It never made sense to me to put password managers in the cloud. Regardless of what you intend it to do, you’re making it accessible to a wider audience than necessary. And yet, I’m using iCloud. It’s time for a change.

I’m thinking of just running a locally hosted password manager on my home server and letting my devices sync with it somehow when I’m at home. I have a VPN into my home network when I’m away that automatically triggers when I leave the house, so even that’s not that big an issue, but I’m really not familiar with what’s gonna cleanly integrate with all my stuff and be easy to use. All I know is I wanna kill the cloud functionality of my setup.

I already have a Jellyfin server so I figured I would just throw this onto that. Any suggestions?

      • kebab@endlesstalk.org · +2 · 4 months ago

        What’s the issue of exposing this one to the internet? Even if the database gets leaked somehow, your passwords are still protected by a hopefully strong master password + strong encryption

        • dis_honestfamiliar@lemmy.sdf.org · +1 · 4 months ago

          I guess it’s due to unnecessary risk and laziness of not wanting to get a domain for TLS. Mostly the unnecessary risk, like why expose it when I don’t have to.

          • kebab@endlesstalk.org · +2 · 4 months ago

            Because it lets you sync your passwords anytime, without having to connect to the VPN first, which saves time. And the risk of data leak is not really there since the passwords are encrypted by a strong master password anyways. With Vaultwarden, you can host your database even publicly and share it on Lemmy and nothing would happen, provided you use a strong master password, which you definitely should.

  • dr-robot@fedia.io · +52 · 4 months ago

    Why not use KeepassXC? It’s a completely local encrypted db but it integrates with cloud storage apps like nextcloud for sync. It has plugins for integration with Firefox and KeepassAndroid is pretty smooth on the current Android OS.

    • unexposedhazard@discuss.tchncs.de · +15 · 4 months ago

      Yup this is the way. The resulting .kdbx database file is encrypted so you can even synchronize it over an untrusted provider. Otherwise you can use something like syncthing to keep it strictly peer to peer.

    • glitching@lemmy.ml · +14 · edited · 4 months ago

      this one, OP. no need to introduce the horror that’s a:

      • hosted app (why?!)
      • client app is electron crapware
      • the client app doesn’t even have full functionality, you have to use the web UI for some tasks

      edit: I’m obviously speaking about the bitwarden/vaultwarden horror. keepassXC is none of them things.

      • null_dot@lemmy.dbzer0.com · +8 · 4 months ago

        KeepassXC is the only thing that makes sense to me.

        I don’t want all my passwords stored with some huge target like lastpass or bitwarden.

        Encrypted local (and synced) DB is the only way.

    • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social · +6 · edited · 4 months ago

      Shamelessly shilling my OSS project, rook. It provides a secret-server-ish headless tool backed by a KeePass DB.

      • Headless server
      • Optional and convenient integration with the kernel keyring (on Linux), for locking the server to only provide secrets to the user’s session
      • Provides a range of search, list, and get commands
      • Minimal dependencies and small code base make rook reasonably auditable

      You might be interested in rook if you’re a KeePassXC user. Why might you want this instead of:

      • Gnome secret-server, KDE’s wallet, or pass? rook uses your (a) KeePass DB, while most other projects store secrets in their own DBs and require (usually manual) sync’ing when passwords change.
      • One of the browser secret storages? Those also keep a bespoke DB which needs to be synced, and they’re limited to browser use. Rook supports using secrets in cron jobs or on the command line (e.g. mbsync, vdirsyncer, msmtp, etc, etc).
      • KeePassXC? KeePassXC does provide a secret service that mocks Gnome secret-service, but you have to keep KeePassXC (a GUI app) running even if you only rarely use the UI. Rook can also be used on a headless machine.
      • The KeePassXC command line tool? That requires entering the password for every request, making it tedious to use and impractical for automated, periodic jobs.

      Rook is read-only, and intended to be complementary to KeePassXC. The KeePassXC command line tools are just fine for editing, where providing a password for every action is acceptable, and of course the GUI is quite nice for CRUD.

      • not_amm@lemmy.ml · +2 · 4 months ago

        Damn, that sounds very interesting! The use of a Keepass DB instead of a new one makes it great to have as an option. It’s something I hadn’t thought about for a long time.

        I’ll check it out later and maybe install it after I restore my server, I’m planning to reduce my attack surface too :)

  • Takahe@lemmy.nz · +26 · 4 months ago

    I use keepass (KeepassXC on desktop, KeepassDX on Android, but I’m sure there is an iOS client too). I sync the database between all my devices and my server (hub and spoke) with Syncthing.

    • GreatBlueHeron@piefed.ca · +6 · edited · 4 months ago

      I’ve been using various versions of keepass forever. Until recently I had the database on Google Drive. It’s now local and sync’d with syncthing. It’s a bit “different”, but once you get used to it, it works very well.

    • alienscience@programming.dev · +4 · 4 months ago

      I also use KeepassXC and Syncthing together and I am very happy with this combination.

      One tip that I have, if you are worried about the security of the database file being shared, is to get 2 Yubikeys and use these, along with a strong passphrase, to protect the database file.

      • 4k93n2@lemmy.zip · +1 · 4 months ago

        There’s also the option of using a “key file” with Keepass, which can be any file, an mp3, an ebook or whatever, and then you select that file when you’re entering your password. So as well as someone trying to brute force your password, they also have to guess what key file you’re using, which would be next to impossible if you had a folder full of hundreds of files.
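Added example, not code from any poster nor from KeePass itself: this reproduces how KeePass 2.x folds a master password and an arbitrary key file into the composite key that the KDF (AES-KDF or Argon2) then stretches, which is why a guessed password cannot be tested without the exact file. Assumptions: the XML key-file rules follow KeePass's documented v1.00/v2.0 layouts, and the v2 Hash attribute is not checked here; the "ebook" and "mp3" inputs are constructed bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional


def key_file_component(data: bytes) -> bytes:
    """Reduce a key file's raw bytes to the 32-byte component KeePass 2.x derives from it.

    Mirrors the KeePass/KeePassXC rules: an XML key file contributes its <Data> element
    (base64 in v1.00, hex in v2.0); exactly 32 bytes are used as-is; exactly 64 hex
    characters are hex-decoded; anything else (an mp3, an ebook, ...) is SHA-256 hashed.
    """
    try:
        root = ET.fromstring(data)
        if root.tag == "KeyFile":
            version = root.findtext("Meta/Version", "1.00")
            text = root.findtext("Key/Data", "")
            if version.startswith("2"):
                return bytes.fromhex("".join(text.split()))  # v2 Hash attribute not verified here
            return base64.b64decode(text)
    except ET.ParseError:
        pass  # not XML: fall through to the raw-file rules
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components; the KDF (AES-KDF or Argon2) then stretches this."""
    if password is None and key_file is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_component(key_file)
    return hashlib.sha256(parts).digest()


def demo() -> dict:
    """Constructed inputs: one password and two arbitrary files standing in for 'any file' key files."""
    ebook = b"Call me Ishmael. " * 40          # constructed stand-in for an ebook used as key file
    mp3 = b"ID3\x03\x00" + b"\x00" * 300        # constructed stand-in for an mp3 in the same folder
    target = composite_key("correct horse", ebook)
    return {
        # Knowing the password alone never reproduces the composite key ...
        "password_alone": composite_key("correct horse", None) == target,
        # ... nor does the right password with the wrong file from that folder ...
        "wrong_file": composite_key("correct horse", mp3) == target,
        # ... only the password plus the exact key file does.
        "right_file": composite_key("correct horse", ebook) == target,
    }
```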

  • AtariDump@lemmy.world · +24 · edited · 4 months ago

    Is the data super important to you?

    Let someone else host it.

    Bitwarden in the cloud.

    Edit: Bitwarden paying the monthly/yearly fee to BW. I wasn’t implying trying to host it yourself in the cloud.

    • Engywook@lemmy.zip · +15 · 4 months ago

      Agreed. Unless your setup and security practices are flawless, I think passwords are better managed by specialists paid for it.

      • Lv_InSaNe_vL@lemmy.world · +1 · 4 months ago

        Your security will never be flawless. Human nature is to slip up every once in a while, and security is an ever evolving game of cat and mouse, and even the professionals who spend their entire careers defending infrastructure are constantly playing catch-up.

        I would never host my passwords locally because I know my security at home is nowhere near the security of a professional platform, especially one as trusted as Bitwarden. My dumb family photos and personal git repo? Sure. But Bitwarden holds passwords to my bank, government websites, work stuff, my credit cards, etc.

        Waaay too much risk for me, and if anyone is looking at this I would recommend that you seriously consider what kind of liability you are really bringing on.

    • wise_pancake@lemmy.ca · +4 · 4 months ago

      Passwords are one I happily pay for someone else to worry about

      That’s about my most valuable digital data

    • tmpod@lemmy.pt · +4 · edited · 4 months ago

      This. And to add to what other commenters have said, by using Bitwarden and paying for their Premium plan (very cheap, just $10/year), even if you don’t use all their features, you’re supporting a good project. It’s critical infrastructure, I think the price is more than fair.
      Either way, you should always make periodic backups from any cloud service you use, encrypted of course.

        • tmpod@lemmy.pt · +4 · 4 months ago

          Yes! Oh my, I’m silly; that was precisely my point and I managed to mess it up 🙃

          Thank you for the correction!

    • WQMann@lemmy.ml · +2 · edited · 4 months ago

      +1 to this; Time spent on your setup is an important factor too.

      The more important your data is, the more time you are going to need to spend maintaining your system to ensure security, backups and fail-overs. Not everyone has a luxurious amount of time to spend on their home-lab every day.

      • IsoKiero@sopuli.xyz · +3 · 4 months ago

        I did self-host bitwarden and it’s not that bad to keep updated and running after initial setup (including backups obviously) but it still requires some time and effort to keep it running. And as I was the only user for the service it just wasn’t worth the time spent for me (YMMV) so I switched to their EU servers and I’ve been a happy user ever since.

        What I should do is to improve local backups on that; currently I just export my data every now and then manually to a secured storage, but doing it manually means that there’s often too long a time between exports.

    • WQMann@lemmy.ml · +5 · 4 months ago

      Well, not wrong that it solves the problem, but with data breaches happening frequently, I wouldn’t want to repeat 1 single password for all services lol.

      Even if companies hash passwords, it’s still a gamble whether they are using an up-to-date hash algorithm (or if they do even hash it, lol). Plus, generally best to avoid exposing passwords, hashed or not, in the first place.

      • metaStatic@kbin.earth · +6 · 4 months ago

        I was being facetious. Every site has multiple special requirements to make your password stronger weaker; the odds of being able to use a single one are slim even if you were dumb enough to try.

      • alienscience@programming.dev · +3 · 4 months ago

        I do this for sites where I don’t care at all about security. One minor tip, that will protect against automated attacks if the password is cracked, is to add part of the website name into the password (e.g. “mystrongp4ss!lemworld”).

        A human could easily crack it, but automated systems that replay the password on different sites would probably not bother to calculate the pattern.

        • nelson@lemmy.world · +2 · 4 months ago

          If just one of those passwords gets leaked you might find a lot of other ones get cracked as well.

          It may not be sites that you care about. But using a password manager is a lot less effort and a lot safer than whatever technique the average Joe will come up with.

          Any password that leaks which could indicate a potential system ( e.g.: sitename in lower/upper/leetspeak) makes the whole thing even more vulnerable.

          Just use something. Bitwarden, vault warden, keepassxc, …

          Knowing my social circle I’d recommend bitwarden. Even paying for it costs a measly $10/year, while the free version is very usable in itself. And generating passphrases or 32-char passwords will be a lot safer than whatever the hell they can come up with.

          Just avoid the default browser ones, big tech and LastPass.

          • Lv_InSaNe_vL@lemmy.world · +1 · 4 months ago

            just use something

            This! I am an IT admin and I am constantly begging my coworkers to use a password manager, any password manager. My company will pay for you to use Bitwarden, but if you don’t want to do that, at least use the password manager built into Chrome/Edge. Please, I am begging you to use secure passwords and save them in a password manager.

            (Obviously not you fellow Lemmy users, I’m sure y’all have top notch security practices. Just venting lol)

  • SanndyTheManndy@lemmy.world · +17 · 4 months ago

    KeepassXC + Syncthing. Using for 2+ years no issues. Have separate database files for each device and merge them as needed.

    • Lka1988@sh.itjust.works · +2 · 4 months ago

      I do the same thing on my laptop and gaming PC. My only beef with KeePassXC is that they refuse to implement WebDAV, despite the OG KeePass having it. Otherwise it’s fantastic.

  • irmadlad@lemmy.world · +15 · 4 months ago

    I look at it like this:

    • I don’t absolutely trust the security of my server. Sure, it hasn’t had a breach…yet, but that possibility is inevitable, given the amount of bots that keep trying to get in by the minute. It’s secure, yes, but is it secure enough to entrust the keys to my bank account, my business ventures, et al? IF somebody got the key to my Lemmy account, it would be bothersome, but not cataclysmic since all online accounts are silo’d with only a couple that are linked.
    • Bitwarden spent a lot of time and money building a large infrastructure that is, imho, far more secure than my little server. Bitwarden has a pretty good track record. They have had some vulnerabilities, even as recent as '23 but these have been remediated.
    • Confirmation bias…I’ve been using Bitwarden for untold years now and have never had an issue, other than the recent UI theming schema that was so castigated by users that they offered a way to switch back.

    While hosting my own password manager would fit right in with the rest of my selfhosting, I think sometimes it’s better to defer to more secure options when dealing with highly sensitive data.

    • philpo@feddit.org · +2 · 4 months ago

      Bitwarden is absolutely solid, yes.

      Local server wise: if OP uses it in a local-only setup behind a proper VPN implementation, from my point of view the risk is acceptable. It’s not that hard to secure a home server in a way that Vaultwarden is not at risk, and when you’re so compromised that it is, then the attacker can easily use other vectors to gain the same data (RATs, keyloggers, etc.).

  • Lka1988@sh.itjust.works · +14 · 4 months ago

    I use KeePass (Keepass2Android, KeePassXC, OG KeePass, and KeePassium) for everything. Been using KeePass in general for 20-ish years.

    Recently, I decided to export all of my passwords from Firefox, Chrome, and Edge, import the data into my KeePass database under their own folders, then delete everything from the browsers. That way I can move entries that weren’t already in the database to their respective locations in the database hierarchy, delete duplicates, and change insecure passwords.

    The database is hosted on my phones (work and personal), laptop, gaming PC, and a server at home, all synced with Syncthing. My work laptop also has Portable KeePass that accesses the database via WebDAV to my server.

    • ClydapusGotwald@lemmy.world · +5 · 4 months ago

      This is what I did. Once Firefox did something and wiped my passwords from sync, and the only way I got them back was that I had an old laptop I didn’t use often that was synced to my account. Now I use keepass that’s saved locally and a backup on my NAS & flash drive.

  • halcyoncmdr@lemmy.world · +12 · 4 months ago

    I switched to Bitwarden after the LastPass stuff a couple years ago, and I just got around to installing Vaultwarden on my TrueNAS system at home. Using a single Cloudflare Tunnel to handle secure external connections for that and other services like Emby easily. Took a little bit to set up following some guides, but it has been working flawlessly for me and some friends. You can use the regular Bitwarden apps and extensions since they natively support self hosting.

  • kowcop@aussie.zone · +8 · 4 months ago

    I don’t really see the problem with having the password manager in the cloud if it is protected by 2FA. I tried vaultwarden (self hosted) about a year ago and the showstopper was that I couldn’t store a new password when off LAN or without first connecting the VPN. I am sure there are on-demand VPN type services, but it was clunky. It would have been great if it would work locally on the phone and then sync the password to the vault when it came back online.

  • radar@programming.dev · +7 · edited · 4 months ago

    I use GNU pass synced through an internal Gitea. Have wireguard to sync remotely. Works pretty good, I would recommend not setting an expiration on the key, the git history keeps the old encryption anyways.

  • ikidd@lemmy.world · +5 · 4 months ago

    If you’ve been using passkeys, you’ll need to generate new ones when you switch. AFAIK, they aren’t exportable from Google or Apple. Which, among other reasons, is why I’ll just stick to high-entropy passwords. I’ve had some sites like Amazon try to sneakily make me register passcodes, I’ve had to go back and tear them out before they screw me somehow.

    • yo_scottie_oh@lemmy.ml · +1 · edited · 4 months ago

      try to sneakily make me register passcodes

      Can you expand on this? I’m not sure what this means. Is it like instead of a full fledged password, just a four digit PIN or something? Thanks.

      • ikidd@lemmy.world · +1 · 4 months ago

        For some reason, when I registered my phone number for delivery notifications, it made a passkey and registered it with my account. It never prompted me to save the passkey, so I had no idea where it was supposed to be used. I immediately deleted it because I was concerned I wasn’t going to be able to log in if I logged out without knowing what that passkey was and had it in my password manager.

  • mbirth 🇬🇧@lemmy.ml · +5 · 4 months ago

    If you’re happy with how Apple Password works for you, I can recommend StrongBox. It keeps all data in a KeePass2 database and integrates into Apple’s AutoFill API. That means it feels almost native when using it. No browser plugin needed. (At least not for Safari.) And you can decide how you sync the database file.

  • 4am@lemmy.zip · +4 · 4 months ago

    Self hosting a password manager is great, but be sure to read up on keeping it secure, and don’t store anything important in it until you have a working, tested backup solution. And re-test it frequently in a non-destructive way.

    If you lose your password storage to a disk failure or something, you’re gonna be hurting for a while.
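Added example (mine, not any poster's script) for the backup points raised here and above by tmpod and IsoKiero: an automated, verified backup of a KeePass .kdbx that refuses to copy anything that does not carry the KDBX signature, records a hash beside each copy, and offers a read-only re-test of every backup. Assumptions: the database is already encrypted so the copy needs no extra wrapping, the KDBX signature bytes are as documented by KeePass, and the sample vault in `demo()` is a constructed header plus filler, not a real database.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# A KDBX file starts with two fixed 32-bit signatures (0x9AA2D903, 0xB54BFB67), stored
# little-endian, followed by the 32-bit format version (major number in the high half).
KDBX_SIGNATURE = bytes.fromhex("03d9a29a67fb4bb5")


def kdbx_header_ok(path: Path) -> bool:
    """Read-only sanity check: does this file look like a KDBX 3.x/4.x database?"""
    with open(path, "rb") as f:
        head = f.read(12)
    return (len(head) == 12 and head[:8] == KDBX_SIGNATURE
            and int.from_bytes(head[10:12], "little") in (3, 4))

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_vault(db: Path, backup_dir: Path, keep: int = 10) -> Path:
    """Copy the already-encrypted .kdbx to a timestamped file, verify the copy, prune old ones."""
    if not kdbx_header_ok(db):
        raise ValueError(f"{db} does not look like a KDBX database; refusing to back it up")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_dir / f"{db.stem}-{stamp}{db.suffix}"
    shutil.copy2(db, dest)
    digest = sha256_file(db)
    if sha256_file(dest) != digest:
        dest.unlink()
        raise IOError("backup copy does not match the source hash")
    # Record the hash beside the copy so later re-tests can detect bit rot or tampering.
    dest.with_suffix(dest.suffix + ".sha256").write_text(digest)
    for old in sorted(backup_dir.glob(f"{db.stem}-*{db.suffix}"))[:-keep]:
        old.unlink()
        old.with_suffix(old.suffix + ".sha256").unlink(missing_ok=True)
    return dest

def verify_backups(backup_dir: Path, stem: str, suffix: str = ".kdbx") -> dict:
    """Non-destructive re-test: every backup must still parse as KDBX and match its recorded hash."""
    report = {}
    for b in sorted(backup_dir.glob(f"{stem}-*{suffix}")):
        sidecar = b.with_suffix(b.suffix + ".sha256")
        report[b.name] = (kdbx_header_ok(b) and sidecar.exists()
                          and sidecar.read_text().strip() == sha256_file(b))
    return report

def demo() -> dict:
    """Constructed sample: a valid KDBX 4 header followed by filler bytes, not a real database."""
    root = Path(tempfile.mkdtemp())
    db = root / "Passwords.kdbx"
    db.write_bytes(KDBX_SIGNATURE + (0x00040001).to_bytes(4, "little") + b"\x42" * 256)
    good = backup_vault(db, root / "backups")
    bad = good.with_name("Passwords-corrupt.kdbx")  # simulate a damaged backup copy
    bad.write_bytes(b"garbage")
    report = verify_backups(root / "backups", "Passwords")
    return {"good_verified": report[good.name], "corrupt_flagged": not report[bad.name]}
```

Run `backup_vault` from cron or a Syncthing-side hook and `verify_backups` on a separate schedule; a failed re-test is the signal to restore from an older copy before the problem propagates.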