I am looking into password managers, as number of my accounts are increasing. Currently I am weighing two options:
- Host Vaultwarden on a VPS, or
- Use the free bitwarden service.
I want to know how they are in practical aspects.
While I am fine self-hosting many services, password managers seem to be one of the most critical services that should not admit downtime. I surely cannot keep it up, as I need to update it time to time.
On the other hand, using bitwarden might require some level of trust. How much should I trust the company to use the free service? How do I know if my passwords would be safe, not being exposed to the wide net?
I want to gauge pros and cons, are there aspects I missed? How are your opinions on this? If you are self-hosting vaultwarden, how do you manage the downtime? Thanks in advance!
You must log in or register to comment.
Do you have a proper backup solution? If you have a catastrophic data error, can you still recover? If not, just choose the hosted infrastructure.
Self-hosting is great. I love it. But when it comes to critical things that you absolutely cannot fuck up, I would rather trust a consumer based solution. If you fuck up your passwords and they’re gone, it’s going to hinder you significantly more than losing sleep about some rando having all your passwords if they break scrypt encryption.
If you have a catastrophic data failure, then you can just use the vault stored on a client to restore it, even if you don’t have backups.
Nice! I was unaware that you could do this. Cheers.
Yeah, it says on their website you can export it from any Bitwarden app, and you can also do it from the CLI if you wanted to for some reason.
Probably be easier in case of emergency to do it from the browser extension though, since you’re gonna have to set up the Vaultwarden server anyway and import the data.
EDIT: So just to check, I installed Vaultwarden, and I was able to export the vault from both the browser extension and the iOS app, on top of the web UI.
If I get hit by a bus, then the passwords for the things that my wife needs to settle things gets sent to her, and the infra isn’t something that I maintain and could be down.
Worth $10/yr, by far.
That is a service they offer? Man that’s amazing, I gues I am going to update!
There’s a dead man option.
I have my password stored as a QR in an envelope. With instructions for Bitwarden. Never heard about the dead man option.
Vaultwarden allows a bit of downtime, the vault is cached by the clients
When the server is not reachable, no writes are allowed
Just a PSA for anybody reading the thread, though it doesn’t really help with the question at hand… On the very slim chance that your workplace uses Bitwarden Enterprise it’s worth knowing that every licensed user gets a free family plan that can be tied to an existing personal account, provided it’s hosted in the same region.
We do use it but very few of our own users are even aware of the perk so I like to spread it around when I get the chance!
Maybe worth to mention that bitwarden also propose bitwarden.eu to host data in Europe. I’ve used bitwarden.com for years, and switch to bitwarden.eu a few month ago because of reasons, you know…
I self host vaultwarden and its great. Its an easy self host, and in my experience, it has never gone down on me.
That being said, my experience is anecdotal. If you do go the vaultwarden route, realize that your vault is still accessible on your devices (phone, whatever) even if your server goes down, or if you just lose network connectivity. They hold local (encrypted at rest) copies of your vault that are periodically updated.
Additionally, regardless of the route you take you should absolutely be practicing a good 3-2-1 backup strategy with your password vault, as with any other data you value.
This: backups might be a pain to handle. Bitwarden does that for you + redundancy.
Depends on the amount of work the person does. I know I’m a lazy self hoster that takes time to update software.
I enjoy self hosting, but what tipped the scales for me in favor of using Bitwarden’s servers is that I’m 100% confident I’m not as good as hardening my system from being compromised as they are. The vault is going to be encrypted anyway, and I think there’s a lower chance of it falling into the wrong hands if it’s hosted with Bitwarden. Same reason I don’t self-host email.
Plus Bitwarden is a cool company and the product is open source, and the premium features are unreasonably low priced.
The bitwarden vaults themselves are encrypted with your password. So I’m not sure what there is to not trust with bitwarden, as even if files were stolen, they are encrypted so they’re largely useless.
I pay for bitwarden premium because it supports the development of a good open source project.
Edit: fixed phrasing given suggestion below
It’s important to specify that the items are encrypted using a key derived from your password, so Bitwarden themselves don’t have access to your passwords even if they wanted to.
Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
This. I love self hosting services, but anything that I 100% can’t live without isn’t one of them. Because I don’t have the funds for proper redundancy/high availability, and my backup practices at home are… Not ideal. I’ve had a couple brushes with data loss due to gaps in backups, lack of monitoring for impending hardware failures, and had 2 disks suddenly die together in a raid array, all in over a decade of self hosting.
I have cold backups of most of my critical services, but they’re not nearly regular enough for me to trust my passwords to myself.
I see, guess I was overly paranoid. Bitwarden sounds good, then!
