The peace of mind in having all your sensitive data under your control is totally worth it.
I used to have some illusions that "if I self host, I am in control", and "if I don't connect my home infra to the internet, I am safe". Later I realized neither is true.
I can't trust all the consumer grade devices in my network, I don't trust a software just because it is open source. And I don't have time to keep up with all the security patches and do security auditing / vulnerability scan routinely...etc.
It is fine to self host hobby stuff for fun, but professionally managing sensitive data is a full time job.
An attacker can justify allocating a lot of resource to pwn bitwarden.com. If you manage to break into the vaults you're bound to find something juicy, just because of how large the target is.
Or you could decide to pwn me. Figure out where my bitwarden is hosted, what my config looks like, what mistakes I might have made setting it up, then maybe find a way in. Then it's just the start, since the passwords are encrypted on disk, so at best you have access to an encrypted sqlite database. Now you need to find a way to get me to leak my vault key. Maybe I sometimes use the web interface? Maybe not. Who knows.
After all of that you may realize that all of my passwords are either not super important or require some form of 2FA, therefore wasting your time.
But hey, you can log into my hacker news account!
Security through irrelevancy.
If you want to really get paranoid, pass it all through wireguard or ssh tunnels, but for bitwarden at least it's all client side encrypted anyways, you could probably run it on a very out of date system without issue.
The situation with Bitwarden is a bit different though. Secrets are encrypted on the clients, the server never sees decrypted data.
Personally I think hosting the server locally doesn't give much benefit because I'm more likely to screw things up than Bitwarden is on that front.
For example, one day a malicious maintainer could flip a switch that simply updates the docker image to send thousands of peoples’ entire vault somewhere and then disappear, no?
Btw the "custom server" setting is a bit hidden, it is behind the cogwheel in the upper left in most cases.
But that said, it is by far the best product despite this.
For personal, Bitwarden is much better. Browser plugins just work, android auto fill just works, passwords synchronized across devices, support for auto filling payment information. 2FA support.
bitwarden_rs bundles the upstream JS in its default containers, so it's the same code that you'd be running from bitwarden.com
I do see advantage of being cloud based as a way to avoid database conflicts (in my case 3 windows machines + mobile), but I wonder what can surprise me here. Is bitwarden's browser integration similar to KeepassXC (Keepass helper + KeepasXC-browser)?
Long story short - we use official Bitwarden and are paying for it and couldn't be happier. Bitwarden_RS looks like a cool toy, but I can't see any reason why anyone would run it. It's good for personal passwords, but Bitwarden itself offers free service so there's no need to venture down the self-hosted road.
[1]: Note that the Bitwarden desktop client has a major remote code execution vulnerability that the developer has closed WONTFIX, so I don't recommend running the stock one without patching that out (as well as the spyware they embed in it).
I can assume you are referring to... the automatic updater? https://github.com/bitwarden/desktop/issues/552
Edit: Noting that there have been discussions about the default number of iterations. https://github.com/bitwarden/jslib/issues/52
You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.
1) if you worry about people replacing the docker image you are using, build your own. It's not hard. Alternatively, use a specific version of the docker image by specifying the version or the hash (if you are really paranoid). Of course after you review the Dockerfile. Minimum at least glance through the Dockerfile.
2) bitwarden has import/export functionality (client side) so if your server disappears for whatever reason, you can still export your passwords from the client side.
3) if you don't trust the OSS code, audit it or at least look through it. That's the whole point of OSS. Build it from source if you must. File bugs. Look at the issue tracker. You can choose not to but if something happens it's your problem; not somebody else's problem.
4) The vault is encrypted and the server never handles or sees the decrypted content (see 3 to verify this). Other people's ability to break that encryption depends on you using a secure master password.
5) Or just pay Bitwarden to host passwords for you and rely on their terms of use, SLAs, support, good reputation, and what not. That's probably the best option if you want ass coverage for professional usage. Their pricing is very reasonable for small setups. And probably sharing passwords with a large group of users is just a spectacularly bad idea to begin with. A couple of key users, should cost you max 20/month. Not really worth dedicating devops time for self hosting unless you have a really good reason to. If you do, see 1-4.
Thats an outright fantasy, every day I rely on like 50 pieces of software written in 20 different languages and frameworks. They are updated multiple times a month. How many man hours would it take? 1000 a week?
Proffesional developers couldn't find heartbleed for years, you really think anyone would notice a hidden backdoor in software like this withing a year?
