Okay so yesterday, I changed my password as a precaution because of the hack, and just now I decided to clean my browser tabs and re login and almost forgot my password. I’m done dealing with passwords.
What password manager do you recommend?
Features I’m looking for
-Open Source
-Can be synced to cloud (I don’t want self host)
-Can be accessed via a browser
-Cross platform, the more platforms, the better
-End to End Encrypted, and Encrypted at rest on my device, also need some way to authenticate before releasing the password, like a pin or biometrics
-Autofill for browser and apps
-Free (can be a freemium model, but I need the base tier to be free, too broke to spend money on this lol)
-Can export the passwords to a file
I never used a password manager before so sorry if I seem like a noob.
I know I could google it, but I want the lastest info, not some outdated reddit post.
Edit: Woah, those replies are fast. I think I’ll use Bitwarden. Thanks for recommendations! Now I don’t need to worry about forgetting passwords anymore. 😄
Edit 2: It seems I’ve forgotten my email password as well as a few other accounts I haven’t logged into for a while. Damn, should’ve used a password manager earlier.
Bitwarden, self hosted.
+1 for Bitwarden here. One day I will go down the self-hosted route.
I have the server, just dont trust myself enough to cut the cord from BW servers.
I’ve put Vaultwarden online and have configured it to backup over the network through duplicity. Updates are automatic (I have a cronjob that just does docker pull/stop/rm/run without checking the error codes). No downtime so far!
It’s been a while since I’ve used the official Bitwarden server, but Vaultwarden is pretty much foolproof. It’s one of the easiest programs to self-host that I’ve come across.
Ah, you like living on the edge 😛
I don’t trust automated Docker updates… There can be breaking changes between versions. I don’t want my Docker containers to automatically break themselves :D
It’s a testament to Vaultwarden’s update policies, not to my amazing server practices!
You’re right that this is a terrible idea and it will inevitably bite me in the ass, but keeping up to date with a dozen of self hosted services is a faff and I’ll accept the 15 minutes of docker fuckery to revert the updates if it means I don’t need to remind myself to perform server maintenance.
Yeah, there’s a lot to be said for letting the hosting be done by people who know what they’re doing.
If I may, what are the requirements to make it self hosted?
The official Bitwarden server: 2-4GB of RAM, mostly because of the SQL server and all of the separate containers. Probably at least two CPU cores to prevent one process from lagging everything out. 12-24GB of storage.
For Vaultwarden, the Rust reimplementation of the backend server: I don’t know, about 128MB of RAM? It’s using about 40MB of RAM on my server. It’s using about a minute of CPU time per hour for my install. Storage requirements are “the size of the docker container plus some database files”.
Both: a TLS certificate (Let’s Encrypt) and as much free space as you plan on sending through their encrypted file sharing service. Also the storage and configuration for your automated backups, of course.
Vaultwarden isn’t audited and it takes longer to get all of the features because it’s a hobby project and not an enterprise company. Bitwarden is set up to easily scale to whole company/whole enterprise usage. Vaultwarden is set up for “you and your family” scale which probably works fine for larger scales but I don’t think it’s set up for it out of the box.
@skullgiver @speaker_hat I’m considering spinning up a VW server right now. Thanks for laying out the reqs!
How do you make the sever available via the Internet? Do you host it on a cloud provider (e.g. AWS EC2)? or do you self host on your own bare metal machine?
You can just open a port in the firewall/port forward a local server if your home ISP isn’t shit. If it is shit, you can run it in the cloud somewhere. I wouldn’t go with Amazon, they’re terribly expensive for hobby projects (who needs multi zone failover for a personal hobby project), any $5 VPS provider will do. Just make sure to install updates automatically so you don’t need to keep a close eye on maintenance and you should be golden.
Alternatively, if you don’t want to expose your server to the internet, you can set up a VPN server on your cloud server and only expose the password manager to your VPN. Wireguard is relatively simple to set up for this purpose, but tailscale (and whatever the self-hosted tailscale server is called) makes things even easier.
A cheap <$20/year VPS is sufficient to host Vaultwarden. No need to spend several times that. My Vaultwarden installation is only using 120MB RAM, so a 1GB RAM VPS would be more than sufficient. Take a look at RackNerd, HostHatch, GreenCloudVPS, and the other top providers on LowEndTalk. RackNerd’s latest sale has a VPS plan with 1GB RAM and 14GB SSD storage for $11.38/year: https://lowendtalk.com/discussion/186994/boom-boom-4th-of-july-deals-come-come-deals-freebies-by-racknerd, but I’d personally go with the 4GB RAM and 75GB disk for $47.88/year, since self-hosting is addictive and you’ll find plenty of other stuff you want to host.
(I’m not affiliated with any of these companies)
I would trust the absolute bottom of the barrel services with unimportant things like blogs, but I don’t want my password manager to be hosted there. It just feels too sketchy to me.
Given the prices of these VPSes, you could get two or three with different providers and have a warm standby in case of any issues.
RackNerd is legit though - a real company with a physical office. I’ve had some VPSes with them in the past, and only got rid of them because I wanted to consolidate a few things.
Look up “Vaultwarden”