this post was submitted on 08 Oct 2024
166 points (96.6% liked)

Selfhosted

40359 readers
347 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 123 points 1 month ago (4 children)

Because when whatever company gets a data breach I don't want my data in the list.

With bitwarden If your server goes down then all your devices still have a local copy of your database you just can't add new passwords until the server is back up.

[–] [email protected] 20 points 1 month ago* (last edited 1 month ago)

Pretty much this. Combined with how easy it is to install VaultWarden (docker ftw), it was a no brainer for me.

Also, my little home server is a WAY less juicy target for someone looking to steal and sell a bunch of passwords.

Been running it for probably about 2 years now. No ISP outages but a couple self-inflicted ones. Didn't even notice the outages in the BitWarden app/extension.

[–] [email protected] 7 points 1 month ago (2 children)

This was also the most compelling reason for me to consider it.

I do think that balanced against the time and effort and risk of me fucking up outweighs this benefit. But I can totally see why for some that balance goes the other way.

[–] [email protected] 6 points 1 month ago

I think the main thing for not messing it up is just make sure you keep it updated. Probably set up auto updates and auto backups.

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago)

More than any other piece of self-hosted software: backups are important if you're going to host a password manager.

I have Borg automatically backing up most of the data on my server, but around once every 3 months or so, I take a backup of Vaultwardens data and put it on an external drive.

As long as you can keep up with that, or a similar process; there's little concern to me about screwing things up. I'm constantly making tweaks and changes to my server setup, but, should I royally fuck up and say, corrupt all my data somehow: I've got a separate backup of the absolutely critical stuff and can easily rebuild.

But, even with the server destroyed and all backups lost, as long as you still have a device that's previously logged into your password manager; you can unlock it and export the passwords to manually recover.

[–] [email protected] 3 points 1 month ago (1 children)

1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.

You are more likely to screw up your own backups and hosting security than they are.

[–] [email protected] 14 points 1 month ago* (last edited 1 month ago) (1 children)

LastPass said the exact same thing. I won't be a big target like they will though.

[–] [email protected] 4 points 1 month ago

LastPass doesn’t have your password, so it can’t be stolen during a breach.

But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.

https://support.1password.com/secret-key-security/

Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.

For that reason, your 1Password account is more likely to compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.

[–] [email protected] 1 points 1 month ago

Ok, but this doesn't explain why you would choose to self-host VaultWarden rather than using BitWarden.