Unless you review the source code of everything you use, and compile it yourself, there’s always that risk.
What prevents Postgres mainteners to just still all your DB ? Nginx mainteners to redirect your web traffic ?
Ultimately, it boils down to a balance between trust in the author, the community or your own checking process.
Also this is only a risk if you use the provided Web vault. If you use the desktop, mobile or browser extension clients, it would require both Bitwarden LLC and dani garcia to conspire against you as the server doesn't control code those clients run and the API only provides it data in encrypted format.
Finally, if you're that worried you can pin the container version by hash and only update when you are confident in the new version
It's not fair to single out just Bitwarden IMO.
The real threat is that someone takes control of the bitwarden browser extension and pushes a malicious update.
That's why I don't use any KeePass extensions. I just don't trust browser enough to be able to get any of my passwords.
I'm thinking about writing my own extension which will communicate with KeePass in a way that suits me (basically: when I'm pressing button in browser, it'll popup KeePass window with search field filled with server domain. Then I can either auto-type password from KeePass or copy it to clipboard, either way I'm only using KeePass and browser extension have no way to get any information.
Then when you log into somewhere add another secret (which you keep in your head) to the end of the password you stored in Bitwarden.
Switch on 2FA everywhere you can.
Sleep at night.
It's a trust issue. I don't trust my passwords on someone else's server. I don't trust free services to remain free forever. I don't trust paid services to not increase the fees 4x over a few years.
The alternative to bitwardenrs or bitwarden/server is not bitwarden.com for me given the areas I'm concerned with, it's going back to KeePass + Syncthing.
I think the reticence to provide the group features in bitwarden_rs may come from being unwilling to too blatantly step on the toes of Bitwarden LLC by producing a $0 drop in alternative to their paid service. bitwarden_rs is open source and bitwarden/server is _mostly_ open source (Some SSO related features are not), so it seems worthwhile to get along and not need to fork the ecosystem.
They don't have your decryption key, therefore they save encrypted blobs and have no means to obtain your password. This takes care of trust issue - it simply is not an issue and never will be.
Even if malicious employee does something out of the ordinary or "hacker" gets the database, they still have the impossible task of breaking the encryption (which for all intents and purposes is impossible as of right now).
This returns us back to my starting point - there's *no objective* reason to use bitwarden_rs, apart from curiosity and/or convenience. I'm not saying it SHOULD not be used. We are all free to make choices as we see fit and don't need to justify them, however the reasons you listed are not reasons at all because the concerns you have don't exist.
It took a few seconds to add to my portainer (docker) server and now I host my vault and keep it safe within my LAN.
I don’t run the official Bitwarden server because its system requirements are much too high for my liking.
Meanwhile, bitwarden_rs uses ~24MB disk space, ~24MB RAM, and <0.03% CPU on my single-core Vultr box.
Oh yeah, one other practical reason I couldn’t/wouldn’t go with bitwarden.com’s free plan: I’ve got a few TOTP things in my vault, gotta pay for that.
Before installing the rust version I actually went through the code to check that it wasn't doing anything untoward; it wasn't a very thorough review, but it took a couple hours. Given the fact that you don't actually need to trust a Bitwarden server, I'm not too concerned about using an "unofficial" implementation.
— it's a native application (starts instantly on less powerful machines)
— can check your accounts against haveibeenpwnd.com database
— has full browser integration which works flawlessly IME
— can store SSH keys and work as an SSH agent
edit: it does not support synchronization, I misremembered. Sorry.
Each 'service block' is an encrypted file consisting of service name, service password (autogenerated), kv-store, some metadata for regenerating new passwords. The key to each service block is the hash of a primary password. The name of the 'service block' file is the hash of the service name. All of the service blocks are stored together in a folder that can be rsynced wherever.
My worry is obviously in the crypto. While I'm not doing anything too fancy I worry about timing attacks because an attacker will have the full encrypted block so the system is vulnerable to that sort of thing.
Writing them down in a notebook next to your computer. A homebrew system like e-mailing GPG-encrypted files to yourself. Your browser's built in password saving and sync features. A password-protected Excel spreadsheet on your dropbox.
Compared to a notebook, I can access my passwords from my phone if the need arises, and they're encrypted and backed up should I lose my phone.
Compared to a homebrew system, someone else has done the work and made a cross-platform system with nice browser extensions, sensible defaults, and so on.
