I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.

  • SK
    link
    fedilink
    332 months ago

    vaultwarden syncs your passwords locally so even if your server is down the passwords remain available on your device. And it is a wonderful password manager, you can share passwords with your family, have TOTPs, passkeys.

    • Chewy
      link
      fedilink
      English
      92 months ago

      Fully agreed.

      Accessing Vaultwarden through a VPN gives me peace of mind that it can’t be attacked.

      Another great thing about Bitwarden is that it’s possible to export locally cached passwords to (encrypted) json/csv. This makes recovery possible even if all backups were gone.

      • kratoz29
        link
        fedilink
        English
        12 months ago

        A VPN? you still need a reverse proxy/domain to use it don’t you?

        • qaz
          link
          fedilink
          English
          42 months ago

          You can forward a Wireguard port, exposing it to the internet.

          • kratoz29
            link
            fedilink
            English
            11 month ago

            Hmm, interesting, how would I start doing this?

            I use a Synology NAS BTW, so it already gives me a Synology subdomain to mess around.

        • Chewy
          link
          fedilink
          English
          42 months ago

          Yes, Bitwarden browser plugins require TLS, so I use DNS challenge to get a cert without an open port 80/443.

          The domain points to a local IP, so I can’t access it without the VPN.

          Having everything behind a reverse proxy makes it much easier to know which services are open, and I only need to open port 80/443 on my servers firewall.

          • kratoz29
            link
            fedilink
            English
            21 month ago

            DNS challenge? It is the 1st time I read about it.

            I suppose in your LAN you need no VPNs then?

      • @dan@upvote.au
        link
        fedilink
        English
        1
        edit-2
        2 months ago

        Accessing Vaultwarden through a VPN

        Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can’t run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I’m not too worried about unauthorized access.

        • Chewy
          link
          fedilink
          English
          22 months ago

          Vaultwarden is one of the few services I’d actually trust to be secure, so I wouldn’t worry if you update timely to new versions.

            • Chewy
              link
              fedilink
              English
              22 months ago

              Because they use the official apps/web-vault, they don’t need to implement most of the vault/encryption features, so at least the actual data should be fine.

              Security audits are expensive, so I don’t expect it to happen, unless some sponsor pays for it.

              They have processes for CVEs and it seems like there wasn’t any major security issues (altough I wouldn’t host a public instance for unknown users).

              • @dan@upvote.au
                link
                fedilink
                English
                22 months ago

                That’s a good point. I didn’t consider the fact that all the encryption is done client-side, so that’s the most important part to audit (which Bitwarden has already done).

        • @k4j8@lemmy.world
          link
          fedilink
          English
          12 months ago

          I have my Vaultwarden public so I can use it at work too, but my firewall blocks all external IPs except my work’s IP.