Not sure I understand why you’d want to self host a password manager. Bitwarden has never been breached AFAIK. How is it better or safer to keep if self hosted?

  • charmstrong70@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Bitwarden has never been breached AFAIK.

    What you mean is it hasn’t been breached *yet*.

    All commercial password managers have a huge, fuck off, target on their backs

    Nobody is going to come after some random blokes self-hosted password manager to get access to their Sonarr (I’m trivialising to make the point) as long as if a similar effort would get them into Bitwarden.

    It’s the same principal as bears in the wood - nobody needs to outrun a bear, just your companion

    • Trashrascall@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      OK, thanks for the solid answer. I suppose the core of my question was that pretty much: is it just as secure AND a less likely target than bitwarden. That makes a lot of sense to me. I would probably still worry about the strength of the code , though. Do we know if/how it’s been audited?

      • charmstrong70@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        OK, thanks for the solid answer. I suppose the core of my question was that pretty much: is it just as secure AND a less likely target than bitwarden. That makes a lot of sense to me. I would probably still worry about the strength of the code , though. Do we know if/how it’s been audited?

        I mean, your best having a look at the official Git but, i’d say, access/visibility is the most important.

        Is it on your LAN/not open then even if it was less secure, it’d still be more secure if you know what I mean.

        I host mine on a VPS but it’s behind traefik with authelia (and 2FA). Plan is to get fail2ban setup over the next couple of evenings. SSH is cert only, probably going to change the port too but not sure if that’s really necessary. I’m comfortable exposing on that basis.

          • GeminiKoil@alien.topB
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            What is a tar pit do? Does it maintain logs of people trying to access or something? Sorry I’m not very knowledgeable about this.

            • DubDubz@alien.topB
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              It responds glacially slowly to login attempts, which means the bot trying to automatically break into random servers it crawls to gets stuck trying to login. Thus a tarpit.

      • macrowe777@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        The code is as good as bitwardens, and even better, everyone can see the code to review it’s vulnerabilities and fix them.

        What is a major factor is you’re far less likely to be of interest to a hacker. So whilst crunching numbers to crack bitwarden encryption may make some sense…it makes absolutely zero sense to spend that time to hack mine.

        • Trashrascall@alien.topOPB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Yeah it sounds pretty appealing. I think I’ll make the switch when my bitwarden sub runs out

        • cryptobots@alien.topB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Have there been audits if vaultearden code? Or comparison with bitwarden code? Otherwise I am curious on what do you base that code is as good as bitwarden?