Reevaluating my password management

Submitted ⁨⁨21⁩ ⁨hours⁩ ago⁩ by ⁨muusemuuse@sh.itjust.works⁩ to ⁨selfhosted@lemmy.world⁩

It never made sense to me to put password managers in the cloud. Regards to what you intend it to do, you’re making it accessible to a wider audience than necessary. And yet, I’m using iCloud. It’s time for a change.

I’m thinking of just running a locally hosted password manager on my home server and letting my devices sync with it somehow when I’m at home. I have a VPN into my home network when I’m away that automatically triggers when I leave the house, so even that’s not that big an issue, but I’m really not familiar with what’s gonna cleanly integrate with all my stuff and be easy to use. All I know is I wanna kill the cloud functionality of my setup.

I already have a jellyfish server so I figured I would just throw this onto that. Any suggestions?

source

Comments

Sort:hotnew top

lka1988@sh.itjust.works ⁨2⁩ ⁨hours⁩ ago
I use KeePass (Keepass2Android, KeePassXC, OG KeePass, and KeePassium) for everything. Been using KeePass in general for 20-ish years.

Recently, I decided to export all of my passwords from Firefox, Chrome, and Edge, import the data into my KeePass database under their own folders, then delete everything from the browsers. That way I can move entries that weren’t already in the database to their respective locations in the database hierarchy, delete duplicates, and change insecure passwords.

The database is hosted on my phones (work and personal), laptop, gaming PC, and a server at home, all synced with Syncthing. My work laptop also has Portable KeePass that accesses the database via WebDAV to my server.

source
- ClydapusGotwald@lemmy.world ⁨1⁩ ⁨hour⁩ ago
  This is what I did. Once Firefox did something and wiped my passwords from sync only way I got them back was I had an old laptop I didn’t use often that was synced to my account. Now I use keepass that’s saved locally and a backup on my nas & flashdrive.
  
  source
- Cyber@feddit.uk ⁨1⁩ ⁨hour⁩ ago
  This
  
  x10
  
  source
4k93n2@lemmy.zip ⁨2⁩ ⁨hours⁩ ago
if you need to share passwords with other people and do that often then that would be the only reason i would recommend a server-client based password manager. otherwise theres too many points of failure for my liking, especially for something that i use on a daily basis.

KeePass on the other hand is just a single file thats stored locally and all you need is an app to read it. you dont need an internet connection or a VPN to access it remotely. your wifi could be down, even your power could be out and you would still have access to your database

being able autofill desktop program logins was the main reason i switched away from bitwarden years ago

KeepassXC on desktop has a feature called “Autotype” which basically simulates keystrokes to fill in your passwords. theres also an option to integrate with the KeepassXC browser extension, but with Autotype your browser has no connection to your database at all. i kind of feel this is a huge elephant in the room that most other password managers just gloss over. sure, you are getting a lot more convenience by having your browser autofill your passwords but its also adding a huge attack surface just for the sake of a few seconds or a few clicks.

that said, Autotype isnt great at guessing all sites you might be trying to log into but there is this browser extension that will change your browsers window title to show the full site url which KeepassXC can then read

one really underrated feature that i dont see any of the others doing is giving you the ability to use multiple vaults at once. you can have one vault for things that are really important, then everything else in another vault and have different strength passwords/passphrases for each one. i have maybe 300 logins but only around 10% of them are important. its kind of a pain if all you want to do is just log into some random forum but you have to type a long secure master password just to open your vault

source
SanndyTheManndy@lemmy.world ⁨8⁩ ⁨hours⁩ ago
KeepassXC + Syncthing. Using for 2+ years no issues. Have separate database files for each device and merge them as needed.

source
- lka1988@sh.itjust.works ⁨2⁩ ⁨hours⁩ ago
  I do the same thing on my laptop and gaming PC. My only beef with KeePassXC is that they refuse to implement WebDAV, despite the OG KeePass having it. Otherwise it’s fantastic.
  
  source
halcyoncmdr@lemmy.world ⁨7⁩ ⁨hours⁩ ago
I switched to Bitwarden after the LastPass stuff a couple years ago, and I just got around to installing Vaultwarden on my TrueNAS system at home. Using a single Cloudflare Tunnel to handle secure external connections for that and other services like Emby easily. Took a little bit to setup following some guides, but has been working flawlessly for me and some friends. You can use the regular Bitwarden apps and extensions since they natively support self hosting.

source
irmadlad@lemmy.world ⁨8⁩ ⁨hours⁩ ago
I look at it like this:

I don’t absolutely trust the security of my server. Sure, it hasn’t had a breach…yet, but that possibility is inevitable, given the amount of bots that keep trying to get in by the minute. It’s secure, yes, but is it secure enough to entrust the keys to my bank account, my business ventures, et al? IF somebody got the key to my Lemmy account, it would be bothersome, but not cataclysmic since all online accounts are silo’d with only a couple that are linked.