If in the future you think you might bring family/relations onboard to the password manager, it may be worthwhile to pay for a BitWarden family plan. BitWarden is really low-cost and they publish their stuff as FOSS (and therefore are worth supporting), but crucially you don’t want to be the point of technical support for when something doesn’t work for someone else. Self-hosting a password manager is an easier thing to do if you’re only doing it for yourself.
That said, I use a self-hosted Vaultwarden server as backup (i.e. I manually bring the server online and sync to my phone now and again), and my primary password manager is through Keepassxc, which is a completely separate and offline password manager program.
Edit: Forgot to mention, you can always start with free BitWarden and then export your data and delete your account if you decide to self-host.
that was my thinking too, if something happened to me I dont want all my wifes passwords to be locked out so I made her an admin on the account as well to be able to continue paying for the service or export her passwords
Vaultwarden has an “emergency access” feature so if something happens to me my wife can take over the account.
I also added the kids to our “organization” but didn’t give them write permissions to their passwords yet so they can’t accidentally change something.
I’m sure official bitwarden has those options too.
oh interesting Ill have to look into that! thank you
Bitwarden is dirt cheap. I can never host and be as reliable as they are for that price.
One little bonus for using Vaultwarden is that you get access to premium features for free. But still, I put availability much higher when it comes to password management, so I would go with paid Bitwarden. That is what I did before moving to Keepass.
The Bitwarden clients cache your data locally. So even if your Vaultwarden goes down, you’ll still be able to access your passwords. Just not sync new ones or make changes.
I second Vaultwarden, have been running it for a few years and even had a catastrophic host failure that I recovered from. was able to use the clients on both phone and laptop while building new host
There is a backup image you can run to take backups of the SQLite DB, used that a few times as the DB got tangled.
Also anything you host should have a good 3-2-1 backup strategy
I’d throw in option 3: use a KeePass2 database, sync it using whatever sync tool you like (SyncThing, iCloud, NextCloud, WebDAV, …) and use compatible apps (KeepassXC, Strongbox, etc.)
I migrated from KeePass2 as the the DB would get out of sync and need to be merged back together. Thats why I moved to Vaultwarden, I like having my data on my own stuff
I keep seeing people mentioning Syncthing with KeePass… I use both, but not together, between 3-4 different devices. I have a central Syncthing server to which all devices sync everything, but my KeePass database (keyfile & password protected is stored on Google Drive, in a G Suite Workspace account that I pay for. The keyfile is stored individually on each device that needs it, with a printed out copy (with instructions!) as a backup.
Would my keypass database survive Syncthing the way I have it setup?
I’m using Strongbox on iOS and macOS with iCloud Sync and never had any merge issue. Well, maybe once when I deliberately edited the same entry on two different devices. But during normal use, the sync and merge works great.
I roll it this way, been like this for years and years, fine for my needs
I had a similar dilemma and just went with bitwarden because I don’t trust myself not to fuck up. Bitwarden can’t access the passwords without my master pw (afaik) so I feel safe knowing that. I use it on all my devices so it gets synced there and even if the service is down, I have my passwords.
I’ll self host it when I reach the next level of paranoia.
add keepassxc to the list. I’ve avoided it for the longest times because I remember the horror that was the OG keepass. this is modern software, minimal footprint (miniscule compared to bitwarden’s electron crap), easy to use, the db is one file that’s easily syncthing-ed around, browser extensions, etc.
I have used the free Bitwarden now for untold years. It not only houses passwords for personal applications, I use it to keep track of my business account passwords as well. The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.
There is a certain level of trust for whatever option you choose. If you use Bitwarden free, then you have to trust that Bitwarden will keep your data is safe on their servers. If you self host, the onus of trust lies in you’re ability to secure your server, and to the extent that you trust your host as well. The latter option leaves me a bit queasy, so I do not selfhost my passwords in a selfhosted vault.
Others may have more trust in their security skills than I do. LOL There’s just a lot of sensitive data I have housed within Bitwarden free. Selfhosting it would keep me up at nights.
The only problem I’ve had with Bitwarden is their recent UI retool which ended up causing a huge ruckus among the user base to the point where they gave an option to switch back.
I think the new UI is pretty terrible. I didn’t know until you mentioned it, [email protected], that there was an option to revert. I can’t find it in the settings - how does one revert to the prior UI?
Ok so, I got a popup asking to adjust the Appearance in Settings (Windows/Firefox edition) a little while ago, it seems like it was a month or so ago. I have all the settings there ticked. However, I think what a lot of people who knew, went to their official GitHub and downloaded the previous version’s xpi and sideloaded it. You would have to untick auto updates. That way you can just go back to clicking on the entry in Bitwarden and that autofills instead of having to click the $@#%$$$ ‘Fill’ button. The only caution would be if they upgraded the security components in the new version, meaning the last version may or may not have the same security components baked in.
Yes, the new theme is absolute crap.
