166

I'm going to move away from lastpass because the user experience is pretty fucking shit. I was going to look at 1pass as I use it a lot at work and so know it. However I have heard a lot of praise for BitWarden and VaultWarden on here and so probably going to try them out first.

My questions are to those of you who self-host, firstly: why?

And how do you mitigate the risk of your internet going down at home and blocking your access while away?

BitWarden's paid tier is only $10 a year which I'm happy to pay to support a decent service, but im curious about the benefits of the above. I already run syncthing on a pi so adding a password manager wouldn't need any additional hardware.

you are viewing a single comment's thread
view the rest of the comments
[-] qaz@lemmy.world 1 points 2 months ago

A couple of questions

  1. How do you store a driver's license in Bitwarden? Last time I checked they didn't support file storage. Do you just put it in the cloud storage?

  2. Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?

[-] wth@sh.itjust.works 4 points 2 months ago

Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.

Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.

The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.

[-] qaz@lemmy.world 2 points 2 months ago* (last edited 2 months ago)

I didn't really consider the possibility of the client being compromised yet, good point.

[-] wth@sh.itjust.works 1 points 2 months ago

Lastpass was hacked and might have lost control of some data https://blog.lastpass.com/posts/2022/12/notice-of-security-incident

1Pass hasn’t been hacked directly, but they were affected by the Okta https://blog.1password.com/okta-incident/

(One of the most common vectors for hacks is through your vendors - see Target https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/)

Dropbox had an unauthorized access, but the seemed on top of it. https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign

Dropbox also has had a more significant data breech, but a while ago. https://www.twingate.com/blog/tips/dropbox-data-breach#

Overview of all password manager breeches! https://bestreviews.net/which-password-managers-have-been-hacked/

[-] 486@lemmy.world 3 points 2 months ago

How do you store a driver’s license in Bitwarden? Last time I checked they didn’t support file storage. Do you just put it in the cloud storage?

They do support file storage. I've been using that for years for storing small files related to certain accounts an such.

[-] wth@sh.itjust.works 2 points 2 months ago

Good to know, thanks. I haven’t actually started looking for the Enpass replacement yet, but it sounds like Bitwarden will be a lead contender.

[-] qaz@lemmy.world 2 points 2 months ago

I've apparently been missing this button for several years. Thanks!

this post was submitted on 08 Oct 2024
166 points (96.6% liked)

Selfhosted

40716 readers
395 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS