I’m going to move away from lastpass because the user experience is pretty removeding removed. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.
My questions are to those of you who self-host, firstly: why?
And how do you mitigate the risk of your internet going down at home and blocking your access while away?
BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.
I’m on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.
Commitment: I know my server OS isn’t setup as well as it could be for mission critical software/uptime. I’m a hobbiest with limited time to spend on this hobby and I can’t spend 100hrs getting it all right.
Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.
So I don’t trust my own OS to be fully secure and I don’t trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.
I’ve seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.
All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don’t think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.