Why self host a password manager?
Why self host a password manager?
I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.
I'm self-hosting a VaultWarden install, and I'm doing it because uh, well, at this point I've basically ended up hosting every service I use online at this point.
Though, for most people, there's probably no real reason to self-host their own password manager, though please stop using Lastpass because they've shown that they're utterly incompetent repeatedly at this point.
Password management is the one thing i don't plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don't want to also fuck around with account recovery for my entire digital existence.
Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.
I use KeePassXC its free works on what I use. The encrypted list of passwords is synced with my phone twice a day with Syncthing. Chrome had a fit with the android app to I switched to Firefox after. I selfhost it because it's free and I know enough to troubleshoot any problems.
My approach to this is as follows:
- the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
- Loss of control of this data would be catastrophic, so I took its security very seriously.
- No one company can be trusted with our data, because they all get hacked or make mistakes at some point.
I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.
I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.
If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.
Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.
Cheers.
After trying them all, I’m back at having a local KeePass database that is synced to all my devices via iCloud and SyncThing. There are various apps to work with KeePass databases and e.g. Strongbox on macOS and iOS integrates deeply into Apple’s autofill API so that it feels and behaves natively instead of needing some browser extension. KeePass DX is available for all other platforms, and there are lots of libraries for various programming languages so that you can even script stuff yourself if you want.
And I have the encrypted database in multiple places should one go tits up.
I use a KeePassXC database on a syncthing share and haven't had any issues. You get synchronization and offline access, and even if there are sync conflicts, the app can merge the two files.
One benefit to hosted password vaults over files is that they can use 2FA - you can't exactly do TOTP with a static file.
(As an aside, I wish more "self hosted" apps were instead "local file and sync friendly" apps instead, exactly because of offline access)
I don't, specifically because I don't trust myself to host that. I know what people will say here, but I trust 1pass way more than I could do it myself.
1pass uses your password plus a secret key to generate your full "password", meaning you need both to access your vault. The password you memorize, the key you keep safe somewhere (inside the vault is even good, since you probably have it open on another device should you need it). They publish their docs, and show how they encrypt your vaults. To them, your vaults are truly just random bytes they store in blob storage. They don't store your key, they don't store your password, they will not help you out if you lock yourself out. That's the level of security I want for a password vault. If they ever get breached, which hey, it can happen, the most someone will get is a random blob of data, which then I'd go and probably generate a new password and reencrypt everything again anyway.
Vs me hosting myself, I'm sure the code is good - but I don't trust myself to host that data. There's too many points of failure. I could set up encryption wrong, I could expose a bad port, if someone gained access to my network I don't trust that they wouldn't find some way to access my vaults. It's just too likely I have a bad config somewhere that would open everything up. Plus then it's on me to upgrade immediately if there's a zero day, something I'm more likely to miss.
I know, on the selfhosted community this is heresy, but this is the one thing I don't self host, I leave it to true security researchers.
- Because I don't trust companies to hold onto passwords.
- It syncs. I don't need live access to my home.
I'm on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.
Commitment: I know my server OS isn't setup as well as it could be for mission critical software/uptime. I'm a hobbiest with limited time to spend on this hobby and I can't spend 100hrs getting it all right.
Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.
So I don't trust my own OS to be fully secure and I don't trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.
I've seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.
All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don't think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.
I self-Host Vaultwarden at home, this way I have a convenient password manager for myself and my SO, it's easy to setup and maintain. East to access from the phone, Firefox, etc. Bitwarden app keeps a local cache so even when disconnected from the server I have access to my passwords and it will synchronize at the next connections. I otherwise have a Wireguard VPN setup in case I need to connect to my home server from outside my home.
Before I used KeePass+syncthing but it was to much configuration to convince my SO to use it. Bitwarden/Vaultwarden was more successful in that regard.
Keepass hosted on my Nextcloud server. You can have the database synced to however many devices you want, and each one will always have a local copy of the latest version. You can use whatever sync solution you want though: syncthing, Dropbox, google drive etc. I suggest using diceware to generate a strong master passphrase for the database :)
Regarding benefits for the paid tier (which I use as a sort of donation):
- it's literally on their page: https://bitwarden.com/help/password-manager-plans/#compare-personal-plans
- What I actually use: A bit of the encrypted upload, some 2FA generators for unimportant services (I prefer using another 2FA app with encrypted automated backups. Helps keeping things separate)
Regarding self-hosting:
I decided against it.- Too much important stuff in there (+400 accounts)
- Too much stuff in there I would need to back up and keep safe. Not in the mood.
- Not enough experience with hosting a database. If it would go belly-up I had no one except the internet to ask and figure it out myself. At best some selfhost forum/community.
I don’t understand it tbh. Password managers and email are the main things I avoid self hosting. Email because it’s just too easy to fuck something up and never realize you’re not actually properly sending/receiving email. And password managers because if I lose access to it, I’m kinda royally fucked. And the password managers I use keeps a local copy of your database that gets periodically updated, so even without internet I do still have access.
I use KeepassXC
Using vault warden because I read too much about errors in implementing or design in services like LastPass or (though encrypted) vaults being stolen.
Bit warden client on Android lets you sync (ie LAN) and then use it as a read only database while on the go without a connection.
