Password managers

I just moved my Docker container over to the new Vaultwarden. There's a new admin panel you reach by going to /admin, and you get loads of settings you can configure.

The admin panel has always been there. :) A lot of the settings are already exposed as environment variables in Docker/Compose, but there's a fair few that aren't.

Edit: It's strongly recommended that you generate a *very* secure string/phrase for the admin interface. You can use openssl or /dev/(u)random to help.

Code:
# 64 random printable ASCII characters (letters, digits, punctuation; no whitespace) from the kernel CSPRNG
</dev/urandom tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' | head -c 64  ; echo
Code:
# 64 random bytes, base64-encoded (88 characters, 512 bits of entropy)
openssl rand -base64 64

I save mine in (ironically) Vaultwarden with a baseurl as 'starting with' bw.my.domain/admin so it only shows for that single page, and is encrypted at rest (and on the server) should it be compromised.
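Added example, not from the poster: the same job as the two one-liners above, done in Python with the standard library's secrets module (os.urandom underneath), plus two checks worth running before the token goes anywhere near a compose file or .env: how many bits you actually got, and whether the characters will survive YAML quoting and docker compose's $VAR interpolation untouched. The alphabets and thresholds are my choices, not anything the thread specifies.

```python
"""Generate an ADMIN_TOKEN-strength secret and check it is safe to paste.

Added example (not from the thread). secrets.token_urlsafe and
secrets.choice both draw from the OS CSPRNG; random.choice must never be
used for this.
"""
import math
import secrets
import string

# The alphabet of the tr one-liner: letters, digits and all ASCII punctuation.
PUNCT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# token_urlsafe only ever emits these, so no YAML quoting or $-escaping issues.
URLSAFE_ALPHABET = string.ascii_letters + string.digits + "-_"


def generate_token(nbytes: int = 48) -> str:
    """48 random bytes as unpadded base64url: 64 characters, 384 bits."""
    return secrets.token_urlsafe(nbytes)


def generate_token_from_alphabet(length: int = 64,
                                 alphabet: str = PUNCT_ALPHABET) -> str:
    """Uniform, unbiased choice from an explicit alphabet (secrets.choice
    uses rejection sampling, so no modulo bias)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random token: log2(alphabet_size ** length).
    This is a property of how the token was generated, not of the characters
    you happen to see; a human-chosen phrase gets no credit from this."""
    return length * math.log2(alphabet_size)


def compose_safe(token: str) -> bool:
    """True if the token can go into a compose file or .env verbatim.
    docker compose expands $VAR in values, a stray ' breaks a single-quoted
    YAML scalar, and # can start a comment in a .env file, so the safe set
    here is the base64url alphabet."""
    return bool(token) and all(c in URLSAFE_ALPHABET for c in token)


if __name__ == "__main__":
    t = generate_token()
    print(t, f"({entropy_bits(len(t), len(URLSAFE_ALPHABET)):.0f} bits)")
```

The punctuation-alphabet variant gives slightly more entropy per character (about 6.6 bits versus 6), but a 64-character base64url token is already 384 bits and needs no escaping, which is why generate_token is the default here.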
 
Hey guys, using Vivaldi as my main browser, what's the go-to right now for password managers? I see you guys talking about Bitwarden but also mentioning using a NAS to store the data (which I don't have). Is it still the go-to without that?
 
Hey guys, using Vivaldi as my main browser, what's the go-to right now for password managers? I see you guys talking about Bitwarden but also mentioning using a NAS to store the data (which I don't have). Is it still the go-to without that?

Yeah. You don't need to self host. Syncing works pretty well by itself and is free.
 
Hey guys, using Vivaldi as my main browser, what's the go-to right now for password managers? I see you guys talking about Bitwarden but also mentioning using a NAS to store the data (which I don't have). Is it still the go-to without that?

Yeah. You don't need to self host. Syncing works pretty well by itself and is free.

To clarify... Bitwarden is a password manager with a free tier and a paid tier (£10 a year or something). The free tier saves your passwords and syncs them, fully encrypted, to 'the cloud'. The paid tier allows you to use 2FA/OTP one time codes, Family and Enterprise features etc. When self-hosting, the open source project Vaultwarden (recently renamed from bitwarden_rs) allows you to run a fully fledged Bitwarden service on your own local machine, so you're no longer storing your account in Bitwarden's own 'cloud' (their servers), but rather your own. That can be a NAS, a server or any always-on machine.

The advantages of self-hosting are (1) complete control over your data (and whether or not you lose it!), and (2) you get all the paid features free.
 
I've used 1Password, LastPass and Dashlane. I found 1Password to be the best for me. It's the easiest to organise and the browser extension works pretty flawlessly for me. I also like that they have a lot of different types of presets, so you can organise your records into simple user/pass combos, server access details, payment cards, user profiles etc.
 
To clarify... Bitwarden is a password manager with a free tier and a paid tier (£10 a year or something). The free tier saves your passwords and syncs them, fully encrypted, to 'the cloud'. The paid tier allows you to use 2FA/OTP one time codes, Family and Enterprise features etc. When self-hosting, the open source project Vaultwarden (recently renamed from bitwarden_rs) allows you to run a fully fledged Bitwarden service on your own local machine, so you're no longer storing your account in Bitwarden's own 'cloud' (their servers), but rather your own. That can be a NAS, a server or any always-on machine.

The advantages of self-hosting are (1) complete control over your data (and whether or not you lose it!), and (2) you get all the paid features free.

The free tier also allows you to use OTP/2FA using Authy or such like. Just want to make sure people understand you don't have to pay for 2FA.


M.
 
The free tier also allows you to use OTP/2FA using Authy or such like. Just want to make sure people understand you don't have to pay for 2FA.


M.

No, there are myriad free apps for OTP... but if you want the OTP integrated into Bitwarden (which is half the convenience factor of having a password manager, it's all in one) then you have to pay. That's why self-hosting is useful, and why I run my own instance. All features included for free, because it's FOSS, and that gives me full control over my own data. As I said, just something to bear in mind.

 
Sorry, misread - yes, it's convenient to have the 'press a button on your phone' but you can still have non-integrated OTP to log in to Bitwarden, which is the bit you really want an OTP on.

The problem with self-hosted is you have to back it up - if you're backing it up you want it encrypted, and you need to hold the encryption key somewhere in case of a total loss. If your site goes down then you can, potentially, be in a very bad place whereby you can't get to your passwords.



M.
 
Sorry, misread - yes, it's convenient to have the 'press a button on your phone' but you can still have non-integrated OTP to log in to Bitwarden, which is the bit you really want an OTP on.

The problem with self-hosted is you have to back it up - if you're backing it up you want it encrypted, and you need to hold the encryption key somewhere in case of a total loss. If your site goes down then you can, potentially, be in a very bad place whereby you can't get to your passwords.



M.

My second factor to log in to *warden is my YubiKey.

As for losing your files or key, you'd have to be a moron, in which case self hosting anything at all (even your documents) isn't for you. The *warden database is already encrypted (else Bitwarden wouldn't be encrypted), you just need to store a copy elsewhere as a failsafe. I have my vaultwarden running in Docker on my NAS, which is the primary active instance and database. Every 12 hours, cron on the NAS runs a script to back up the encrypted file to (1) my rclone encrypted pCloud storage offsite, and (2) a secondary ed25519 SSH key encrypted offsite backup. If my NAS ever exploded, I have a copy of the database on (1) all devices currently logged in, (2) on pCloud, (3) offsite backup and (4) monthly hard backup to a dedicated drive. It's not getting lost. :p
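Added example, not the poster's cron script: a Python snapshot-and-restore-test for the data directory described above. It assumes the default SQLite backend and the container's /data layout (db.sqlite3, rsa_key.pem as the JWT signing key, attachments/, config.json); those names come from the default install, not from this thread, and the sample data the script builds is constructed. Encrypting the archive and shipping it offsite (rclone crypt, an SSH-key-wrapped copy, age) is the next step in the poster's pipeline; what this script adds is the part a plain cp in a cron job gets wrong: a transactionally consistent copy of the live database, an integrity hash, and proof that the archive actually restores before it is trusted.

```python
"""Consistent snapshot of a Vaultwarden /data directory, with a restore test.

Added example, not the poster's cron job. Assumes the default SQLite backend
and /data layout (db.sqlite3, rsa_key.pem, attachments/, config.json).
Encryption and the offsite copy happen after this step.
"""
import hashlib
import os
import shutil
import sqlite3
import tarfile
import tempfile
import time
from pathlib import Path

DB_NAME = "db.sqlite3"
KEY_NAME = "rsa_key.pem"   # JWT signing key; lose it and every client re-logs in


def snapshot_database(src_db, dst_db):
    """Copy a live SQLite database with the online backup API. A plain cp while
    the server is writing (or with an unflushed -wal) can yield a copy that does
    not open; the backup API gives a transactionally consistent one."""
    src, dst = sqlite3.connect(src_db), sqlite3.connect(dst_db)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def make_backup(data_dir, out_dir):
    """Write <out_dir>/vaultwarden-<UTC stamp>.tar.gz (mode 0600) and a .sha256
    sidecar; return (archive path, hex digest)."""
    data_dir, out_dir = Path(data_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    with tempfile.TemporaryDirectory() as tmp:
        stage = Path(tmp) / "data"
        stage.mkdir()
        for item in data_dir.iterdir():
            if item.name.startswith(DB_NAME):   # db, -wal, -shm: handled by the API
                continue
            if item.is_dir():
                shutil.copytree(item, stage / item.name)
            else:
                shutil.copy2(item, stage / item.name)
        snapshot_database(data_dir / DB_NAME, stage / DB_NAME)
        stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
        archive = out_dir / f"vaultwarden-{stamp}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(stage, arcname="data")
    os.chmod(archive, 0o600)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(f"{archive}.sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_backup(archive, expected_sha256):
    """Restore test: hash matches, no tar member escapes the extraction dir
    (absolute path, '..' or link), the restored DB passes integrity_check and
    has at least one table, and the signing key came along."""
    archive = Path(archive)
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected_sha256:
        return False
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive) as tar:
        members = tar.getmembers()
        for m in members:
            p = Path(m.name)
            if p.is_absolute() or ".." in p.parts or m.issym() or m.islnk():
                return False
        tar.extractall(tmp, members=members)
        restored = Path(tmp) / "data"
        if not (restored / KEY_NAME).is_file():
            return False
        con = sqlite3.connect(restored / DB_NAME)
        try:
            if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                return False
            q = "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
            return con.execute(q).fetchone()[0] > 0
        finally:
            con.close()


def make_sample_data_dir(root):
    """Constructed stand-in for /data so the script runs without a real
    instance. The table is invented; the real schema is much larger."""
    data = Path(root) / "data"
    (data / "attachments" / "cipher-1").mkdir(parents=True)
    (data / "attachments" / "cipher-1" / "att-1").write_bytes(b"pretend attachment")
    (data / KEY_NAME).write_text("-----BEGIN PRIVATE KEY-----\nplaceholder\n")
    (data / "config.json").write_text('{"signups_allowed": false}\n')
    con = sqlite3.connect(data / DB_NAME)
    con.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
    con.execute("INSERT INTO users VALUES ('u-1', 'me@example.invalid')")
    con.commit()
    con.close()
    return data


def run_demo():
    """Back up the sample dir, verify it, then flip one byte of the archive and
    confirm verification now fails. Returns the outcomes for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        data = make_sample_data_dir(Path(tmp))
        archive, digest = make_backup(data, Path(tmp) / "backups")
        good = verify_backup(archive, digest)
        raw = bytearray(archive.read_bytes())
        raw[-1] ^= 0xFF                      # simulate corruption in transit
        archive.write_bytes(raw)
        return {"digest": digest, "good": good, "tampered": verify_backup(archive, digest)}
```

Run make_backup from cron against the real data directory, then hand the .tar.gz to whatever encrypts and uploads it; the .sha256 sidecar travels with it so the offsite copy can be checked without decrypting the database first. Keep verify_backup in the cron job too, not just in testing.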
 
Sorry, misread - yes, it's convenient to have the 'press a button on your phone' but you can still have non-integrated OTP to log in to Bitwarden, which is the bit you really want an OTP on.

The problem with self-hosted is you have to back it up - if you're backing it up you want it encrypted, and you need to hold the encryption key somewhere in case of a total loss. If your site goes down then you can, potentially, be in a very bad place whereby you can't get to your passwords.



M.

There are pros and cons to both cloud hosted and self hosted. Indeed you need to keep the server backed up, but once a week or so I just export it to a cloud instance so I don't lose too much if I need to restore. My container data is also backed up via Duplicati to mega.nz twice a day, and there's also a local copy of the data on a 32GB USB pen.
 
Thought I'd give Vaultwarden a go to see how it compares to KeepassXC. Sadly I can't get this working properly at all on my Unraid server as I only want it running locally (no reverse proxy) and it requires HTTPS to work. I've installed Caddy, created an OpenSSL self-signed certificate, edited and re-edited the Caddyfile based on various internet searches and, while Caddy is running, it doesn't seem to be doing anything at all.
 
Sadly I can't get this working properly at all on my Unraid server as I only want it running locally (no reverse proxy) and it requires HTTPS to work.

So you don't want it Internet accessible at all? Just enable Rocket's inbuilt TLS and use a self-signed or Let's Encrypt cert. If it is going to be Internet accessible (even limited to your own whitelisted IP), you can use Cloudflare to proxy the traffic and enable HTTPS, and leave Vaultwarden running locally with no further TLS/SSL setup enabled. As mine's on a NAS which has an existing nginx reverse proxy, I have it running in Docker without HTTPS. It doesn't need it, as the proxy handles TLS for it. In the past I have had it running in HTTPS mode using the inbuilt Rocket TLS, but that just added needless overhead as the Vaultwarden instance isn't directly public facing anyway.

Here's my (non-HTTPS) docker-compose file in case it helps you any. As I said, for the full features you'll still need Cloudflare, nginx, Caddy or similar to act as an HTTPS frontend:

Code:
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - /docker/vaultwarden:/data
    ports:
      - 80:80                           # plain HTTP; the reverse proxy in front terminates TLS
    environment:
      PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
      ROCKET_ENV: 'staging'
      ROCKET_PORT: '80'
      ROCKET_WORKERS: '10'
      SMTP_AUTH_MECHANISM: 'Login'
      SMTP_FROM_NAME: 'Vaultwarden'
      SMTP_HOST: 'smtp-mail.outlook.com'
      SMTP_USERNAME: '[email protected]'
      SMTP_FROM: '[email protected]'
      SMTP_PASSWORD: 'abcde123'         # placeholder; keep the real one out of the compose file (env_file or secrets)
      SMTP_SSL: 'true'
      SMTP_PORT: '587'
      PGID: '100'
      PUID: '1000'
      ADMIN_TOKEN: 'ABCDEFG'            # placeholder; use a long random value generated as described earlier in the thread
      DOMAIN: 'https://bw.my.domain'    # the public HTTPS URL the clients use, not the container's HTTP address
      TZ: 'Europe/London'
      LOG_FILE: '/data/vaultwarden.log'
      SIGNUPS_ALLOWED: 'true'           # anyone who can reach the instance can register; set to 'false' once your accounts exist
 
Thought I'd give Vaultwarden a go to see how it compares to KeepassXC. Sadly I can't get this working properly at all on my Unraid server as I only want it running locally (no reverse proxy) and it requires HTTPS to work. I've installed Caddy, created an OpenSSL self-signed certificate, edited and re-edited the Caddyfile based on various internet searches and, while Caddy is running, it doesn't seem to be doing anything at all.

If it's any help, this is how I set up my non-public-facing, local TLS/HTTPS Vaultwarden instance (previously BitwardenRS) on Unraid:

1. Bought a very cheap domain name from namecheap.com
2. Signed up with the DigitalOcean DNS service and got the TLS API key (Cloudflare is another option)
3. Installed the LinuxServer/SWAG docker on Unraid, with the "Subdomain" variable set to "wildcard" and "Validation" set to "http" for the time being
4. Once the container was up, went to the cache/appdata/swag/dns-conf folder and updated the digitalocean.ini file with the API key
5. Went back to edit the SWAG container and set the "Validation" variable to "dns" and the "DNS-Plugin" variable to "digitalocean"
6. Restarted the container and checked the logs to see the "server ready" message
7. Set up a local CNAME record in my local DNS server AdGuard Home (you could also do this on PiHole/Windows "hosts" file/maybe your router as well) so that the domain name points to the corresponding IP of SWAG on Unraid
8. Entered the domain name in the browser, got the default SWAG page with Let's Encrypt TLS/HTTPS
9. Installed the vaultwarden/server:latest docker container on Unraid
10. Updated the bitwarden.subdomain.conf file under cache/appdata/swag/nginx/proxy-confs so that pass.(sub domain) points to the vaultwarden docker, restarted the SWAG container
11. Updated the local CNAME record again with the subdomain "pass.(domain name)" so that this also points to the corresponding IP of SWAG on Unraid, same as step 7
12. Entered pass.(domain name) in the browser, got the Bitwarden page with Let's Encrypt TLS/HTTPS

No port-forwarding was done in this scenario, and the only way to access this local instance from outside would be through a VPN.
 
I actually got this running today. I had to tinker around a bit as I have a mail server (Mail-in-a-box) running on a VM in Unraid which is obviously internet facing with appropriate port forwarding. I've repointed ports 80 & 443 temporarily, then installed SWAG after watching SpaceInvader One's tutorial. It's been a bit of a faff and it's broken the web interface for my MiaB server, which I'm struggling to configure reverse proxy settings for in SWAG, but I have had time to look at Vaultwarden now. The GUI is prettier than KeepassXC (unsurprisingly) but I don't think it adds anything that I don't already get and the context menu isn't as good (IMO) as the KeepassXC browser. I feel like I'm having to click more times to get things done, especially with TOTP.
 
I feel like I'm having to click more times to get things done, especially with TOTP.

If TOTP is enabled for a given login/domain, the code will automatically copy to clipboard when the login is filled. Just click to login from the user/pass screen, and then paste into the OTP box and it should paste the valid code. No clicking required.
 