Why self host a password manager? - eviltoast

I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.

  • wth@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    17
    ·
    2 months ago

    My approach to this is as follows:

    • the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
    • Loss of control of this data would be catastrophic, so I took its security very seriously.
    • No one company can be trusted with our data, because they all get hacked or make mistakes at some point.

    I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.

    I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.

    If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.

    Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.

    Cheers.

    • 𝘋𝘪𝘳𝘬@lemmy.ml
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      2 months ago

      Loss of control of this data would be catastrophic, so I took its security very seriously.

      Ask yourself: “If my current system is unavailable: How screwed am I?”

      If the answer is anything less than “Not screwed at all!”, then it is time for a backup - regardless of what system you’re using or plan to use.

      • wth@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        Fair comment, although due to the distributed nature of our implementation we are unlikely to lose services. All Vaults are stored locally on all devices.

        Having said that - the copy of the vault on the Mac is backed up with TimeMachine.

        [I’ve been a greybeard sysadmin and use 3,2,1 even at home]

    • qaz@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      2 months ago

      A couple of questions

      1. How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?

      2. Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?