Bitwarden spent a lot of time and money building a large infrastructure that is, imho, far more secure than my little server. Bitwarden has a pretty good track record. They have had some vulnerabilities, even as recent as '23 but these have been remediated.

Confirmation bias…I’ve been using Bitwarden for untold years now and have never had an issue, other than the recent UI theming schema that was so castigated by users that they offered a way to switch back.

While hosting my own password manager would fit right in with the rest of my selfhosting, I think sometimes it’s better to defer to more secure options when dealing with highly sensitive data.
source
Takahe@lemmy.nz ⁨20⁩ ⁨hours⁩ ago
I use keepass (KeepassXC on desktop, KeepassDX on Android but I’m sure there is an IOS client too) I sync the database between all my devices and my server (hub and spoke) with Syncthing

source
- GreatBlueHeron@piefed.ca ⁨20⁩ ⁨hours⁩ ago
  I've been using various versions of keepass for ever. Until recently I had the database on Google drive. It's sync'd with syncthing. It's a bit "different", but once you get used to it, it works very well.
  
  source
- alienscience@programming.dev ⁨17⁩ ⁨hours⁩ ago
  I also use KeepassXC and Synthing together and I am very happy with this combination.
  
  One tip that I have, if you are worried about the security of the database file being shared, is to get 2 Yubikeys and use these, along with a strong passphrase, to protect the database file.
  
  source
  - 4k93n2@lemmy.zip ⁨8⁩ ⁨hours⁩ ago
    theres also the option of using a “key file” with Keepass, which can be any file, an mp3, an ebook or whatever, and then you select that file when youre entering your password. so as well as someone trying to brute force your password they also have to guess what key file youre using, which would be next to impossible if you had a folder full of hundreds of files
    
    source
  - Witziger_Waschbaer@feddit.org ⁨15⁩ ⁨hours⁩ ago
    Same boat for me, works great! I got the NFC Yubikeys which work fine with Android.
    
    source
- Takios@discuss.tchncs.de ⁨17⁩ ⁨hours⁩ ago
  Been usingthe same setup for years as well and Im happy with it, never had any issues with it
  
  source
AtariDump@lemmy.world ⁨20⁩ ⁨hours⁩ ago
Is the data super important to you?

Let someone else host it.

Bitwarden in the cloud.

source
- Engywuck@lemmy.zip ⁨19⁩ ⁨hours⁩ ago
  Agreed. Unless your setup and security practices is flawless, I think passwords are better managed by specialists paid for it.
  
  source
- tmpod@lemmy.pt ⁨8⁩ ⁨hours⁩ ago
  This. And to add to what other commenters have said, by using Bitwarden and paying for their Premium plan (very cheap, just $10/month), even if you don’t use all their features, you’re supporting a good project. It’s critical infrastructure, I think the price is more than fair.
  Either way, you should always make periodic backups from any cloud service you use, encrypted of course.
  
  source
  - Waryle@jlai.lu ⁨50⁩ ⁨minutes⁩ ago
    
    just $10/~~month~~ year
    
    source
- prettygorgeous@aussie.zone ⁨19⁩ ⁨hours⁩ ago
  This is how I view password managers too, even though I have my home server backing up
  
  source
- WQMan@lemmy.ml ⁨17⁩ ⁨hours⁩ ago
  +1 to this; Time spent on your setup is an important factor too.
  
  The most important your data is, the more time you are going to need to spend maintaining your system to ensure security, backups and fail-overs. Not everyone has luxurious amount of time to spend on their home-lab everyday.
  
  source
  - IsoKiero@sopuli.xyz ⁨15⁩ ⁨hours⁩ ago
    I did self-host bitwarden and it’s not that bad to keep updated and running after initial setup (including backups obviously) but it still requires some time and effort to keep it running. And as I was the only user for the service it just wasn’t worth the time spent for me (YMMV) so I switched to their EU servers and I’ve been a happy user ever since.
    
    What I should do is to improve local backps on that, currently I just export my data every now and then manually to a secured storage, but doing it manually means that there’s often too long time between exports.
    
    source
radar@programming.dev ⁨11⁩ ⁨hours⁩ ago
I use GNU pass synced through an internal Gitea. Have wireguard to sync remotely. Works pretty good, I would recommend not setting an expiration on the key, the got history keeps the old encryption anyways.

source
- user8N2elyIDTP3L@lemm.ee ⁨8⁩ ⁨hours⁩ ago
  This is the way to go… though I’ve moved from pass to go pass which is basically the same thing but written in go and looks to be better maintained… also moved from gitea to forgejo since I think gitea has had some maintainer changes over the last couple of years that may not have been in the spirit of remaining fully FOSS
  
  source
kowcop@aussie.zone ⁨19⁩ ⁨hours⁩ ago
I don’t really see the problem with having the password manager in the cloud if it is protected by 2FA. I tried vaultwarden (self hosted) about a year ago and the showstopper was that I couldn’t store a new password when off LAN or without first connecting the VPN. I am sure there are on demand vpn type services, but it was clunky. It would have been great it if would work locally on the phone then sync the password to the vault when it came back online

source
Tramort@programming.dev ⁨6⁩ ⁨hours⁩ ago
Sandpass on sandstorm

It’s dated, but phenomenal (and secure)

source
the_abecedarian@piefed.social ⁨20⁩ ⁨hours⁩ ago
Seafile or nextcloud

source
mbirth@lemmy.ml ⁨20⁩ ⁨hours⁩ ago
If you’re happy with how Apple Password works for you, I can recommend StrongBox. It keeps all data in a KeePass2 database and integrates into Apple’s AutoFill API. That means it feels almost native when using it. No browser plugin needed. (At least not for Safari.) And you can decide how you sync the database file.

