I am looking into password managers, as number of my accounts are increasing. Currently I am weighing two options:
- Host Vaultwarden on a VPS, or
- Use the free bitwarden service.
I want to know how they are in practical aspects.
While I am fine self-hosting many services, password managers seem to be one of the most critical services that should not admit downtime. I surely cannot keep it up, as I need to update it time to time.
On the other hand, using bitwarden might require some level of trust. How much should I trust the company to use the free service? How do I know if my passwords would be safe, not being exposed to the wide net?
I want to gauge pros and cons, are there aspects I missed? How are your opinions on this? If you are self-hosting vaultwarden, how do you manage the downtime? Thanks in advance!
You must log in or # to comment.
Bitwarden is dirt cheap. I can never host and be as reliable as they are for that price.
I enjoy self hosting, but what tipped the scales for me in favor of using Bitwarden’s servers is that I’m 100% confident I’m not as good as hardening my system from being compromised as they are. The vault is going to be encrypted anyway, and I think there’s a lower chance of it falling into the wrong hands if it’s hosted with Bitwarden. Same reason I don’t self-host email.
Plus Bitwarden is a cool company and the product is open source, and the premium features are unreasonably low priced.
I had a similar dilemma and just went with bitwarden because I don’t trust myself not to fuck up. Bitwarden can’t access the passwords without my master pw (afaik) so I feel safe knowing that. I use it on all my devices so it gets synced there and even if the service is down, I have my passwords.
I’ll self host it when I reach the next level of paranoia.
If I get hit by a bus, then the passwords for the things that my wife needs to settle things gets sent to her, and the infra isn’t something that I maintain and could be down.
Worth $10/yr, by far.
That is a service they offer? Man that’s amazing, I gues I am going to update!
There’s a dead man option.
I have my password stored as a QR in an envelope. With instructions for Bitwarden. Never heard about the dead man option.
add keepassxc to the list. I’ve avoided it for the longest times because I remember the horror that was the OG keepass. this is modern software, minimal footprint (miniscule compared to bitwarden’s electron crap), easy to use, the db is one file that’s easily syncthing-ed around, browser extensions, etc.
There’s not a need to have vaultwarden up all of the time unless you use new devices often or create and modify entries really often. The data is cached on the device and kept encrypted by the app locally. So a little downtime shouldn’t be a big issue in the large majority of cases.
Bitwarden does my OTP as well. You don’t need the servers for that?
Do you have a proper backup solution? If you have a catastrophic data error, can you still recover? If not, just choose the hosted infrastructure.
Self-hosting is great. I love it. But when it comes to critical things that you absolutely cannot fuck up, I would rather trust a consumer based solution. If you fuck up your passwords and they’re gone, it’s going to hinder you significantly more than losing sleep about some rando having all your passwords if they break scrypt encryption.
If you have a catastrophic data failure, then you can just use the vault stored on a client to restore it, even if you don’t have backups.
Nice! I was unaware that you could do this. Cheers.
Yeah, it says on their website you can export it from any Bitwarden app, and you can also do it from the CLI if you wanted to for some reason.
Probably be easier in case of emergency to do it from the browser extension though, since you’re gonna have to set up the Vaultwarden server anyway and import the data.
Just a PSA for anybody reading the thread, though it doesn’t really help with the question at hand… On the very slim chance that your workplace uses Bitwarden Enterprise it’s worth knowing that every licensed user gets a free family plan that can be tied to an existing personal account, provided it’s hosted in the same region.
We do use it but very few of our own users are even aware of the perk so I like to spread it around when I get the chance!
Maybe worth to mention that bitwarden also propose bitwarden.eu to host data in Europe. I’ve used bitwarden.com for years, and switch to bitwarden.eu a few month ago because of reasons, you know…
If you’re planning on getting more people than yourself into the password manager, it may be worthwhile to pay for a family plan. BitWarden is really low-cost and they publish their stuff as FOSS (and therefore are worth supporting), but crucially you don’t want to be the point of technical support for when something doesn’t work for someone else.
That said, I use Vaultwarden only as backup (manually bring the server online and sync to my phone now and again), and my primary password manager is through Keepassxc.
that was my thinking too, if something happened to me I dont want all my wifes passwords to be locked out so I made her an admin on the account as well to be able to continue paying for the service or export her passwords
Vaultwarden has an “emergency access” feature so if something happens to me my wife can take over the account.
I also added the kids to our “organization” but didn’t give them write permissions to their passwords yet so they can’t accidentally change something.
I’m sure official bitwarden had those options too.
I self-host Bitwarden, hidden behind my firewall and only accessible through a VPN. It’s perfect for me. If you’re going to expose your password manager to the internet, you might as well just use the official cloud version IMO since they’ll likely be better at monitoring logs than you will. But if you hide it behind a VPN, self-hosting can add an additional layer of security that you don’t get with the official cloud-hosted version.
Downtime isn’t an issue as clients will just cache the database. Unless your server goes down for days at a time you’ll never even notice, and even then it’ll only be an issue if you try to create or modify an entry while the server is down. Just make sure you make and maintain good backups. Every night I stop and rsync all containers (including Bitwarden) to a daily incremental backup server, as well as making nightly snapshots of the VM it lives in. I also periodically make encrypted exports of my Bitwarden vault which are synced to all devices - those are useful because they can be natively imported into KeePassXC, allowing you to access your password vault from any machine even if your entire infrastructure goes down.
The bitwarden vaults themselves are encrypted. So I’m not sure what there is to not trust with bitwarden, as even if files were stolen, they are encrypted so they’re largely useless.
I pay for bitwarden premium because it supports the development of a good open source project.
It’s important to specify that the items are encrypted using a key derived from your password, so Bitwarden themselves don’t have access to your passwords even if they wanted to.
Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
This. I love self hosting services, but anything that I 100% can’t live without isn’t one of them. Because I don’t have the funds for proper redundancy/high availability, and my backup practices at home are… Not ideal. I’ve had a couple brushes with data loss due to gaps in backups, lack of monitoring for impending hardware failures, and had 2 disks suddenly die together in a raid array, all in over a decade of self hosting.
I have cold backups of most of my critical services, but they’re not nearly regular enough for me to trust my passwords to myself.
I have used the free Bitwarden now for untold years. It not only houses passwords for personal applications, I use it to keep track of my business account passwords as well. The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.
There is a certain level of trust for whatever option you choose. If you use Bitwarden free, then you have to trust that Bitwarden will keep your data is safe on their servers. If you self host, the onus of trust lies in you’re ability to secure your server, and to the extent that you trust your host as well. The latter option leaves me a bit queasy, so I do not selfhost my passwords in a selfhosted vault.
Others may have more trust in their security skills than I do. LOL There’s just a lot of sensitive data I have housed within Bitwarden free. Selfhosting it would keep me up at nights.
The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.
I think the new UI is pretty terrible. I didn’t know until you mentioned it, irmadlad@lemmy.world, that there was an option to revert. I can’t find it in the settings - how does one revert to the prior UI?
I self host as well as use bitwardens service.
I pay $10 a year, and never have I had access issues with it.
My self hosted instance houses everything for my other self hosted services.
I can also have my Bitwarden duplicated to my self hosted instance.
However, the only way to access my Vailtwarden instance is via my network. And for my use case, this is perfect.
Neither of them have I had any downtime; like others have said it’s anecdotal.
Vaultwarden allows a bit of downtime, the vault is cached by the clients
When the server is not reachable, no writes are allowed
