Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Is it safe to self-host a password manager on a VPS?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Is it safe to self-host a password manager on a VPS?

hostnoobhostnoob Member
edited December 2022 in General

I don't know how they work exactly.

Let's say someone gains access to the server due to an exploit or the , can they access the passwords? I assume they're encrypted, but they have to be decrypted at some point right?

Or are they decrypted on the local device with the master password, and all the server does is keep all of the devices synced?

I've always been sceptical of them in case of passwords being leaked, but reading about LastPass and it's "zero knowledge" model has got me thinking

Also, is BitWarden the best?

Thanks

Comments

  • If it's encrypted with a modern standard it should be safe

    Thanked by 2hostnoob ehab
  • Depends on your risk profile.

    If you want to be ultra safe don't use a password manager on a VPS or for the matter any cloud service. But for the 99% a proper password manager is safe enough.

    Thanked by 2hostnoob nick_
  • jmgcaguiclajmgcaguicla Member
    edited December 2022

    They're decrypted locally, only encrypted blobs fly through the wire, so you could theoretically transmit those even over plain HTTP and still not have to worry about people peeking into your garden (they can look but they can't make anything out of what they're looking at).

    At least, that's what zero-knowledge should be, I've seen some file hosts misuse this term when not only does their app send keys to the server, they also store it.

    SaaS BitWarden is essentially an encrypted blob file storage provider, all heavy lifting is done by the client.

    Thanked by 1hostnoob
  • hostnoobhostnoob Member
    edited December 2022

    So if it's encrypted with a strong standard, it's pretty safe if anyone were to gain access to it?

    I guess the risk would be if someone gained access to the server and set up a malicious service to steal the password or something like that?

    Edit: So Server contains db001 (i.e. revision 1) which is empty.

    I add a password on my PC and it becomes db002 and syncs it to the server, then that syncs to my phone and I can get my password? Then if I add a password on my phone it becomes db003 and that gets sync'd to the server and other devices?

  • jmgcaguiclajmgcaguicla Member
    edited December 2022

    @hostnoob said:
    So if it's encrypted with a strong standard, it's pretty safe if anyone were to gain access to it?

    Yes, barring someone breaking the crypto used of course.

    I guess the risk would be if someone gained access to the server and set up a malicious service to steal the password or something like that?

    They can't steal the password as the client doesn't send it out. At best, if they manage to MitM you and insert their own fake server they would still just be receiving a blob of garbage when you sync your vault.

    If the client itself is hosed, it's game over.

    Thanked by 1hostnoob
  • emgemg Veteran

    If the security architecture/design and its implementation are sound, then your data should be secure today.

    Speaking for myself, I would never store a password vault on the internet. If you think about it, it contains all the keys to all my kingdoms.

    Even if the security architecture/design is sound today, you never know whether someone may find a way to break it in the future.

    A worse problem is that nobody writes bug-free code. You never know when a bug might reveal a vulnerability that leaves your data unsafe. If companies wrote secure bug-free code 100% of the time, we would not have to update and patch our systems so frequently.

    Here is an example where encryption failed over time, the Data Encryption Standard (DES):

    The Data Encryption Standard (DES) encryption algorithm was treated as a "munition" (military weapon) by the US Government for export purposes. Products that included DES required an export license from the government. Web browsers like Internet Explorer came in two flavors:

    • An export version that omitted DES and other strong algorithms with keys longer than 40 bits.
    • A US version for "domestic" customers in the US that included "strong" algorithms, such as DES.

    How much sensitive government data was encrypted with DES back in the 1970s and 1980s? The people who encrypted that data back then thought it was secure.

    ... until it was not. Today, DES is considered broken and is no longer used. Anything that was encrypted with DES is vulnerable. It is as simple as that.

    Thanked by 1Val
  • @emg said:
    If the security architecture/design and its implementation are sound, then your data should be secure today.

    Speaking for myself, I would never store a password vault on the internet. If you think about it, it contains all the keys to all my kingdoms.

    Even if the security architecture/design is sound today, you never know whether someone may find a way to break it in the future.

    A worse problem is that nobody writes bug-free code. You never know when a bug might reveal a vulnerability that leaves your data unsafe. If companies wrote secure bug-free code 100% of the time, we would not have to update and patch our systems so frequently.

    Here is an example where encryption failed over time, the Data Encryption Standard (DES):

    The Data Encryption Standard (DES) encryption algorithm was treated as a "munition" (military weapon) by the US Government for export purposes. Products that included DES required an export license from the government. Web browsers like Internet Explorer came in two flavors:

    • An export version that omitted DES and other strong algorithms with keys longer than 40 bits.
    • A US version for "domestic" customers in the US that included "strong" algorithms, such as DES.

    How much sensitive government data was encrypted with DES back in the 1970s and 1980s? The people who encrypted that data back then thought it was secure.

    ... until it was not. Today, DES is considered broken and is no longer used. Anything that was encrypted with DES is vulnerable. It is as simple as that.

    I agree, but one might say that you can just regenerate all your passwords regularly (as recommended anyway) to work around this issue.

  • ArkasArkas Moderator

    @emg said: Speaking for myself, I would never store a password vault on the internet. If you think about it, it contains all the keys to all my kingdoms.

    What are the chances that you will be singled out from the million possible targets for a breach in data security? Having said that, I do use a secure cloud based password manager, but not for ALL my passwords :smile:

  • @Arkas said:

    @emg said: Speaking for myself, I would never store a password vault on the internet. If you think about it, it contains all the keys to all my kingdoms.

    What are the chances that you will be singled out from the million possible targets for a breach in data security? Having said that, I do use a secure cloud based password manager, but not for ALL my passwords :smile:

    u use a self hosted one or like lastpass?

  • "Is it safe to self-host a password manager on a VPS?" - NO!

  • emgemg Veteran

    @Arkas said:

    What are the chances that you will be singled out from the million possible targets for a breach in data security? Having said that, I do use a secure cloud based password manager, but not for ALL my passwords :smile:

    My response is:
    The chances are very low that I would be singled out from the million possible targets. (Allow me to point out that if I were a high value target, my answer would be the same, right?) Your point is correct, but does not address my concerns.

    The problem for me is that once my encrypted vault is up on the internet, I can no longer be certain that it remains under my control. Without that assurance, by definition the security of my passwords is dependent on the security of the password manager product that I am using.

    There is also the threat that my encrypted vault may be recorded, copied, and distributed by others. This threat means that an attacker can take vaults and work on them offline, using tools and methods that may not be available through the vendor's interface and the risk of detection. People with access to your encrypted vault include password manager company employees, who may be vulnerable any number of government threats, offers to cooperate, or other temptations.

    Furthermore, there is the long term threat. So far, past history has shown that encryption methods and algorithms grow weaker with time. What is secure today may be easily broken tomorrow. A simple coding error or bug may result in unlocking everyone's encrypted vaults easily in the future. For all we know, 30 years from now, toddler toys will have enough processing power to break today's best encryption. Look at my example of DES, above.

    There are other threats, if someone can associate you with a copy of your vault. You may be detained and forced to unlock it - either by lawful authority, or powerful criminal or corrupt organizations, through torture ... or maybe even your employer as a condition of continued employment.

    Here is a current example:
    Your country is invaded by a foreign power whose intelligence services know more about you than you do. Ordinary residents are forced to unlock and reveal their personal data to invading forces, where those forces had foreknowledge of "interesting" individuals to interrogate, etc. (I wonder what could happen if I were forced to unlock my Facebook or Twitter accounts? I never had one. I assume that the process of establishing that fact might hurt a little.)

  • emgemg Veteran

    P.S. Adding to my post above:

    I want to make it clear that keeping your own vault on your own local computer changes the security situation, but also imposes extra work on your part.

    You lose the convenience of sharing your passwords between multiple devices. As I have made abundantly clear, that is a Faustian bargain. In my opinion, the convenience is not worth the long term risks and I explained why, above.

    No matter what, you must protect your personal computer from outside attackers. That does not change. Your adversaries may attack or infect your personal computer and try to exfiltrate your passwords, password vault, or other sensitive data.

    You must provide for your own backup and recovery methods for yourself. You must decide what is sufficient for your needs, and then put it into practice. You must be consistent in that practice. If you decide to keep an offsite backup (a good idea, in my opinion), you must secure it appropriately as well. Depending on your threat model, your adversaries may know where to look.

  • CabbageCabbage Member
    edited December 2022

    @hostnoob said: Also, is BitWarden the best?

