If you've been using passkeys, you'll need to generate new ones when you switch. AFAIK, they aren't exportable from Google or Apple. Which, among other reasons, is why I'll just stick to high-entropy passwords. I've had some sites like Amazon try to sneakily make me register passcodes, I've had to go back and tear them out before they screw me somehow.
this post was submitted on 29 Jun 2025
75 points (96.3% liked)
Selfhosted
48900 readers
693 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
try to sneakily make me register passcodes
Can you expand on this? I'm not sure what this means. Is it like instead of a full fledged password, just a four digit PIN or something? Thanks.
For some reason, when I registered my phone number for delivery notifications, it made a passkey and registered it with my account. It never prompted me to save the passkey, so I had no idea where it was supposed to be used. I immediately deleted it because I was concerned I wasn't going to be able to log in if I logged out without knowing what that passkey was and had it in my password manager.
I use KeePass (Keepass2Android, KeePassXC, OG KeePass, and KeePassium) for everything. Been using KeePass in general for 20-ish years.
Recently, I decided to export all of my passwords from Firefox, Chrome, and Edge, import the data into my KeePass database under their own folders, then delete everything from the browsers. That way I can move entries that weren't already in the database to their respective locations in the database hierarchy, delete duplicates, and change insecure passwords.
The database is hosted on my phones (work and personal), laptop, gaming PC, and a server at home, all synced with Syncthing. My work laptop also has Portable KeePass that accesses the database via WebDAV to my server.
This is what I did. Once Firefox did something and wiped my passwords from sync only way I got them back was I had an old laptop I didn’t use often that was synced to my account. Now I use keepass that’s saved locally and a backup on my nas & flashdrive.
This
x10
if you need to share passwords with other people and do that often then that would be the only reason i would recommend a server-client based password manager. otherwise theres too many points of failure for my liking, especially for something that i use on a daily basis.
KeePass on the other hand is just a single file thats stored locally and all you need is an app to read it. you dont need an internet connection or a VPN to access it remotely. your wifi could be down, even your power could be out and you would still have access to your database
being able autofill desktop program logins was the main reason i switched away from bitwarden years ago
KeepassXC on desktop has a feature called "Autotype" which basically simulates keystrokes to fill in your passwords. theres also an option to integrate with the KeepassXC browser extension, but with Autotype your browser has no connection to your database at all. i kind of feel this is a huge elephant in the room that most other password managers just gloss over. sure, you are getting a lot more convenience by having your browser autofill your passwords but its also adding a huge attack surface just for the sake of a few seconds or a few clicks.
that said, Autotype isnt great at guessing all sites you might be trying to log into but there is this browser extension that will change your browsers window title to show the full site url which KeepassXC can then read
one really underrated feature that i dont see any of the others doing is giving you the ability to use multiple vaults at once. you can have one vault for things that are really important, then everything else in another vault and have different strength passwords/passphrases for each one. i have maybe 300 logins but only around 10% of them are important. its kind of a pain if all you want to do is just log into some random forum but you have to type a long secure master password just to open your vault
Sandpass on sandstorm
It's dated, but phenomenal (and secure)
I switched to Bitwarden after the LastPass stuff a couple years ago, and I just got around to installing Vaultwarden on my TrueNAS system at home. Using a single Cloudflare Tunnel to handle secure external connections for that and other services like Emby easily. Took a little bit to setup following some guides, but has been working flawlessly for me and some friends. You can use the regular Bitwarden apps and extensions since they natively support self hosting.
KeepassXC + Syncthing. Using for 2+ years no issues. Have separate database files for each device and merge them as needed.
I do the same thing on my laptop and gaming PC. My only beef with KeePassXC is that they refuse to implement WebDAV, despite the OG KeePass having it. Otherwise it's fantastic.
I look at it like this:
- I don't absolutely trust the security of my server. Sure, it hasn't had a breach.....yet, but that possibility is inevitable, given the amount of bots that keep trying to get in by the minute. It's secure, yes, but is it secure enough to entrust the keys to my bank account, my business ventures, et al? IF somebody got the key to my Lemmy account, it would be bothersome, but not cataclysmic since all online accounts are silo'd with only a couple that are linked.
- Bitwarden spent a lot of time and money building a large infrastructure that is, imho, far more secure than my little server. Bitwarden has a pretty good track record. They have had some vulnerabilities, even as recent as '23 but these have been remediated.
- Confirmation bias...I've been using Bitwarden for untold years now and have never had an issue, other than the recent UI theming schema that was so castigated by users that they offered a way to switch back.
While hosting my own password manager would fit right in with the rest of my selfhosting, I think sometimes it's better to defer to more secure options when dealing with highly sensitive data.
Bitwarden is absolutely solid,yes.
Local server wise: If OP uses it in a local only setup behind a proper VPN implementation from my point of view the risk is acceptable. It's not that hard to secure a home server in a way that Vaultwarden is not at risk - and when you're so compromised that it is, then the attacker can easily use other vectors to gain the same data (RAt,keyloggers, etc.)
I use GNU pass synced through an internal Gitea. Have wireguard to sync remotely. Works pretty good, I would recommend not setting an expiration on the key, the git history keeps the old encryption anyways.
This is the way to go.. though I've moved from pass to go pass which is basically the same thing but written in go and looks to be better maintained.. also moved from gitea to forgejo since I think gitea has had some maintainer changes over the last couple of years that may not have been in the spirit of remaining fully FOSS
It's strange how I never see this mentioned anywhere, but there's a way to get unique secure passwords for every site/app without needing to store them anywhere. It's called LessPass, and essentially generates passwords based on 3 fields (site, username, master password) and works relatively well, because the advantages are quite obvious I'll list the potential downsides:
- If one password is compromised or needs changing for whatever reason you need to increase a counter and need to remember which counter for which site (this is less problematic than it sounds, except in places that have a password policy that forces you to change your password periodically)
- Android can store the master password and use fingerprint to input it, but in PC you always have to type your master password which can get annoying.
