Selfhosted

My approach to this is as follows:

• the password manager is probably the most important and often used piece of software I own. We (wife and I share the vault) store everything important/private in there - bank details, hundreds of passwords, passport details, drivers licence etc. It is used many times a day by us both.
• Loss of control of this data would be catastrophic, so I took its security very seriously.
• No one company can be trusted with our data, because they all get hacked or make mistakes at some point.

I’m the security dude for a cloud service provider in my day job, so my goal was to use Separation of Concerns to manage my passwords. I therefore split the software from the storage, choosing software from one company, and storage from a second company. That way, it requires a failure on both parties at the same time for me to lose control of all the data.

I used to use OnePass for the software, storing the data in Dropbox. But then they removed that option, so I switched to Enpass. Data is stored in a vault on the local device and synced to a folder on Dropbox, which we both have access to from all our devices (Mac’s, iPads, iPhones). The vault is encrypted using our master password and Dropbox only sees an encrypted file. Enpass provides software that runs locally and doesn’t get a copy of my vault file.

If Dropbox has another failure and the vault gets out, then that is not a problem as long as Enpass have properly encrypted it. If Enpass has a bug making the vaults crackable - again it’s not a problem as long as Dropbox doesn’t lose control of my vault file. I update Enpass, the vault gets fixed and life goes on.

Enpass is very usable, but buggy. It crashes every night (requiring me to start it again and log in), and often loses connection to Safari and wont re-establish it. It got better with a previous update, but has got unreliable again. I’m about to look for another.

Cheers.

I self-host Vaultwarden but I use a VPS where I keep things stable. My VPSes run Debian Stable and have unattended-upgrades installed and configured to automatically install security updates. My home server runs Unraid and is more experimental - I'm not running anything of critical importance on it.

Password management is the one thing i don't plan to self-host, on the grounds of not putting all my eggs in one basket. If something goes wrong and all my shit is fried or destroyed, I don't want to also fuck around with account recovery for my entire digital existence.

Plus, if something is breached, im more likely to hear news about Bitwarden than I am about compromised server and/or client versions in a timeframe to actually be able to react to it.

I recommend against hosting a password manager yourself.

The main reason is self hosted systems require maintenance to patch vulnerabilities. While it's true that you won't be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).

Using professional hosting means just that, professional hosting with people who's full time job is running those systems and keeping people that aren't supposed to be there out.

Plus, you always have the encryption of the binary blob itself to fall back on (which if you've got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe... And mixed in with a lot of other data that's likely higher priority to target.

1. Because I don't trust companies to hold onto passwords.
2. It syncs. I don't need live access to my home.

you become fully in charge of your passwords instead of relying on someone else

TL;DR:

• you do it to gain more independence and self-reliance

I'm on the bandwagon of not hosting it myself. It really breaks down to a level of commitment & surface area issue for me.

Commitment: I know my server OS isn't setup as well as it could be for mission critical software/uptime. I'm a hobbiest with limited time to spend on this hobby and I can't spend 100hrs getting it all right.

Surface Area: I host a bunch of non mission critical services on one server and if I was hosting a password manager it would also be on that server. So I have a very large attack surface area and a weakness in one of those could result in all my passwords & more stored in the manager being exposed.

So I don't trust my own OS to be fully secure and I don't trust the other services and my configurations of them to be secure either. Given that any compromise of my password manager would be devastating. I let someone else host it.

I've seen that in the occassional cases when password managers have been compromised, the attacker only ends up with non encrypted user data & encrypted passwords. The encrypted passwords are practically unbreakable. The services also hire professionals who host and work in hosting for a living. And usually have better data siloing than I can afford.

All that to say I use bitwarden. It is an open source system which has plenty of security built into the model so even if compromised I don't think my passwords are at risk. And I believe they are more well equipped to ensure that data is being managed well.

I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.

If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.

Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.

Self-hosting removes the risk of somebody compromising Bitwarden’s servers and adding malicious javascript to send off your master password to a bad actor instead of just processing it locally like it’s designed to.

Bitwarden's free version is enough for my purposes, but I didn't realize they had a $10/yr plan. That seems worth paying for, I'll have to look into it.

I still just use :X with vim on a server I can ssh to.

My questions are to those of you who self-host, firstly: why?

Would you give me your password database? I promise to encrypt it!

I self host services as much as possible for multiple reasons; learning, staying up to date with so many technologies with hands on experience, and security / peace of mind. Knowing my 3-2-1 backup solution is backing my entire infrastructure helps greatly in feeling less pressured to provide my data to unknown entities no matter how trustworthy, as well as the peace of mind in knowing I have control over every step of the process and how to troubleshoot and fix problems. I’m not an expert and rely heavily on online resources to help get me to a comfortable spot but I also don’t feel helpless when something breaks.

If the choice is to trust an encrypted backup of all my sensitive passwords, passkeys, and recovery information on someone else’s server or have to restore a machine, container, vm, etc. from a backup due to critical failures, I’ll choose the second one because no matter how encrypted something is someone somewhere will be able to break it with time. I don’t care if accelerated and quantum encryption will take millennia to break. Not having that payload out in the wild at all is the only way to prevent it being cracked.

I'm self-hosting a VaultWarden install, and I'm doing it because uh, well, at this point I've basically ended up hosting every service I use online at this point.

Though, for most people, there's probably no real reason to self-host their own password manager, though please stop using Lastpass because they've shown that they're utterly incompetent repeatedly at this point.

Lots of people like and recommend Bitwarden. I think followed by KeePass on second place.

I self-host stuff because I can, because I learn something while doing it and it gives me control. And I'm running that server anyways, so I might as well install one more service on it. If you don't want to spend your time managing and maintaining servers and services, go for the official (paid) service. That'll do, too.

If you're worried about your internet connection going down, either use a VPS in a datacenter or just use software that syncs to your devices. I think Bitwarden does that, your passwords will be available without an internet connection to your server. They just won't get synced until the server is reachable again.