. I barely consider it self hosting since I use Keepass and on every machine it’s configured to keep a local cached copy of the database but primarily to pull from the database file on my in-home NAS.

    Two issues I’ve had:

    Logging into an account on a device currently not on my home network is brutal. I often resort to simply viewing the needed password and painstakingly type it in (and I run with loooooong passwords)

    If I add or change a password on a desktop and don’t sync my phone before I leave, I get locked out of accounts. Two years rocking this setup it’s happened three times, twice I just said meh I don’t really need to do this now, a third time I went through account recovery and set a new password from my phone.

    Minor complaint:

    Sometimes Keepass2Android gets stuck trying to open the remote database and I have to let it sit and timeout (5 minutes!!!) which gets really annoying but happens very infrequently which is why I say just minor complaint

    All in all, I find the inconvenience of doing the personal setup so low that to me even a $10 annual subscription is not worth it