- You need to change your passwords to this new format, which can take a while, and years down the line you're trying to login somewhere and don't remember if you've already migrated it or not.
You also have to keep track the site and how you spell it. For example is it "Microsoft" or "microsoft"?
And keep track of the current name of the site vs the old name. For example am I signing into Microsoft or Live.com or Xbox?
And keep track of my username. Is it my email? Which email? Which username?
I understand the concept but I think if falls apart fast.
Yup, but most of that is easily solvable by being consistent, e.g. always use lowercase and your email (even if it's not the login for that site). But yes, you need to know to be consistent so it's a good point to make.
Hahaha, that's the point of a password manager. If remembering worked, we wouldn't need any of this.
Also, I have 300+ unique logins.
I have more than 120 electronic identities, impossible to track the counter or to remember the tld of all websites I visit.
The concepts is only useful in a very small and defined scenario.
My point is that of those 120 probably 110 have never been compromised nor forced you to change the password due to expiration policies. The remaining 10 are the ones that require some mental gymnastics, so while the problem exists it's not as serious as it sounds. I probably have more than 120 identities using this method since I've been using it for years, and I don't think I ever had to use the counter, it's a matter of being consistent in how you think about websites, for example if you know how you refer to a site slugify it and use that for the field, so you would use spotify, netflix, amazon-prime.
Why not use KeepassXC? It's a completely local encrypted db but it integrates with cloud storage apps like nextcloud for sync. It has plugins for integration with Firefox and KeepassAndroid is pretty smooth on the current Android OS.
Any iOS app?
Shamelessly shilling my OSS project, rook. It provides a secret-server-ish headless tool backed by a KeePass DB.
- Headless server
- Optional and convenient integration with the kernel keyring (on Linux), for locking the server to only provide secrets to the user's session
- Provides a range of search, list, and get commands
- Minimal dependencies and small code base make rook reasonably auditable
You might be interested in rook if you're a KeePassXC user. Why might you want this instead of:
- Gnome secret-server, KDEs wallet, or pass? rook uses your (a) KeePass DB, while most other projects store secrets in their own DBs and require (usually manual) sync'ing when passwords change.
- One of the browser secret storage? Those also keep a bespoke DB which needs to be synced, and they're limited to browser use. Rook supports using secrets in cron jobs or on the command line (e.g. mbsync, vdirsyncer, msmtp, etc, etc).
- KeePassXC? KeePassXC does provide a secret service that mocks Gnome secret-service, but you have to keep KeePassXC (a GUI app) running even if you only rarely use the UI. Rook can also be used on a headless machine.
- The KeePassXC command line tool? That requires entering the password for every request, making it tedious to use and impractical for automated, periodic jobs.
Rook is read-only, and intended to be complementary to KeePassXC. The KeePassXC command line tools are just fine for editing, where providing a password for every action is acceptable, and of course the GUI is quite nice for CRUD.
Damn, that sounds very interesting! The use of a Keepass DB instead of a new one makes it great to have as option. It's something I hadn't think about for a long time.
I'll check it out later and maybe install it after I restore my server, I'm planning to reduce my attack surface too:)
If you do, use the -k option - it locks access to the rook service to only the user session. Rook works without it, but is more secure with it.
Yup this is the way. The resulting .kdbx database file is encrypted so you can even synchronize it over an untrusted provider. Otherwise you can use something like syncthing to keep it strictly peer to peer.
this one, OP. no need to introduce the horror that's a:
- hosted app (why?!)
- client app is electron crapware
- the client app doesn't even have full functionality, you have to use the web UI for some tasks
edit: I'm obviously speaking about the bitwarden/vaultwarden horror. keepassXC is none of them things.
KeepassXC is the only thing that makes sense to me.
I don't want all my passwords stored with some huge target like lastpass or bitwarden.
Encrypted local (and synced) DB is the only way.
If you don't have a hard requirement of it being fully (!) OpenSource, then I would recommend Enpass. Relatively pleasing UI that runs native on Win, Mac, Linux, Android and iOS. It has browser plugins for Chrome and Firefox that talk directly to the running fat client (so no multiple authentication with different browsers necessary).
The password db is completely local, but it offeres several sync mechanisms like WebDAV or Dropbox or also iCloud; basically whatever can store files. If it's a NAS in your home, it simply will sync once you are back home.
It also offers "WiFi Sync", in which case you designate one machine running Enpass as the server and link other clients to it, then you don't even need to run a separate hosting for it (but that machine needs to be on and running Enpass when you want to sync, obviously).
It's basically a less open but much more convenient and beautiful KeePass(XC).
I used enpass for years and was a happy user. one day it prompted me for some re-authentication bullshit security theater. although in that instant it was an easy task, took me all of 10 seconds, it demonstrated a scary amount of power they had as I couldn't bypass it and access my data. from that point on, its days were numbered.
the second issue is the export functionality that was seriously lacking and I had to resort to 3rd party converter tools to convert it to keepassXC; no way that flew by their QC, it had to be intentional.
On mobile I indeed also had that issue once. However I made sure they can't lock me out completely. The db is stored using the opensource sqlcipher, so one can open it and extract everything manually, if absolutely necessary. As long as they don't change this, I am fine. In the worst case that would still be a lot of effort for me, but not impossible.
The export has also improved a lot. You can now also export to JSON which includes all the data one could need.
view more: next ›