Compared to my browser's sync features, there's peace of mind because it's not a free feature from a corporation famous for nonexistent customer service and sketchy tracking practices.
Compared to dropbox, the price is trivial (as they only have to store a few kilobytes of data) and it's focused on security.
EDIT: Never mind, found it - https://github.com/bitwarden/desktop/issues/552. This isn't exactly an RCE. You can say the same about anything. By your logic Microsoft auto-updates are RCE. Same with pacman/apt-get/yum package managers. Same with pretty much anything else.
I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.
I'd absolutely use KeePass for a long term storage password vault (with appropriately obscure reminders so I could recall the password), but the ecosystem of many unofficial free implementations for integration into browsers, phones (IIRC), etc. makes me twitch.
Instead of a salt, which is random for each entry and has to be stored along the hash, one single pepper is added to each password before hashing and kept secret.
Most people choose to trust certain software providers based on their reputation. But if you have serious doubts and you don't check, that would be your problem.
Whining about an open source project maybe being insecure basically means either check it or don't use it. Nobody is twisting your arm to risk your passwords on some wonky self hosted setup. Your problem if it blows up in your face. That's also what it spells out in a typical OSS license (that would be the section talking about limited liability). That's another thing people tend to not check that they probably should pay some attention to. Using the software means accepting that it's your responsibility.
If like most you are unable to make a sound judgment on this front; consider paying a service provider providing you a service. That would be Bitwarden in this case. They kindly provide a free version even. Easy choice IMHO.
Heart-bleed slipped through the cracks for a while and then certain software providers lived up to their reputation by providing fixes in a timely fashion. And certain others messed up by not doing that. I care more about how developers act when something like this happens than the fact that it happens.
OSS software providers are no different than other providers when it comes to trust. Except you have the option of looking at their code. Lots of people doing that builds trust. I tend to look at things like number of stars, commit frequency, and other things when deciding to use a random Github thing. When it comes to software that is safety critical, I prefer the scrutiny of an active community of developers. That just increases my level of trust.
IMHO Bitwarden's trustworthiness just went up by virtue of there being multiple implementations of the thing and apparently a growing community of users and developers depending on these things. I'm already using it and vastly prefer this over some closed source solution with opaque development processes. I probably would not self host but it is nice to have that option available.
It is a choice to obey the law of gravity? Because Its physically impossible for one person to check all security critical code they come in contact with even if they know every single programming language and have a Phd in cryptography. So stop with the accusatory language about 'whining' and pontification about choice.
Sure they do. The web vault. Plenty of functionality isn't available anywhere else.
You've only attempted to address 1 of 3, and the other reply indicates that there is absolutely attack vectors from bitwarden.com if bitwarden LLC wanted to, was forced to, or was compromised.
Switched to Bitwarden instead.
If you're going to host services as home such as your password manager, set up a WireGuard VPN, you can use a Pi and it'll be perfectly sufficient, leave only the VPN open on the internet, VPN in from your phone, laptop, whatever for anything you need access to, and you don't need to rely on Nextcloud or Bitwarden having vulnerabilities discovered in them.
I was using Nextcloud previously for password sync because my password manager needs WebDAV, it was too much to maintain so I wrote a small server in Golang using the WebDAV library and it sits behind NGINX which handles the auth. I run Minio (S3 compatible) for syncing our family photos from our phones and Folder Sync app on Android. They both run on a VM and write out to a ZFS pool.
I have a Pi 3B+ running Raspbian mounted read-only as a WireGuard VPN for remote access, and we use the official WireGuard app. VPN is always on because we have fast, symmetric fibre, and we don't need to worry about trusting public networks.
I've had my Raspberry Pis kill dozens of SD cards over the years, so read only can helas for updates, I manually remount read/write when I do maintenance and then remount read/only again when I'm done.
Bitwarden clients have the same UX across OSes and platforms ( browser extension, mobile app, thick client". The thick clients are indeed Electron based.
I'm actually a bit confused by 'the same UX across OSes'. What does this mean? The mobile UI is completely different to the desktop apps and web app.
Props to the Bitwarden guys for fixing the only thing that really bothered me with the UI.
...or they have to do it because of the NSA and weirdly 99% of users don't care or don't have the means to do anything about it.
Companies aren't trustworthy, they are bigger targets but also targets with thicker armor.
I just go with the offline route, KeepassXC runs well enough for me and is compatible with phones. I need to handle data sync myself but it's not like I change or add new passwords every day.
