Not sure I understand why you’d want to self host a password manager. Bitwarden has never been breached AFAIK. How is it better or safer to keep if self hosted?

  • ProbablePenguin@alien.topB
    2 points · 1 year ago

    Bitwarden has never been breached AFAIK

    Password managers are a HUGE target, and while I’m sure they do everything possible to prevent a breach from actually obtaining people’s passwords, vulnerabilities do happen.

    That’s why I think self hosted Bitwarden or KeePass with a file are the way to go.

  • Emiroda@alien.topB
    2 points · 1 year ago

    Regulatory requirements and management decisions.

    Oh, you thought self-hosting was only for hobbyists? 🫠

  • SamSausages@alien.topB
    2 points · 1 year ago

    Can be safer. Can be worse.

    A poorly configured self hosted vaultwarden can be a major security issue.

    A properly configured one is arguably safer than hosting with a 3rd party. LastPass taught me that one.

    If you configure it to where it’s not exposed to the web, and only accessed through a VPN like Tailscale, it can be quite robust.

    • RealmOfTibbles@alien.topB
      1 point · 1 year ago

      I think you may be forgetting that Bitwarden has a self-hosted version, it’s just really not commonly used with this sub’s audience. Mostly as until recently they didn’t have a unified deployment and most people only want one container, so that plus cost means most don’t use it.

      • hdddanbrown@alien.topB
        1 point · 1 year ago

        I did not forget.

        OP is asking about the point of selfhosting either Vaultwarden or Bitwarden, versus using the Bitwarden website (not selfhosted).

  • usrdef@alien.topB
    2 points · 1 year ago

    It’s good if you like self-hosting stuff.

    However, what I tell people is this:

    If you know jack about security and how to lock down a machine that is running Vaultwarden, then it’s useless. You should go with Bitwarden.

    If you’re looking to install it just to play around with, I would be very cautious about what you store there, unless you can lock the system down to where it’s not accessible by the outside internet and localized only to your network.

    And I have redundant backups in place in case one decides to fail, which are all encrypted with GPG and a few other measures.

    If you have it installed and not accessible to anyone else but you, it’s a fun project. I like using VW and BW.

    The other bonus would be no one is going to look to target you specifically unless you’re turned into a target.

    Whereas if BW were to be breached, it wouldn’t have anything to do with you.

    However, BW utilizes encryption, so even if they did somehow manage to get in, they can’t read your passwords.

    • Silencer306@alien.topB
      3 points · 1 year ago

      Alright, what minimal security do you need to lock down your vaultwarden? Wireguard, firewall, fail2ban? I’m trying to learn good security practices for my server

      • kevdogger@alien.topB
        1 point · 1 year ago

        Honestly, just install WireGuard on the client and then use that to remotely access the server when away from the LAN.

  • wryterra@alien.topB
    1 point · 1 year ago

    Personally I stick with Bitwarden because one thing I want to stay around if I nuke (accidentally, or deliberately) my homelab is my password manager!

    • tech2but1@alien.topB
      1 point · 1 year ago

      Whilst I have pretty much everything backed up where I can, the only thing that I have actually got 100% tried-and-tested recoverable is Hyper Backup (as it encrypts my B2 backup), and within that is my Vaultwarden backup. So even if my lab was destroyed tomorrow I could get to my B2 backup, recover the Vaultwarden backup and stand it up on any machine I could get access to.

      I am not very good at the local backup thing, but I do also have an unencrypted backup that is run less regularly that I could easily grab the Vaultwarden files from.

      In addition to that the vault is accessible locally if it can’t communicate with the server anyway.

    • sevlonbhoi1@alien.topB
      1 point · 1 year ago

      Every device you use Bitwarden on has a local copy of all passwords. Even if you nuke your server, you still will have access to your passwords.

      The server is just used to sync changes. If there is no sync needed, you don’t need the server.

    • Vogete@alien.topB
      1 point · 1 year ago

      I agree. I trust Bitwarden more to host it than me. I can have too many things going wrong. With that being said, I do agree with the security implications with centralized Bitwarden, but I’d rather have that risk than to screw myself over due to my own incompetence.

      Someone a while ago mentioned on this sub: The best thing to host yourself is a password manager, and the worst thing to host yourself is a password manager.

      • wryterra@alien.topB
        1 point · 1 year ago

        I’d rather have that risk than to screw myself over due to my own incompetence

        Yup, that’s my reasoning too :D

    • Key-Negotiation-9069@alien.topB
      1 point · 1 year ago

      It’s incredibly easy to backup vaultwarden. I copy my vault to a second hard drive weekly.

      I got lucky and have a close friend that self hosts so we also encrypt and upload some of our backups to each other so that even if my whole lab went down and was unrecoverable I could still rebuild off the backups he stores. Basically we give each other about 1TB (without actual quotas, just based on honesty). So we are both able to store a large amount of backups, and if he wants more on my server he just needs to get me another hard drive, and same the other way around.

      I’ve heard of people who encrypt their backups and upload to Google, but to me this defeats the purpose of self-hosting (and even if it didn’t, I think Google would be the last service I uploaded backups to, but to each their own). If your encryption is strong enough it is a decent option for people who don’t have another self-hoster in their community like me.

  • charmstrong70@alien.topB
    1 point · 1 year ago

    Bitwarden has never been breached AFAIK.

    What you mean is it hasn’t been breached *yet*.

    All commercial password managers have a huge, fuck off, target on their backs.

    Nobody is going to come after some random bloke’s self-hosted password manager to get access to their Sonarr (I’m trivialising to make the point) as long as a similar effort would get them into Bitwarden.

    It’s the same principle as bears in the wood - nobody needs to outrun a bear, just your companion.

    • Trashrascall@alien.topOPB
      1 point · 1 year ago

      OK, thanks for the solid answer. I suppose the core of my question was pretty much that: is it just as secure AND a less likely target than Bitwarden? That makes a lot of sense to me. I would probably still worry about the strength of the code, though. Do we know if/how it’s been audited?

      • charmstrong70@alien.topB
        1 point · 1 year ago

        OK, thanks for the solid answer. I suppose the core of my question was pretty much that: is it just as secure AND a less likely target than Bitwarden? That makes a lot of sense to me. I would probably still worry about the strength of the code, though. Do we know if/how it’s been audited?

        I mean, you’re best having a look at the official Git, but, I’d say, access/visibility is the most important.

        If it’s on your LAN/not open, then even if it was less secure, it’d still be more secure, if you know what I mean.

        I host mine on a VPS but it’s behind traefik with authelia (and 2FA). Plan is to get fail2ban set up over the next couple of evenings. SSH is cert only, probably going to change the port too but not sure if that’s really necessary. I’m comfortable exposing on that basis.
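Silencer306 asks above whether fail2ban belongs in a minimal Vaultwarden lockdown, and charmstrong70 plans to set it up. As an added example (not code from this thread or from the Vaultwarden project), the Python below applies fail2ban's maxretry/findtime rule to constructed Vaultwarden failed-login lines and reports which source IPs a jail would ban. The log line shape and regex are assumptions modelled on the filter the Vaultwarden wiki documents; check them against your own vaultwarden.log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape (based on the fail2ban filter the Vaultwarden wiki
# documents); verify against your own vaultwarden.log before relying on it.
FAILED_LOGIN = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[ERROR\] Username or password is incorrect\. "
    r"Try again\. IP: (?P<ip>[0-9a-fA-F.:]+)\. Username: (?P<user>\S+?)\.?$"
)

def parse_failures(lines):
    """Yield (timestamp, ip, username) for every failed-login line."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["ip"], m["user"]

def ips_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Apply fail2ban's rule: ban an IP once it reaches `maxretry` failures
    inside a sliding `findtime` window. Lines are assumed time-ordered."""
    recent = defaultdict(list)   # ip -> failure timestamps still in the window
    banned = set()
    for ts, ip, _user in parse_failures(lines):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.pop(0)
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

def _fail(ts, ip, user="alice@example.com"):
    """Build a constructed failed-login line in the assumed format."""
    return (f"[{ts}][vaultwarden::api::identity][ERROR] Username or password is "
            f"incorrect. Try again. IP: {ip}. Username: {user}.")

# Constructed sample log: a noise line, a fast brute force from 203.0.113.5, two
# typos from a LAN client, and a slow trickle from 198.51.100.7 (never 5 in 10 min).
SAMPLE_LOG = [
    "[2023-11-10 11:59:00.000][request][INFO] POST /identity/connect/token",
    *[_fail(f"2023-11-10 12:0{i}:00.000", "203.0.113.5") for i in range(5)],
    _fail("2023-11-10 12:10:00.000", "192.168.1.20", "bob@example.com"),
    _fail("2023-11-10 12:11:00.000", "192.168.1.20", "bob@example.com"),
    *[_fail(f"2023-11-10 12:{20 + 8 * i}:00.000", "198.51.100.7") for i in range(5)],
]
```

Running `ips_to_ban(SAMPLE_LOG)` returns only the brute-forcing address; lowering maxretry to 2 would also catch the LAN client's typos, which is the usual reason to pair fail2ban with a VPN-only or LAN-only exposure rather than rely on it alone.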

          • GeminiKoil@alien.topB
            1 point · 1 year ago

            What does a tar pit do? Does it maintain logs of people trying to access or something? Sorry, I’m not very knowledgeable about this.

            • DubDubz@alien.topB
              1 point · 1 year ago

              It responds glacially slowly to login attempts, which means the bot trying to automatically break into random servers it crawls to gets stuck trying to log in. Thus a tarpit.

      • macrowe777@alien.topB
        1 point · 1 year ago

        The code is as good as Bitwarden’s, and even better, everyone can see the code to review its vulnerabilities and fix them.

        What is a major factor is you’re far less likely to be of interest to a hacker. So whilst crunching numbers to crack Bitwarden encryption may make some sense… it makes absolutely zero sense to spend that time to hack mine.

        • Trashrascall@alien.topOPB
          1 point · 1 year ago

          Yeah it sounds pretty appealing. I think I’ll make the switch when my bitwarden sub runs out

        • cryptobots@alien.topB
          1 point · 1 year ago

          Have there been audits of Vaultwarden code? Or comparison with Bitwarden code? Otherwise I am curious on what you base that the code is as good as Bitwarden’s?

  • devcircus@alien.top
    1 point · 1 year ago

    For me, I just enjoy self-hosting things that I can. In addition to Vaultwarden, I have about 30 other services. Some rarely used, but I’ve learned so much about creating, maintaining, updating, and hardening servers; how containers work, VMs, networking, etc.

    If selfhosting isn’t enjoyable for you or you don’t have time for the upkeep, or if you’re satisfied with bitwarden in the cloud, stick with it. They have a great service and it does seem to be a bit safer than some of the other services. Personally, I like the work that ProtonVPN is doing. They have a password manager that is still in the early stages but has a lot of promise.

  • AnyNameFreeGiveIt@alien.topB
    1 point · 1 year ago

    Vaultwarden is a single container that uses like 20 MB of memory; official Bitwarden comes with multiple containers and 2-3 GB of memory last time I used it.

    Also Vaultwarden comes with all premium features, especially 2FA, without having to pay for it.

    You should not be forced to pay for essential security features…

  • zfa@alien.topB
    1 point · 1 year ago

    I don’t self host anything where it would impact me unduly if it went down while I was on holiday to the point where I’d have to break state and fix stuff.

    A password manager falls in that camp so it’s paid-for Bitwarden every night every day every possible way for me.

    Sure, Vaultwarden suits others - generally those who either want control of their data, a smaller target on their back than a public instance user, watching their pennies, etc.

  • Croatwink@alien.topB
    1 point · 1 year ago

    A lot of people prefer to take their security in their own hands. Enough people to make and maintain forks like these.

  • KN4MKB@alien.topB
    1 point · 1 year ago

    The web version is most definitely safer. Most of the people here probably don’t penetration test their servers, conduct security audits or use best practices. Unless you are a cyber security guru on par with a dedicated team, the web version will be much safer for you.

  • Zeal514@alien.topB
    1 point · 1 year ago

    A few reasons.

    1. Privacy: you control your data. It doesn’t go to someone else’s server to sit.

    2. Security. It’s on your server. Password managers are primary targets for hackers. I don’t want to name names, cause I’m not 100% sure of the name, but one pw manager was hacked like 3x in the past year or something. It’s on your server, you are less likely to be targeted for a huge data breach, and you get to manage your data. Not someone else who fucks up.

    3. You can’t be banned, or have the provider suddenly change access to the server, thus losing your data. I will name names here. MyQ garage door opener by Chamberlain suddenly removed the smart home integration, since the whole system ran on their servers. Removing the functionality users paid for. But they don’t own it, so they just got fucked. Your data/service on someone else’s server, is actually their data/service, you are just a visitor.

  • FunnyPocketBook@alien.topB
    1 point · 1 year ago

    I literally just had the exact opposite question! I’ve been wondering why you’d want to pay for a password manager service when you could self host it. The only reason I could think of is guaranteed high uptime, but to me (and at least in my personal use case) that seems a bit pointless, since you can have a copy of your password manager on each device, which is being synced through your server