I’m going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden’s paid tier is only $10 a year which I’m happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn’t need any additional hardware.

  • dan@upvote.au
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    2 months ago

    Accessing Vaultwarden through a VPN

    Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can’t run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I’m not too worried about unauthorized access.

    • k4j8@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      I have my Vaultwarden public so I can use it at work too, but my firewall blocks all external IPs except my work’s IP.

    • Chewy@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Vaultwarden is one of the few services I’d actually trust to be secure, so I wouldn’t worry if you update timely to new versions.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        I hope it gets security audited one day, like Bitwarden was.

        • Chewy@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          Because they use the official apps/web-vault, they don’t need to implement most of the vault/encryption features, so at least the actual data should be fine.

          Security audits are expensive, so I don’t expect it to happen, unless some sponsor pays for it.

          They have processes for CVEs and it seems like there wasn’t any major security issues (altough I wouldn’t host a public instance for unknown users).

          • dan@upvote.au
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            That’s a good point. I didn’t consider the fact that all the encryption is done client-side, so that’s the most important part to audit (which Bitwarden has already done).