166
Why self host a password manager?
(programming.dev)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 08 Oct 2024
166 points (96.6% liked)
Selfhosted
40183 readers
466 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
A couple of questions
How do you store a driver's license in Bitwarden? Last time I checked they didn't support file storage. Do you just put it in the cloud storage?
Considering Bitwarden is E2EE, what would be the benefit of storing it at another company in case they are hacked?
Storing Drivers Licence: Was answered elsewhere. Bottom line… Bitwarden seems like it can store other types of data. Note that I don’t use Bitwarden yet, but have experience with Enpass and 1Pass, both of which can store all sorts of data.
Why separate storage if Bitwarden is E2EE? You are placing all your trust in a single organization - Bitwarden. If they get hacked, then it is possible for the hackers to poison their software to deliver master passwords (hacks of s/w repositories has happened). I prefer to separate encryption from storage so a hack in both is required to get my data. Note that I do the same for offsite backups to Glacier/S3. I use Arq to do the backup and encrypt the files, then send them to S3 for storage.
The 2023 IBM Report on Cost of Data Breeches indicated that the average time for a company to discover a breech is about 200 days, and on average another 70 days to remediate. That keeps me up at night in my day job as security dude.
I didn't really consider the possibility of the client being compromised yet, good point.
Lastpass was hacked and might have lost control of some data https://blog.lastpass.com/posts/2022/12/notice-of-security-incident
1Pass hasn’t been hacked directly, but they were affected by the Okta https://blog.1password.com/okta-incident/
(One of the most common vectors for hacks is through your vendors - see Target https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/)
Dropbox had an unauthorized access, but the seemed on top of it. https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign
Dropbox also has had a more significant data breech, but a while ago. https://www.twingate.com/blog/tips/dropbox-data-breach#
Overview of all password manager breeches! https://bestreviews.net/which-password-managers-have-been-hacked/
They do support file storage. I've been using that for years for storing small files related to certain accounts an such.
Good to know, thanks. I haven’t actually started looking for the Enpass replacement yet, but it sounds like Bitwarden will be a lead contender.
I've apparently been missing this button for several years. Thanks!