Which password manager to use?
-
I haven't seen it mentioned here so I'll throw it out there - 1Password. It's just a very smooth experience that I really appreciate.
1Password is the only one I found that I can share with the family, syncs changes practically instantly, and actually detects login fields on every platform I use it on (Android, Windows, Linux).
-
Correct me if I'm wrong: if something happens to your vaultwarden instance, aren't you at risk of losing everything? I do use bitwarden, but I could never self host it. Too important. ID rather use keepass with syncthing so that more than one of my devices have my passwords
I also self host Vault Warden.
I have my vault automatically exported to Google Drive as an encrypted copy. So worst case I can download from there, and import it to a new password manager or another Bitwarden instance if my server borks. -
I currently use KeepassXC that is synced through NextCloud. The sync isn't very elegant, especially on my phone. So I'm looking for a new password manager, which has a native server sync support that I can self host. What do y'all recommend?
I've been using Bitwarden for years now. Their free tier is amazing, they're rarely down, and it's open source with extensions and apps for every platform.
I tried Proton Pass for a minute while Bitwarden was offline, but quickly ran back to Bitwarden. Proton's extension kept logging out for some reason. I didn't care enough to troubleshoot it.
-
Have you tried syncthing? It works great with keepassxc.
Vaultwarden is pretty easy to self host.
Have been using it for 2+ years with 3 devices, no problem
-
I also self host Vault Warden.
I have my vault automatically exported to Google Drive as an encrypted copy. So worst case I can download from there, and import it to a new password manager or another Bitwarden instance if my server borks.Since I started using a password manager, I've basically forgoten every one of my other passwords. I wouldn't be able to log in to my drive
-
Since I started using a password manager, I've basically forgoten every one of my other passwords. I wouldn't be able to log in to my drive
Same here. But the bitwarden apps have a local copy of the vault. So you can always prevent them from syncing and use it to get the password. Assuming you have your phone still.
You can always have an offsite copy of the vault on a HDD somewhere. It'll be outdated, but at least it'll have the Google account.
-
Same here. But the bitwarden apps have a local copy of the vault. So you can always prevent them from syncing and use it to get the password. Assuming you have your phone still.
You can always have an offsite copy of the vault on a HDD somewhere. It'll be outdated, but at least it'll have the Google account.
Maybe. Why do you self host it? I'm not saying there are no benefits. I just think it's not worth it
-
Maybe. Why do you self host it? I'm not saying there are no benefits. I just think it's not worth it
Bitwarden has features I wanted and was better than the browser password manager I used previously.
I already selfhost other apps so adding another one wasn't an issue. Plus it's free. -
Correct me if I'm wrong: if something happens to your vaultwarden instance, aren't you at risk of losing everything? I do use bitwarden, but I could never self host it. Too important. ID rather use keepass with syncthing so that more than one of my devices have my passwords
That's what backups are for. No matter what solution I use, I would need backups. I used to use LastPass, but that just relied on LastPass to do the backups. I backup the database, but you can also periodically export the data and back that up somewhere securely on your own if you want it in a different format.
-
Yes I agree. I was just offering a counter to the statement that Vaultwarden isnt as safe as Bitwarden. They both are encrypted but my vaultwarden instance is a lot less likely to experience a breach than Bitwarden. The guys with real skill are going after Bitwarden not me.
That's a good point.
Notice, your server is less likely to be targeted.
But much more likely to receive a breach once it's targeted.It's helpful to analog.
You got gold. Thieves are more likely to target a bank, but if they'll know of some gold in your house, it'll be much easier for them to take it from your house rather than from the bank.And now you have to work and make sure people don't find out about the gold in your house. Because once they did it's game over.
-
Doesn't the server just hold an encrypted vault? What could go wrong when the server is compromised? Just thinking out loud I don't know the answer
Let's say I have an unupdated patch and my server is now vulnerable.
This could really happen. I have work and life to worry about and I might not notice.
This vulnerability, could be in the BW instance itself (say the web server or the backend itself), or in the server itself (say an old OpenSSH version), or another service (NextCloud instance hosted in the same server under a different subdomain).
So, first we see it's a big attack surface.
In any of those entrances an attacker could gain access to my server and with it the vault.
It's a short way from there to install a keylogger on the website where BW is hosted, and get my master password ¯_(ツ)_/¯.Now take into consideration that I just sat a couple of minutes to think about this, and I'm not a professional in cyber security or web security. Neither blue nor red team.
A professional, with more knowledge, time, experience and resources, could probably bring up much more things. -
Let's say I have an unupdated patch and my server is now vulnerable.
This could really happen. I have work and life to worry about and I might not notice.
This vulnerability, could be in the BW instance itself (say the web server or the backend itself), or in the server itself (say an old OpenSSH version), or another service (NextCloud instance hosted in the same server under a different subdomain).
So, first we see it's a big attack surface.
In any of those entrances an attacker could gain access to my server and with it the vault.
It's a short way from there to install a keylogger on the website where BW is hosted, and get my master password ¯_(ツ)_/¯.Now take into consideration that I just sat a couple of minutes to think about this, and I'm not a professional in cyber security or web security. Neither blue nor red team.
A professional, with more knowledge, time, experience and resources, could probably bring up much more things.I would just put a server on the internet with only the bitwarden ports open to the internet. And put the server in its own isolated environment. With automatic updates I would be comfortable with this. Even if for any reason the isolated server gets compromised, the server is mostly a glorified sync server.
-
System shared this topic