And all of the above are very good plausible deniability excuses, such that this single developer could, after all, be malicious and still not loose his reputation simply by claiming he got targeted by a 3rd party.
Let that sink in: a single developer and their PC is a gatekeeper of everyone's safety.
By the time that dialog box is displayed, the application has already replaced itself on disk (with code chosen arbitrarily by the bitwarden developers, or anyone in possession of their credentials), and the new code will be executed automatically without user intervention the next time the app is launched, which happens automatically if the computer is rebooted (like if there is a momentary power failure, or you hit "okay" on an OS update, or your battery dies and later you plug it back in to power).
This grants the developers (as well as anyone who can compromise their credentials) unlimited remote access to your entire password vault the next time you unlock it.
A simple "I'm not comfortable with code on my machine being updated remotely without my approval, because I believe an attacker could infiltrate the supply chain" explains the problem you're having more precisely and turns into a simple feature request (turn off the auto-updater - which is already possible, as documented in that thread!) rather than trying to convince an entire industry that a commonly accepted practice (installation of signed remote updates) amounts to 0day RCE by putting them on the defensive.
https://github.com/bitwarden/desktop/issues/552#issuecomment...
And these are just for the integrity of your _encrypted_ data. There are a lot more to do to fully secure your home infra in general. How do you secure your wireguard client key on the go? Do you monitor access logs? What about Guest Wi-Fi access, vlan separation...
I don't know if worrying about all these considered being paranoid. End of day it's about risk management, and personally, the benefits of selfhosting does not justify the effort I will need to put into maintaining it.
The server does not see the domains you have passwords for. The following data are saved in plaintext:
- A list of "equivalent domains" (this starts out with a default list, but individuals can change this). This totally can be used to deduce which websites you have an account for, but that's not really enough information, as most websites will not have an entry here.
- Some metadata such as your email, master password hint
- Most of the boolean values (mfa enabled, email verified, premium)
- Custom field types (types only, field name, and value are both encrypted)
- Revision date
- Bunch of UUIDs
Here is what a single password entry looks like when retrieved from the /sync endpoint, which happens before decryption: https://pastebin.com/FLr19qiN
> You have to trust the server also if you use the web client because the web client is loaded from the server.
This is true! However, the android app, cli, and other clients do not get loaded from the server, thus, in theory, you can inspect the source of them, possibly compile it yourself, and use that. In those scenarios you do not have to trust the server.
I once had to re-do a Drupal install because it was very likely already being abused. Would have liked immediate auto-update in that case. Ah well.
Ultimately, though, they could just ask. Most users probably want autoupdate, and they can opt in to that if they so desire. It's really a matter of consent, and forcing decisions down users' throats.
Most people probably don't understand or believe that they are granting these applications' vendors permanent remote access to their computer.
Honestly, I wish it were only a matter of trusting the developers. Unfortunately, it's a matter of trusting the developers, anyone from anywhere in the world who can compromise their keys/credentials, and anyone in meatspace who can coerce them to misuse those keys/credentials (such as military, police, et c). That, it turns out, is a rather large set of people, especially when you factor in the number of state level actors from every country big enough to have an intel agency sufficiently competent to own some small software house full of c# weenies running windows (the bitwarden devs).
If the goal is to prevent the most volume of exploitation, autoupdaters clearly win.
Or, you know, in a Docker container...
I build pretty much everything that's not C/C++ and/or Go using a Docker container now.
When you're working in a team, it's also an amazing way to share the build environment
Of the ones that didn't, very few had working install documentation and I wasn't going to fix it for them just to try out their product. I did open issues on their trackers about it for them, not that they cared since nothing has been done.
Bitwarden_rs was the one that had working install documentation that didn't require a build environment. It met our requirements in testing, so I deployed it to production.
Those are RCE vulnerabilities, as well. Platform vendors love being able to execute whatever they like on the advertising consumption devices that don't belong to them.
Just because it feels like a different thing because it's the vendor (only in theory - TAO would like to have a word with you) doesn't make it any less a vulnerability, or any less an RCE by the strict definition. Installing the client is equivalent to installing a RAT onto your machine: it can be remotely controlled to execute any code or tools the other end wants.
I get where you are coming from, but you clinking "update" in stead of the dev does not guarantee the safety of the update.
I run a private fork of the bitwarden client, anyway. Their stock one partially trusts the iteration count of the PBKDF provided by the server, and can be tricked into sending a low-iteration hash of the master password.