It never made sense to me to put password managers in the cloud. Regardless of what you intend it to do, you’re making it accessible to a wider audience than necessary. And yet, I’m using iCloud. It’s time for a change.

I’m thinking of just running a locally hosted password manager on my home server and letting my devices sync with it somehow when I’m at home. I have a VPN into my home network when I’m away that automatically triggers when I leave the house, so even that’s not that big an issue, but I’m really not familiar with what’s gonna cleanly integrate with all my stuff and be easy to use. All I know is I wanna kill the cloud functionality of my setup.

I already have a Jellyfin server so I figured I would just throw this onto that. Any suggestions?

      • kebab@endlesstalk.org · 2 points · 15 days ago

        What’s the issue with exposing this one to the internet? Even if the database gets leaked somehow, your passwords are still protected by a hopefully strong master password + strong encryption.

        • dis_honestfamiliar@lemmy.sdf.org · 1 point · 14 days ago

          I guess it’s due to unnecessary risk and laziness of not wanting to get a domain for TLS. Mostly the unnecessary risk, like why expose it when I don’t have to.

          • kebab@endlesstalk.org · 1 point · 14 days ago

            Because it lets you sync your passwords anytime, without having to connect to the VPN first, which saves time. And the risk of data leak is not really there since the passwords are encrypted by a strong master password anyways. With Vaultwarden, you can host your database even publicly and share it on Lemmy and nothing would happen, provided you use a strong master password, which you definitely should.

  • dr-robot@fedia.io · 2 points · 17 days ago

    Why not use KeePassXC? It’s a completely local encrypted DB, but it integrates with cloud storage apps like Nextcloud for sync. It has plugins for integration with Firefox, and KeepassAndroid is pretty smooth on the current Android OS.

    • glitching@lemmy.ml · 2 points · edited · 17 days ago

      this one, OP. no need to introduce the horror that’s a:

      • hosted app (why?!)
      • client app is electron crapware
      • the client app doesn’t even have full functionality, you have to use the web UI for some tasks

      edit: I’m obviously speaking about the Bitwarden/Vaultwarden horror. KeePassXC is none of those things.

      • null_dot@lemmy.dbzer0.com · 1 point · 17 days ago

        KeePassXC is the only thing that makes sense to me.

        I don’t want all my passwords stored with some huge target like lastpass or bitwarden.

        Encrypted local (and synced) DB is the only way.

    • unexposedhazard@discuss.tchncs.de · 1 point · 17 days ago

      Yup this is the way. The resulting .kdbx database file is encrypted so you can even synchronize it over an untrusted provider. Otherwise you can use something like syncthing to keep it strictly peer to peer.
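The comment above rests on the .kdbx file's outer encryption and key-derivation settings being strong enough to survive exposure to an untrusted sync provider. The script below is an added example, not code from this thread or from the KeePass/KeePassXC projects: it reads the plaintext KDBX header (nothing is decrypted, so no master key is needed) and reports the cipher and KDF work factors, then compares them against a local policy. The sample headers are constructed in the script, and the POLICY thresholds are this example's own assumptions rather than KeePass defaults.

```python
"""Added example, not code from this thread or from the KeePass projects:
read the plaintext header of a .kdbx file (nothing is decrypted) to confirm
which cipher and key-derivation settings protect it before the file is
synced through an untrusted provider. The sample headers at the bottom are
constructed here; POLICY is an assumed local threshold, not a KeePass default."""
import struct
import uuid

KDBX_SIG = (0x9AA2D903, 0xB54BFB67)  # KDBX file signature (sig1, sig2)
ARGON2D = "ef636ddf-8c29-444b-91f7-a9a403e30a0c"
AES_CBC = "31c1f2e6-bf71-4350-be58-05216afc5aff"
KDF_NAMES = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF", ARGON2D: "Argon2d",
             "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}
CIPHER_NAMES = {AES_CBC: "AES-256-CBC", "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20",
                "ad68f29f-576f-4bb9-a36a-d47af965346c": "Twofish"}
# VariantDictionary value type byte -> decoder for the raw value bytes
_DECODERS = {0x04: lambda b: struct.unpack("<I", b)[0], 0x05: lambda b: struct.unpack("<Q", b)[0],
             0x08: lambda b: b[0] != 0, 0x0C: lambda b: struct.unpack("<i", b)[0],
             0x0D: lambda b: struct.unpack("<q", b)[0], 0x18: lambda b: b.decode(), 0x42: bytes}
# Assumed minimum work factors before a vault is allowed onto untrusted storage.
POLICY = {"argon2_memory_mib": 64, "argon2_iterations": 3, "aes_rounds": 60_000_000}


def _variant_dict(buf):
    """Parse a KDBX4 VariantDictionary: u16 version, (type, i32 klen, key, i32 vlen, value)*, 0x00."""
    if struct.unpack_from("<H", buf, 0)[0] & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:  # a type byte of 0x00 terminates the dictionary
        vtype, (klen,) = buf[pos], struct.unpack_from("<i", buf, pos + 1)
        key = buf[pos + 5:pos + 5 + klen].decode()
        (vlen,) = struct.unpack_from("<i", buf, pos + 5 + klen)
        raw = buf[pos + 9 + klen:pos + 9 + klen + vlen]
        out[key] = _DECODERS[vtype](raw)
        pos += 9 + klen + vlen
    return out


def parse_header(data):
    """Return cipher/KDF details from a KDBX 3.x or 4.x outer header (no decryption)."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != KDBX_SIG:
        raise ValueError("not a KDBX file")
    len_fmt, len_size = ("<I", 4) if major >= 4 else ("<H", 2)  # KDBX4 widened field lengths to u32
    pos, fields = 12, {}
    while True:
        fid, (flen,) = data[pos], struct.unpack_from(len_fmt, data, pos + 1)
        value = data[pos + 1 + len_size:pos + 1 + len_size + flen]
        pos += 1 + len_size + flen
        if fid == 0:  # EndOfHeader
            break
        fields[fid] = value
    info = {"version": f"{major}.{minor}",
            "cipher": CIPHER_NAMES.get(str(uuid.UUID(bytes=fields[2])), "unknown")}  # field 2 = CipherID
    if major >= 4:
        kdf = _variant_dict(fields[11])  # field 11 = KdfParameters
        info["kdf"] = KDF_NAMES.get(str(uuid.UUID(bytes=kdf["$UUID"])), "unknown")
        if info["kdf"].startswith("Argon2"):
            info.update(memory_mib=kdf["M"] // 2**20, iterations=kdf["I"], parallelism=kdf["P"])
        else:
            info["rounds"] = kdf["R"]
    else:  # KDBX 3.x only supports AES-KDF; field 6 = TransformRounds
        info["kdf"], info["rounds"] = "AES-KDF", struct.unpack("<Q", fields[6])[0]
    return info


def check_policy(info, policy=POLICY):
    """List the ways the header falls short of the policy; an empty list means it passes."""
    findings = []
    if info["cipher"] == "unknown" or info["kdf"] == "unknown":
        findings.append("unrecognised cipher or KDF")
    if info["kdf"].startswith("Argon2"):
        if info["memory_mib"] < policy["argon2_memory_mib"]:
            findings.append(f"Argon2 memory {info['memory_mib']} MiB < {policy['argon2_memory_mib']} MiB")
        if info["iterations"] < policy["argon2_iterations"]:
            findings.append(f"Argon2 iterations {info['iterations']} < {policy['argon2_iterations']}")
    elif info.get("rounds", 0) < policy["aes_rounds"]:
        findings.append(f"AES-KDF rounds {info.get('rounds')} < {policy['aes_rounds']}")
    return findings


def build_sample_header(memory_bytes, iterations):
    """Construct a KDBX 4.0 outer header with Argon2d settings (test data, not a real vault)."""
    def entry(vtype, key, value):
        return (bytes([vtype]) + struct.pack("<i", len(key)) + key.encode()
                + struct.pack("<i", len(value)) + value)
    kdf = (struct.pack("<H", 0x0100) + entry(0x42, "$UUID", uuid.UUID(ARGON2D).bytes)
           + entry(0x42, "S", bytes(32)) + entry(0x04, "P", struct.pack("<I", 2))
           + entry(0x05, "M", struct.pack("<Q", memory_bytes))
           + entry(0x05, "I", struct.pack("<Q", iterations))
           + entry(0x04, "V", struct.pack("<I", 0x13)) + b"\x00")
    def field(fid, value):
        return bytes([fid]) + struct.pack("<I", len(value)) + value
    return (struct.pack("<IIHH", *KDBX_SIG, 0, 4) + field(2, uuid.UUID(AES_CBC).bytes)
            + field(3, struct.pack("<I", 1)) + field(4, bytes(32)) + field(7, bytes(16))
            + field(11, kdf) + field(0, b"\r\n\r\n"))


SAMPLE_STRONG = build_sample_header(64 * 2**20, 10)  # constructed: 64 MiB, 10 iterations
SAMPLE_WEAK = build_sample_header(8 * 2**20, 1)      # constructed: 8 MiB, 1 iteration

if __name__ == "__main__":
    import sys
    samples = [("strong sample", SAMPLE_STRONG), ("weak sample", SAMPLE_WEAK)]
    samples += [(p, open(p, "rb").read()) for p in sys.argv[1:]]  # optional: real .kdbx paths
    for name, blob in samples:
        info = parse_header(blob)
        print(name, info, check_policy(info) or "OK")
```

Run it with one or more .kdbx paths as arguments to audit real vaults; with no arguments it only reports on the two constructed samples. Because the header is plaintext by design, this check is safe to run on a copy that sits on the untrusted provider, which is exactly where you want to know the answer.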

  • halcyoncmdr@lemmy.world · 1 point · 17 days ago

    I switched to Bitwarden after the LastPass stuff a couple of years ago, and I just got around to installing Vaultwarden on my TrueNAS system at home. I’m using a single Cloudflare Tunnel to handle secure external connections for that and other services like Emby. Took a little bit to set up following some guides, but it has been working flawlessly for me and some friends. You can use the regular Bitwarden apps and extensions since they natively support self-hosting.

  • Lka1988@sh.itjust.works · 1 point · 17 days ago

    I use KeePass (Keepass2Android, KeePassXC, OG KeePass, and KeePassium) for everything. Been using KeePass in general for 20-ish years.

    Recently, I decided to export all of my passwords from Firefox, Chrome, and Edge, import the data into my KeePass database under their own folders, then delete everything from the browsers. That way I can move entries that weren’t already in the database to their respective locations in the database hierarchy, delete duplicates, and change insecure passwords.

    The database is hosted on my phones (work and personal), laptop, gaming PC, and a server at home, all synced with Syncthing. My work laptop also has Portable KeePass that accesses the database via WebDAV to my server.

  • SanndyTheManndy@lemmy.world · 1 point · 17 days ago

    KeePassXC + Syncthing. Been using it for 2+ years, no issues. I have separate database files for each device and merge them as needed.

  • irmadlad@lemmy.world · 1 point · 17 days ago

    I look at it like this:

    • I don’t absolutely trust the security of my server. Sure, it hasn’t had a breach…yet, but that possibility is inevitable, given the number of bots that keep trying to get in by the minute. It’s secure, yes, but is it secure enough to entrust with the keys to my bank account, my business ventures, et al.? If somebody got the key to my Lemmy account, it would be bothersome, but not cataclysmic, since all online accounts are siloed with only a couple that are linked.
    • Bitwarden spent a lot of time and money building a large infrastructure that is, imho, far more secure than my little server. Bitwarden has a pretty good track record. They have had some vulnerabilities, even as recently as ’23, but these have been remediated.
    • Confirmation bias…I’ve been using Bitwarden for untold years now and have never had an issue, other than the recent UI theming schema that was so castigated by users that they offered a way to switch back.

    While hosting my own password manager would fit right in with the rest of my selfhosting, I think sometimes it’s better to defer to more secure options when dealing with highly sensitive data.

    • philpo@feddit.org · 1 point · 16 days ago

      Bitwarden is absolutely solid, yes.

      Local-server-wise: if OP uses it in a local-only setup behind a proper VPN implementation, from my point of view the risk is acceptable. It’s not that hard to secure a home server in a way that Vaultwarden is not at risk, and when you’re so compromised that it is, then the attacker can easily use other vectors to gain the same data (RATs, keyloggers, etc.).

  • AtariDump@lemmy.world · 0 points · edited · 17 days ago

    Is the data super important to you?

    Let someone else host it.

    Bitwarden in the cloud.

    Edit: Bitwarden as in paying the monthly/yearly fee to BW. I wasn’t implying trying to host it yourself in the cloud.

    • tmpod@lemmy.pt · 0 points · edited · 17 days ago

      This. And to add to what other commenters have said, by using Bitwarden and paying for their Premium plan (very cheap, just $10/year), even if you don’t use all their features, you’re supporting a good project. It’s critical infrastructure, I think the price is more than fair.
      Either way, you should always make periodic backups from any cloud service you use, encrypted of course.

        • tmpod@lemmy.pt · 1 point · 17 days ago

          Yes! Oh my, I’m silly; that was precisely my point and I managed to mess it up 🙃

          Thank you for the correction!