I am looking into password managers, as the number of my accounts is increasing. Currently I am weighing two options:
- Host Vaultwarden on a VPS, or
- Use the free bitwarden service.
I want to know how they are in practical aspects.
While I am fine self-hosting many services, password managers seem to be one of the most critical services that should not admit downtime. I surely cannot keep it up, as I need to update it from time to time.
On the other hand, using bitwarden might require some level of trust. How much should I trust the company to use the free service? How do I know if my passwords would be safe, not being exposed to the wide net?
I want to gauge the pros and cons; are there aspects I missed? What are your opinions on this? If you are self-hosting Vaultwarden, how do you manage the downtime? Thanks in advance!
Vaultwarden allows a bit of downtime; the vault is cached by the clients.
When the server is not reachable, no writes are allowed.
The bitwarden vaults themselves are encrypted with your password. So I’m not sure what there is to not trust with bitwarden, as even if files were stolen, they are encrypted so they’re largely useless.
I pay for bitwarden premium because it supports the development of a good open source project.
Edit: fixed phrasing given the suggestion below
It’s important to specify that the items are encrypted using a key derived from your password, so Bitwarden themselves don’t have access to your passwords even if they wanted to.
Since they handle redundancy and backups I think it’s fine staying with them (+ great product)
This. I love self hosting services, but anything that I 100% can’t live without isn’t one of them. Because I don’t have the funds for proper redundancy/high availability, and my backup practices at home are… Not ideal. I’ve had a couple brushes with data loss due to gaps in backups, lack of monitoring for impending hardware failures, and had 2 disks suddenly die together in a raid array, all in over a decade of self hosting.
I have cold backups of most of my critical services, but they’re not nearly regular enough for me to trust my passwords to myself.
I enjoy self hosting, but what tipped the scales for me in favor of using Bitwarden’s servers is that I’m 100% confident I’m not as good at hardening my system from being compromised as they are. The vault is going to be encrypted anyway, and I think there’s a lower chance of it falling into the wrong hands if it’s hosted with Bitwarden. Same reason I don’t self-host email.
Plus Bitwarden is a cool company and the product is open source, and the premium features are unreasonably low priced.
One little bonus for using Vaultwarden is that you get access to premium features for free. But still, I put availability much higher when it comes to password management, so I would go with paid Bitwarden. That is what I did before moving to Keepass.
I second Vaultwarden. I have been running it for a few years and even had a catastrophic host failure that I recovered from. I was able to use the clients on both phone and laptop while building the new host.
There is a backup image you can run to take backups of the SQLite DB; I used that a few times as the DB got tangled.
Also anything you host should have a good 3-2-1 backup strategy
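An added example of the backup point above (not the commenter's backup image or Vaultwarden's own tooling): snapshot the SQLite DB with SQLite's online backup API while the server is running, refuse to keep any copy that fails `PRAGMA integrity_check`, and rotate old copies. The paths and the `ciphers` table used here are constructed placeholders, not Vaultwarden's real layout.

```python
# Added example (not Vaultwarden's own backup image): consistent SQLite snapshot
# with integrity check and rotation. Paths and the ciphers table are constructed.
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

def _ro(db_path: Path) -> sqlite3.Connection:
    """Open read-only so the backup job can never modify the live vault."""
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)

def integrity_ok(db_path: Path) -> bool:
    """True only if SQLite's own consistency check reports a single 'ok'."""
    with closing(_ro(db_path)) as conn:
        return conn.execute("PRAGMA integrity_check").fetchall() == [("ok",)]

def backup_sqlite(db_path: Path, dest: Path) -> Path:
    """Snapshot via the online backup API (consistent even while the server
    is writing, unlike a plain cp of the file), then verify the copy."""
    dest.parent.mkdir(parents=True, exist_ok=True)
    with closing(_ro(db_path)) as src, closing(sqlite3.connect(dest)) as dst:
        src.backup(dst)
    if not integrity_ok(dest):
        dest.unlink()  # never keep a copy that would not restore cleanly
        raise RuntimeError(f"{dest} failed integrity_check")
    return dest

def prune(backup_dir: Path, keep: int) -> list[Path]:
    """Retain the newest `keep` backups (names sort chronologically)."""
    backups = sorted(backup_dir.glob("db-*.sqlite3"))
    removed = backups[:max(len(backups) - keep, 0)]
    for p in removed:
        p.unlink()
    return removed

def run_demo() -> dict:
    """Constructed sample: tiny DB, two backups, prune to one. Touches no
    real Vaultwarden instance; 'ciphers' is only a stand-in table."""
    root = Path(tempfile.mkdtemp())
    live = root / "db.sqlite3"
    with closing(sqlite3.connect(live)) as conn, conn:
        conn.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        conn.execute("INSERT INTO ciphers VALUES ('c1', 'ciphertext-blob')")
    backup_sqlite(live, root / "backups" / "db-001.sqlite3")
    second = backup_sqlite(live, root / "backups" / "db-002.sqlite3")
    removed = prune(root / "backups", keep=1)
    with closing(_ro(second)) as conn:
        rows = conn.execute("SELECT COUNT(*) FROM ciphers").fetchone()[0]
    return {"removed": [p.name for p in removed],
            "rows_in_backup": rows, "second_ok": integrity_ok(second)}
```

Shipping the verified copy off-host (the "1" in 3-2-1) is left to whatever transport you already use for other services.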
Just a PSA for anybody reading the thread, though it doesn’t really help with the question at hand… On the very slim chance that your workplace uses Bitwarden Enterprise it’s worth knowing that every licensed user gets a free family plan that can be tied to an existing personal account, provided it’s hosted in the same region.
We do use it but very few of our own users are even aware of the perk so I like to spread it around when I get the chance!