source
4am@lemmy.zip ⁨19⁩ ⁨hours⁩ ago
Self hosting a password manager is great, but be sure to read up on keeping it secure, and don’t store anything important in it until you have working, tested backup solution. And re-test it frequently in a non-destructive way.

If you lose your password storage to a disk failure or something, you’re gonna be hurting for a while.

source
ohwhatfollyisman@lemmy.world ⁨20⁩ ⁨hours⁩ ago
i have keepass on only one device. i don’t mind looking up individual passwords and typing them in manually when on other devices.

on the device which hosts keepass, the app is hidden and hoops must be jumped to reach it.

i back up the encrypted password database once a month to a cloud service as insurance against me losing that one device.

it’s not the most convenient setup but i sleep so much easier for it.

source
- 4k93n2@lemmy.zip ⁨7⁩ ⁨hours⁩ ago
  using passphrases instead of passwords can make this a lot easier as well. a lot of times i just glance at a passphrase on my phone and then type the whole thing in one go into my laptop
  
  source
aksdb@lemmy.world ⁨17⁩ ⁨hours⁩ ago
If you don’t have a hard requirement of it being fully (!) OpenSource, then I would recommend Enpass. Relatively pleasing UI that runs native on Win, Mac, Linux, Android and iOS. It has browser plugins for Chrome and Firefox that talk directly to the running fat client (so no multiple authentication with different browsers necessary).

The password db is completely local, but it offeres several sync mechanisms like WebDAV or Dropbox or also iCloud; basically whatever can store files. If it’s a NAS in your home, it simply will sync once you are back home.

It also offers “WiFi Sync”, in which case you designate one machine running Enpass as the server and link other clients to it, then you don’t even need to run a separate hosting for it (but that machine needs to be on and running Enpass when you want to sync, obviously).

It’s basically a less open but much more convenient and beautiful KeePass(XC).

source
- glitching@lemmy.ml ⁨17⁩ ⁨hours⁩ ago
  I used enpass for years and was a happy user. one day it prompted me for some re-authentication bullshit security theater. although in that instant it was an easy task, took me all of 10 seconds, it demonstrated a scary amount of power they had as I couldn’t bypass it and access my data. from that point on, its days were numbered.
  
  the second issue is the export functionality that was seriously lacking and I had to resort to 3rd party converter tools to convert it to keepassXC; no way that flew by their QC, it had to be intentional.
  
  source
  - aksdb@lemmy.world ⁨14⁩ ⁨hours⁩ ago
    On mobile I indeed also had that issue once. However I made sure they can’t lock me out completely. The db is stored using the opensource sqlcipher, so one can open it and extract everything manually, if absolutely necessary. As long as they don’t change this, I am fine. In the worst case that would still be a lot of effort for me, but not impossible.
    
    The export has also improved a lot. You can now also export to JSON which includes all the data one could need.
    
    source
Nibodhika@lemmy.world ⁨17⁩ ⁨hours⁩ ago
It’s strange how I never see this mentioned anywhere, but there’s a way to get unique secure passwords for every site/app without needing to store them anywhere. It’s called LessPass, and essentially generates passwords based on 3 fields (site, username, master password) and works relatively well, because the advantages are quite obvious I’ll list the potential downsides:

If one password is compromised or needs changing for whatever reason you need to increase a counter and need to remember which counter for which site (this is less problematic than it sounds, except in places that have a password policy that forces you to change your password periodically)

Android can store the master password and use fingerprint to input it, but in PC you always have to type your master password which can get annoying.

You need to change your passwords to this new format, which can take a while, and years down the line you’re trying to login somewhere and don’t remember if you’ve already migrated it or not.
source
- MimicJar@lemmy.world ⁨16⁩ ⁨hours⁩ ago
  You also have to keep track the site and how you spell it. For example is it “Microsoft” or “microsoft”?
  
  And keep track of the current name of the site vs the old name. For example am I signing into Microsoft or Live.com or Xbox?
  
  And keep track of my username. Is it my email? Which email? Which username?
  
  I understand the concept but I think if falls apart fast.
  
  source
  - Nibodhika@lemmy.world ⁨15⁩ ⁨hours⁩ ago
    Yup, but most of that is easily solvable by being consistent, e.g. always use lowercase and your email (even if it’s not the login for that site). But yes, you need to know to be consistent so it’s a good point to make.
    
    source
    -> View More Comments