this post was submitted on 08 Oct 2024
165 points (96.6% liked)

Selfhosted

40359 readers
348 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.

(page 2) 50 comments
sorted by: hot top controversial new old
[–] Dark_Arc@social.packetloss.gg 4 points 1 month ago (1 children)

I recommend against hosting a password manager yourself.

The main reason is self hosted systems require maintenance to patch vulnerabilities. While it's true that you won't be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).

Using professional hosting means just that, professional hosting with people who's full time job is running those systems and keeping people that aren't supposed to be there out.

Plus, you always have the encryption of the binary blob itself to fall back on (which if you've got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe... And mixed in with a lot of other data that's likely higher priority to target.

load more comments (1 replies)
[–] HamSwagwich@showeq.com 4 points 1 month ago (2 children)

I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It's not perfect, but it's better than LP and 1Pass.

The reason you'd want to self-host is so that nobody has access to your data but you. "The cloud" is just someone elses computer"

[–] Appoxo@lemmy.dbzer0.com 2 points 1 month ago (1 children)

Bitwarden does external audits with reports and stores in zero knowledge storage.
Loose your master password and you are fucked. They can't restore it even if you pay them a million €

[–] HamSwagwich@showeq.com 2 points 1 month ago (1 children)

That was basically the same claim LP made. Even if true, if you have a bad master password, you can be compromised. While yes, that's on you, your data is a high priority target in a centralized password store... if you host it yourself, someone would first have to know you had that data to even target you for that. Much less exposure hosting it yourself. The convenience factor and potentially less security than a company hosting passwords have, so it's kind of a six of one, half dozen of the other.

load more comments (1 replies)
load more comments (1 replies)
[–] KarnaSubarna@lemmy.ml 4 points 1 month ago

I access my Vaultwarden server via Cloudflared tunnel while I'm away from home network.

[–] recursive_recursion@lemmy.ca 3 points 1 month ago

you become fully in charge of your passwords instead of relying on someone else

TL;DR:

  • you do it to gain more independence and self-reliance
[–] WMTYRO@lemmy.world 3 points 1 month ago (1 children)

Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.

load more comments (1 replies)
[–] astrsk@fedia.io 3 points 1 month ago

I self host services as much as possible for multiple reasons; learning, staying up to date with so many technologies with hands on experience, and security / peace of mind. Knowing my 3-2-1 backup solution is backing my entire infrastructure helps greatly in feeling less pressured to provide my data to unknown entities no matter how trustworthy, as well as the peace of mind in knowing I have control over every step of the process and how to troubleshoot and fix problems. I’m not an expert and rely heavily on online resources to help get me to a comfortable spot but I also don’t feel helpless when something breaks.

If the choice is to trust an encrypted backup of all my sensitive passwords, passkeys, and recovery information on someone else’s server or have to restore a machine, container, vm, etc. from a backup due to critical failures, I’ll choose the second one because no matter how encrypted something is someone somewhere will be able to break it with time. I don’t care if accelerated and quantum encryption will take millennia to break. Not having that payload out in the wild at all is the only way to prevent it being cracked.

[–] hendrik@palaver.p3x.de 3 points 1 month ago* (last edited 1 month ago) (1 children)

Lots of people like and recommend Bitwarden. I think followed by KeePass on second place.

I self-host stuff because I can, because I learn something while doing it and it gives me control. And I'm running that server anyways, so I might as well install one more service on it. If you don't want to spend your time managing and maintaining servers and services, go for the official (paid) service. That'll do, too.

If you're worried about your internet connection going down, either use a VPS in a datacenter or just use software that syncs to your devices. I think Bitwarden does that, your passwords will be available without an internet connection to your server. They just won't get synced until the server is reachable again.

[–] el_abuelo@programming.dev 3 points 1 month ago (2 children)

Thanks, I did consider the syncing would be fine. But if the reason to do it is just hobbying then I'll pass, I have too many hobbies at this point and managing what I'm already hosting is giving me enough of a scratch for that itch

[–] superglue@lemmy.dbzer0.com 3 points 1 month ago

I run vaultwarden in a docker container and I can't say I've touched it since then. Its as much maintenance as all the other services I run. Reboot the server quarterly to make sure patches are applied. Docker containers patch nightly.

[–] hendrik@palaver.p3x.de 2 points 1 month ago* (last edited 1 month ago) (1 children)

Sure. I think there are some areas where self-hosting is kinda mandatory because other solutions don't fulfill my requirements. But I don't think a password manager is part of that. It stores the passwords encrypted in the cloud anyways, $0-$10 a year isn't much and I think Bitwarden has a good track record and you'll be supporting them. Self-hosting is a nice hobby and I think integral part of a free and democratic culture on the internet. But it doesn't have to be every tiny tool and everyone. Do it if you like, otherwise it's fine if you support open source projects by paying a fair price if you want convenience and they offer a good hosted service.

[–] el_abuelo@programming.dev 2 points 1 month ago

Appreciate the input - that's exactly where my heads at right now. Didn't expect so many answers - really glad I asked, been very interesting reading different folks views on this.

[–] dan@upvote.au 2 points 1 month ago

I self-host Vaultwarden but I use a VPS where I keep things stable. My VPSes run Debian Stable and have unattended-upgrades installed and configured to automatically install security updates. My home server runs Unraid and is more experimental - I'm not running anything of critical importance on it.

[–] korthrun@lemmy.sdf.org 2 points 1 month ago (1 children)

Why not a piece of hardware instead of self hosting, cloud hosting, etc?

[–] el_abuelo@programming.dev 2 points 1 month ago (4 children)
load more comments (4 replies)
[–] MajorasMaskForever@lemmy.world 2 points 1 month ago (4 children)

I've used cloud based services for password managers for work and "self host" my personal stuff. I barely consider it self hosting since I use Keepass and on every machine it's configured to keep a local cached copy of the database but primarily to pull from the database file on my in-home NAS.

Two issues I've had:

Logging into an account on a device currently not on my home network is brutal. I often resort to simply viewing the needed password and painstakingly type it in (and I run with loooooong passwords)

If I add or change a password on a desktop and don't sync my phone before I leave, I get locked out of accounts. Two years rocking this setup it's happened three times, twice I just said meh I don't really need to do this now, a third time I went through account recovery and set a new password from my phone.

Minor complaint:

Sometimes Keepass2Android gets stuck trying to open the remote database and I have to let it sit and timeout (5 minutes!!!) which gets really annoying but happens very infrequently which is why I say just minor complaint

All in all, I find the inconvenience of doing the personal setup so low that to me even a $10 annual subscription is not worth it

[–] el_abuelo@programming.dev 2 points 1 month ago

Appreciate your perspective thanks for sharing.

[–] lud@lemm.ee 2 points 1 month ago (2 children)

Consider shortening your passwords. Random passwords longer than 20 characters is a complete waste of time.

load more comments (2 replies)
load more comments (2 replies)
load more comments
view more: ‹ prev next ›