I recently added tailscale and when I really need a service from home I just flick it on on my phone and I am good
Works like a charm.
I pay Bitwarden the tenner a year as I have no reason to distrust them and they're definitely providing a more reliable, securer service than I can self-host.
I also do an encrypted export once per week and store that export to an encrypted cloud based service and an encrypted USB stick. Takes 2 minutes.
If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.
I selfhost vault warden, and in all honesty, it's just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.
The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it's fully featured and super easy to deploy the server, ridiculously so.
Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I'd suggest to take the second option, for 2 reasons:
1.- it's even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive
I self host Bitwarden and it's free to self host. You only have to pay for a license if you need multiple users or want to use their cloud services, I believe. My instance is 100% self hosted and completely isolated from the internet, and it works fine.
I self host it because I self host everything, but for credential managers I would never trust any 3rd party closed source utility or cloud service. Before I used a password manager I tracked them all manually with a text file and a TrueCrypt volume. I think giving unrelated credentials to 3rd parties is asking for trouble - they definitely don't care as much about them as you do!
If you're going to self host any credential manager, make sure you have an appropriate backup strategy, and make sure you have at least one client synced regularly so that you can still access passwords if the server itself dies for some reason.
Bitwarden's free version is enough for my purposes, but I didn't realize they had a $10/yr plan. That seems worth paying for, I'll have to look into it.
I recommend against hosting a password manager yourself.
The main reason is self hosted systems require maintenance to patch vulnerabilities. While it's true that you won't be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).
Using professional hosting means just that, professional hosting with people who's full time job is running those systems and keeping people that aren't supposed to be there out.
Plus, you always have the encryption of the binary blob itself to fall back on (which if you've got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe... And mixed in with a lot of other data that's likely higher priority to target.
I access my Vaultwarden server via Cloudflared tunnel while I'm away from home network.
If you self host bitwarden/vaultwarden, each client stores an encrypted copy of the database, so even if your server was completely destroyed, you'd still have access to all the accounts you're saving in it.
you become fully in charge of your passwords instead of relying on someone else
TL;DR:
- you do it to gain more independence and self-reliance
I self host services as much as possible for multiple reasons; learning, staying up to date with so many technologies with hands on experience, and security / peace of mind. Knowing my 3-2-1 backup solution is backing my entire infrastructure helps greatly in feeling less pressured to provide my data to unknown entities no matter how trustworthy, as well as the peace of mind in knowing I have control over every step of the process and how to troubleshoot and fix problems. I’m not an expert and rely heavily on online resources to help get me to a comfortable spot but I also don’t feel helpless when something breaks.
If the choice is to trust an encrypted backup of all my sensitive passwords, passkeys, and recovery information on someone else’s server or have to restore a machine, container, vm, etc. from a backup due to critical failures, I’ll choose the second one because no matter how encrypted something is someone somewhere will be able to break it with time. I don’t care if accelerated and quantum encryption will take millennia to break. Not having that payload out in the wild at all is the only way to prevent it being cracked.
Lots of people like and recommend Bitwarden. I think followed by KeePass on second place.
I self-host stuff because I can, because I learn something while doing it and it gives me control. And I'm running that server anyways, so I might as well install one more service on it. If you don't want to spend your time managing and maintaining servers and services, go for the official (paid) service. That'll do, too.
If you're worried about your internet connection going down, either use a VPS in a datacenter or just use software that syncs to your devices. I think Bitwarden does that, your passwords will be available without an internet connection to your server. They just won't get synced until the server is reachable again.
Firefox has a built in password manager, it is stored on each machine you sync. But to anwer your question any cloud stored data is vulnerable, so be sure your password manager supports other verification measures such as Yubikey as another factor of authentication
I self-host Vaultwarden but I use a VPS where I keep things stable. My VPSes run Debian Stable and have unattended-upgrades installed and configured to automatically install security updates. My home server runs Unraid and is more experimental - I'm not running anything of critical importance on it.
Always self-host anything you can (reasonably).
In this case, don't self-host a password vault. Use a locally encrypted password storage app, and keep it in a self-hosted storage solution (which should also be encrypted).
People want to put too much shit online, opens you wide up for attempted hacking (especially if you use what everyone else uses).
I've used cloud based services for password managers for work and "self host" my personal stuff. I barely consider it self hosting since I use Keepass and on every machine it's configured to keep a local cached copy of the database but primarily to pull from the database file on my in-home NAS.
Two issues I've had:
Logging into an account on a device currently not on my home network is brutal. I often resort to simply viewing the needed password and painstakingly type it in (and I run with loooooong passwords)
If I add or change a password on a desktop and don't sync my phone before I leave, I get locked out of accounts. Two years rocking this setup it's happened three times, twice I just said meh I don't really need to do this now, a third time I went through account recovery and set a new password from my phone.
Minor complaint:
Sometimes Keepass2Android gets stuck trying to open the remote database and I have to let it sit and timeout (5 minutes!!!) which gets really annoying but happens very infrequently which is why I say just minor complaint
All in all, I find the inconvenience of doing the personal setup so low that to me even a $10 annual subscription is not worth it
I have bitwarden family SaaS. So I can share password with my group.
I still just use :X with vim on a server I can ssh to.