
When you all self-host this, you also do the following, right?

- Create threat models that identify weaknesses in the design of your self-hosted setup.

- Harden the OS with things like MAC, and harden the container with dropped privs, read-only root filesystem, and outbound network filtering.

- Deploy an intrusion detection system to know if you've been compromised.

- Perform all OS and app patching automatically, or regularly without fail.

- Follow CVE feeds in case a zero day needs to be fixed before the next patch window.

- Arrange for an expert to perform regular penetration tests.

- Deploy a tool that detects and alerts on things like firewall misconfigurations.

- Regularly test your backup and recovery methods, since if you also store 2FA codes and backup codes in there, you could be permanently locked out of your accounts.
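As an added example (not code from this thread or from the Vaultwarden project), here is a docker-compose service that applies the container-hardening items from the list above: dropped capabilities, no privilege escalation, a read-only root filesystem, and a loopback-only bind so only a reverse proxy reaches the container. Assumptions: the upstream vaultwarden/server image with its writable /data volume and its DOMAIN, ROCKET_PORT and SIGNUPS_ALLOWED settings; the hostname is a placeholder; outbound filtering is left to a host firewall, which Compose cannot express on its own.

```yaml
# Added example, not from the thread: hardened Compose service for Vaultwarden.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    # Drop every Linux capability; none are needed on an unprivileged port.
    cap_drop:
      - ALL
    # Block setuid/setgid binaries from regaining privileges inside the container.
    security_opt:
      - no-new-privileges:true
    # Immutable root filesystem: only /data (persistent) and /tmp (tmpfs) are writable.
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - ./vw-data:/data
    environment:
      DOMAIN: "https://vault.example.com"   # placeholder; TLS terminated by the proxy
      ROCKET_PORT: "8080"                    # listen on an unprivileged port
      SIGNUPS_ALLOWED: "false"               # closed registration
    # Publish on loopback only; the reverse proxy on the host is the only client.
    ports:
      - "127.0.0.1:8080:8080"
```

Egress filtering (the outbound rule in the list) still has to be done on the host, for example by restricting the container's bridge interface to the SMTP relay and update endpoints it genuinely needs.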



Well, what I have done is this analysis:

1. If for some reason a state-based actor takes interest in me, I'm boned no matter what I do. I wouldn't trust any hosted service in that circumstance and that includes the service I'm running Vaultwarden on. My vault isn't even what they'd necessarily attack; they'll go straight after my bank and straight after my other high-value accounts and there's nothing I can do about that either.

2. My self-hosted Vaultwarden setup will defeat any random scanner and the majority of random Joe Schmoe Hacker guys. In principle it even defeats a casual insider on my hosting service because just grabbing a disk image actually shouldn't help them much; they need to compromise Vaultwarden (not just the OS generally, Vaultwarden specifically) somehow, and probably actually my Vaultwarden client too.

The rest of your concerns hypothesize a class of attacker I think borders on, but is perhaps not quite, nonexistent. I'm not really concerned about the super-skilled hacker who is limited to only my vault as their attack vector, and apparently has very fresh if not zero-day vulns that they are willing to deploy against me and specifically me, only me; their payoff for their personalized and specialized hacking effort is just that they get specifically my (encrypted) vault and nobody else's. That is a very specific level[1] of interest that this hacker, who is not defeated by my current setup but is defeated by what you outline, has in me.

Edit: Actually what makes me the most nervous overall is compromises of the client, not the self-hosted server I run. For practical purposes 100% of my risk in this setup is there.

[1]: https://www.shamusyoung.com/twentysidedtale/?p=55166


My setup is this: drop all traffic except 80 and 443, auto-update, back up the container volumes to Backblaze with restic.

I got hacked less often than 1Password or Okta, so I guess I am on par with the professionals, afaik (I give you that) :)


You posed it as a joke, but it's quite true: the "real deal" professionals get hacked frequently. Doing the barebone basics will protect you from 99% of the crap out there.

As another poster mentioned, if some state-based actor gets interested in me, I'm hosed no matter what.


An important part of security is threat assessment and worst case analysis.

If the cost of your security policy is greater than the cost of a worst-case compromise, then you are probably over-investing in security.

With that in mind, does your policy seem appropriate to a user securing their Facebook password? Or their homelab service accounts?

*Cost in this case being the combination of literal currency and subjective costs like time/emotional well-being/public perception.


Is that the type of thing that people self-hosting a password management server are trying to secure?

In that case, it's extra silly. Is the cost of setting this up and maintaining it at all worth securing your Facebook password?


For me it is worth it to host a password manager for me and my family, although I just did a one-click install on Digital Ocean (using Bitwarden, not Vaultwarden ... so far).

To me (and I'm pretty ignorant about this stuff), the biggest weakness of a password manager is that it's the one link in a chain that somebody needs to break to have all of my passwords. Hosting that at bitwarden.com or lastpass.com or whatever makes it an even sweeter target because those are known targets. At least self-hosting makes it more difficult for somebody else to find my password manager.

Moving to Vaultwarden has its complications but it would also be fun, and maybe a cool project for the kids. And like you say, if we screw up and they lose their Instagram password, they won't even remember the pain once they've all grown up and the world is a dystopian nightmare of climate catastrophes, wars, etc. They'll be busy looking for the fattest grubs to eat.


We like to host stuff :) If I am honest with myself, I might be paying more than I would if I didn't self-host.


You shouldn't feel bad about that, because that money isn't lost, you just used that money to buy enjoyment which is valuable as well.

And that is without even accounting for the amount of knowledge and experience gained by self-hosting.


You’re really, really sure your hosted provider does all of that correctly, right?


The vault is client side encrypted so it doesn't actually matter. My host provider could be the robot devil living in North Korea and it wouldn't matter, that's literally the defined purpose of encryption, secure communication across adversarial channels.

I don't really understand why people bother with this security theater, all the self hosting is completely redundant.


I don't self host because of "security theater". I do it because I want to control my data and not be at the behest of a third-party to resist the siren song of enshittification.


Actually yes, most of those things are required for SOC 2 which is verified by an independent auditor and visible in their report.


1) I'm going to go out on a limb and guess LastPass, Okta, et al., WERE and ARE SOC 2 Type II certified. Didn't stop them from getting breached.

2) SOC 2 is defined by the American Institute of Certified Public Accountants. That it is held up as some sort of exemplary cyber security standard is absolutely ridiculous.


Not to defend them, but it doesn't matter if a hosting provider does that. So long as you can sue them for your full damages when it goes wrong.

That's the whole point of SaaS isn't it? We pay you to manage this, you manage it appropriately taking advantage of economies of scale, we sue the shit outta you if it goes wrong.


> So long as you can sue them for your full damages when it goes wrong.

Generally, you cannot.


And to add to that: suing someone for damages does not undo any damage.

Your identity is still stolen, your private photos leaked, your company destroyed, etc.


The whole point of SaaS is someone the CTO can blame when things go wrong.

Doesn't matter if the downtime is higher, doesn't matter if there are more successful attacks.

If a CTO goes in-house, they carry the risk. If they outsource it to a vendor, especially one with a Gartner report, they can play golf and not risk their bonus.


Or, you might pay an insurance company to cover you for the risk - and so long as you have the right attestations from your SaaS providers, your insurer pays out in the event of a problem (and maybe goes after the SaaS if they feel the need to).


I'm sure you signed an arbitration agreement.


> That's the whole point of SaaS isn't it?

Pretty sure the entire point of SaaS is that sweet recurring revenue.


The bigger risk is likely your client, which might even be inside your browser, gets hacked / compromised. And that is the same regardless if you self-host.


+1 on this... With Bitwarden clients in particular, it's also the only place your data is running decrypted.


My Vaultwarden server is behind a VPN, so I just don't need any security measures at all :)


Yeah, so nice to just have it on the tailnet as https://vaultwarden

That said, I got a Proton family account and switched. In Proton Pass it is much more intuitive and easy to share with family (just say: share this folder with that fam member, read or read/write), since you don't need the whole "Organizations" layer needed in Bit/Vaultwarden (which also has its ups, I know). Happy to report that Vaultwarden exported everything nicely to .json and importing into Proton Pass was flawless.

I also find Proton Pass to be a bit more helpful in associating URLs with credentials, and I now use one alias per login (each credential set has a unique email address) without any effort. Vaultwarden can't do that (yet? Although it seems complicated to implement), only (paid) Bitwarden I guess.


I don't currently self-host Vaultwarden, though I do have quite a few services running on my home server.

I lean on Tailscale to avoid exposing the server to the public internet. That doesn't handle the backup and restore concern, but unless I'm missing something I should be pretty well mitigated on network security issues since I avoided firewall and port configuration altogether.


For personal use, why bother with this instead of something like Strongbox syncing to a cloud drive?


Well, first off, Strongbox is Apple specific, and I don't use Apple devices. Second, it does not appear to be 100% open source, though it is based on some open source code from KeePass.

So the real question for me would be why not use KeePass, which is what I used before switching to Bitwarden. I switched because at the time, Bitwarden had better clients, better integration with Android and Firefox. That situation has changed some since, but I haven't had any good reason to switch back.


Aye, this has worked very well for me. Keepass file stored on google drive. Can open on PC, iOS, Android, etc.


Do you backup your Google Drive?


I wouldn't use this because six months from now this very well meaning developer may sell the company to a buyer who ends up being less scrupulous. You're one update away from losing control of your entire digital life.


You can export your vault.


When you post on HN, you also do the following, right?

- Build a straw man argument

- Act like all threat models are the same (distributed vs. centralized password store, for example).


My threat model: I don't want for-profit entities to have my money or any more recognition through my using them.

Based on that, the rest of your comment is useless fearmongering.
