I pay Bitwarden the tenner a year as I have no reason to distrust them and they're definitely providing a more reliable, securer service than I can self-host.
I also do an encrypted export once per week and store that export to an encrypted cloud based service and an encrypted USB stick. Takes 2 minutes.
If a FOSS project provides easy self hosting but also a paid hosting I usually go for that to support the project and gain something at the same time. Not only for password managers but any service.
Bitwarden's free version is enough for my purposes, but I didn't realize they had a $10/yr plan. That seems worth paying for, I'll have to look into it.
I selfhost vault warden, and in all honesty, it's just painless. I do reverse proxy it, but you could also just setup wireguard or Tailscale at home and keep it even more secure that way.
The reason I chose to selfhost is because I want to be in as much control as possible of my data. I chose Vault warden because it's fully featured and super easy to deploy the server, ridiculously so.
Now,if anyone was to ask me if they should selfhost Bitwarden or just use their hosted service, I'd suggest to take the second option, for 2 reasons:
1.- it's even easier and just works 2.- if you choose the paid tier it has some nice features and you help the project stay alive
I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.
If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.
Do you recall the rational for 1password?
I can imagine the enterprise/business options are better than bitwarden but as an individual user I don't need that and would only have the individual plan. It's a little over twice the price of BitWarden and while every company I've worked at in recent years has had 1password i don't see it mentioned on here anywhere near as often as BitWarden.
I self host Bitwarden and it's free to self host. You only have to pay for a license if you need multiple users or want to use their cloud services, I believe. My instance is 100% self hosted and completely isolated from the internet, and it works fine.
I self host it because I self host everything, but for credential managers I would never trust any 3rd party closed source utility or cloud service. Before I used a password manager I tracked them all manually with a text file and a TrueCrypt volume. I think giving unrelated credentials to 3rd parties is asking for trouble - they definitely don't care as much about them as you do!
If you're going to self host any credential manager, make sure you have an appropriate backup strategy, and make sure you have at least one client synced regularly so that you can still access passwords if the server itself dies for some reason.
You only have to pay for a license if you need multiple users or want to use their cloud services, I believe.
AFAIK you can have multiple users for free when self-hosting, and the features are essentially the same as the free hosted version. You need to pay if you want to get the premium features or share passwords across multiple users using an organization. Essentially the pricing is the same as the hosted version.
I'd recommend Vaultwarden for a small-scale self-hosted solution. It's not Bitwarden, but it's fully API-compatible so you can use all the Bitwarden clients and browser extensions. Self-hosted Bitwarden is quite a bit heavier than Vaultwarden since it's designed for large-scale usage (like for an entire company of tens of thousands of people)
I recommend against hosting a password manager yourself.
The main reason is self hosted systems require maintenance to patch vulnerabilities. While it's true that you won't be on the main list if e.g. bitwarden gets hacked, your data could still be obtained or ransomed by a scripted attack looking for e.g. vulnerable VaultWarden servers (or even just vulnerable servers in general).
Using professional hosting means just that, professional hosting with people who's full time job is running those systems and keeping people that aren't supposed to be there out.
Plus, you always have the encryption of the binary blob itself to fall back on (which if you've got a good password is a serious barrier to entry that buys you a lot of time). Additionally vaults are encrypted with symmetric crypto which is not vulnerable to quantum computing, so even in that case your data is reasonably safe... And mixed in with a lot of other data that's likely higher priority to target.
I access my Vaultwarden server via Cloudflared tunnel while I'm away from home network.
You'll learn pretty quickly that a large chunk of self-hosting people are the types that are just terrified of having things be outside their control, which by extension means they are terrified of other people that aren't them running infrastructure. 🫠
I switched from Lastpass to 1Pass and it was pretty miserable. I then swtiched to Bitwarden. It's not perfect, but it's better than LP and 1Pass.
The reason you'd want to self-host is so that nobody has access to your data but you. "The cloud" is just someone elses computer"
I self host services as much as possible for multiple reasons; learning, staying up to date with so many technologies with hands on experience, and security / peace of mind. Knowing my 3-2-1 backup solution is backing my entire infrastructure helps greatly in feeling less pressured to provide my data to unknown entities no matter how trustworthy, as well as the peace of mind in knowing I have control over every step of the process and how to troubleshoot and fix problems. I’m not an expert and rely heavily on online resources to help get me to a comfortable spot but I also don’t feel helpless when something breaks.
If the choice is to trust an encrypted backup of all my sensitive passwords, passkeys, and recovery information on someone else’s server or have to restore a machine, container, vm, etc. from a backup due to critical failures, I’ll choose the second one because no matter how encrypted something is someone somewhere will be able to break it with time. I don’t care if accelerated and quantum encryption will take millennia to break. Not having that payload out in the wild at all is the only way to prevent it being cracked.
Lots of people like and recommend Bitwarden. I think followed by KeePass on second place.
I self-host stuff because I can, because I learn something while doing it and it gives me control. And I'm running that server anyways, so I might as well install one more service on it. If you don't want to spend your time managing and maintaining servers and services, go for the official (paid) service. That'll do, too.
If you're worried about your internet connection going down, either use a VPS in a datacenter or just use software that syncs to your devices. I think Bitwarden does that, your passwords will be available without an internet connection to your server. They just won't get synced until the server is reachable again.
Thanks, I did consider the syncing would be fine. But if the reason to do it is just hobbying then I'll pass, I have too many hobbies at this point and managing what I'm already hosting is giving me enough of a scratch for that itch
I run vaultwarden in a docker container and I can't say I've touched it since then. Its as much maintenance as all the other services I run. Reboot the server quarterly to make sure patches are applied. Docker containers patch nightly.
Sure. I think there are some areas where self-hosting is kinda mandatory because other solutions don't fulfill my requirements. But I don't think a password manager is part of that. It stores the passwords encrypted in the cloud anyways, $0-$10 a year isn't much and I think Bitwarden has a good track record and you'll be supporting them. Self-hosting is a nice hobby and I think integral part of a free and democratic culture on the internet. But it doesn't have to be every tiny tool and everyone. Do it if you like, otherwise it's fine if you support open source projects by paying a fair price if you want convenience and they offer a good hosted service.
Appreciate the input - that's exactly where my heads at right now. Didn't expect so many answers - really glad I asked, been very interesting reading different folks views on this.
you become fully in charge of your passwords instead of relying on someone else
TL;DR:
Is there an easy way to export passwords from LastPass to another service, self-hosted or otherwise? I’ve been wanting to move away from my current manager but have been reluctant due to this.
Yes. It has been a while since I moved (whenever the first breach was), but I exported from lastpass and imported to Bitwarden with minimal issue, I think I had to add a column.
Why not a piece of hardware instead of self hosting, cloud hosting, etc?
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!