    Not sure about the objective best, but it is close to one, especially if you take price into consideration. Bitwarden is fully open source, so if you really want to verify the security, go ahead. They also published a whitepaper, so you could check up on that instead.
    While I do roll my own Bitwarden instance, I do recommend using their hosted instance, partially because of their long history, but mostly because of the availability. Security would be meaningless if you lost access to it altogether.

    If you are still paranoid, or don't need web access, there's always the option of keeping it offline completely. Check out Keepass.

    Thanked by 1emg
  • emgemg Veteran
    edited December 2022

    Citing another example:

    For many years, I used a simple "To Do" list manager application called "Things" from a company called Cultured Code. I liked Things a lot. It did exactly what I wanted.

    One of the features I liked about Things was that they offered a version as an iPhone app, and the app would synchronize with the list on my personal computer over the standard iPhone USB cable. All of my personal To Do data was local.

    When Things 2.0 came out, Cultured Code changed how the sync feature worked. The new version stores your To Do list data over the internet, on "Things Cloud" servers in Germany. As usual, there were lots of assurances that your data was secure, but the short summary is: "Trust us to keep your Things Cloud data secure. Go look at our website and see for yourself." Scroll to the bottom:
    https://culturedcode.com/things/cloud/

    The rest of the information about their security architecture had to be prized from them through email exchanges with support and others. They did not want to openly admit that trusted employees could read customer plaintext data. Here is the true basis of Things Cloud security, confirmed through support exchanges with their support team and escalated to management/development:

    • Your data cannot be read by outside attackers, because it is encrypted with SSL. What that means is that the data on the internet between your device and the Things Cloud server is encrypted. (In case it is not apparent, once your data arrives at the Things Cloud server, it is decrypted on receipt.)
    • Your Things Cloud data on our servers cannot be read by outside attackers. Trust our IT department to keep your data safe and secure from hackers.
    • Only a small number of Things employees have access to Things Cloud customer data. They had all been carefully vetted and were highly trusted. Yes, they admitted that trusted employees could access customer plaintext data. Of course, that was years ago, and we do not know if they are still as diligent about who has access, and whether anyone who left Cultured Code has knowledge that could be used to get the data.

    I used Things 1.x USB sync mode as long as it lasted. When the USB sync option went away, I stopped using Things. There was no way I was going to make my very sensitive to do list information available to a third party. Do I need to explain why a personally managed daily to do list might be considered highly sensitive, especially for people in positions of significant responsibility, authority, or the media spotlight?

    I wonder how many people in sensitive roles are using Things? Do they realize that their To Do lists are accessible as plaintext to employees of a company in Germany, if not others? I wonder if Cultured Code realizes what a juicy, tempting target they are? Imagine if a celebrity, politician, general, or Supreme Court Justice uses Things? How much would the Things Cloud database be worth to Russia or China, The New York Times or TMZ, just for a peek?

  • I only use shared hosting for my password manager

  • HxxxHxxx Member
    edited December 2022

    KeypassX offline if you want absolute security. Do audit the code to make sure is safe, for maximum trust.

    Otherwise use any of the qualified password manager services. Nothing is 100% secure, architecture play a big role. If for example is zero trust architecture, that's a plus.

    Anyway ignore my answer because you didn't asked this haha.

  • @jmgcaguicla said:

    @hostnoob said:
    So if it's encrypted with a strong standard, it's pretty safe if anyone were to gain access to it?

    Yes, barring someone breaking the crypto used of course.

    I guess the risk would be if someone gained access to the server and set up a malicious service to steal the password or something like that?

    They can't steal the password as the client doesn't send it out. At best, if they manage to MitM you and insert their own fake server they would still just be receiving a blob of garbage when you sync your vault.

    If the client itself is hosed, it's game over.

    this is the answer.

  • I don't know if it's because I am getting old, but I no longer spend time and effort self hosting things when it doesn't make much sense. Managed Bitwarden is free and with the premium features is $10 per year, which is ridiculously cheap. Why don't you just use that and have one less thing to worry about? I am speaking as someone who until recently was self hosting 43 services, including email and password manager (Vaultwarden) among the many things. I have just realized that for many apps it's not worth it.

  • @vitobotta said:
    I don't know if it's because I am getting old, but I no longer spend time and effort self hosting things when it doesn't make much sense. Managed Bitwarden is free and with the premium features is $10 per year, which is ridiculously cheap. Why don't you just use that and have one less thing to worry about? I am speaking as someone who until recently was self hosting 43 services, including email and password manager (Vaultwarden) among the many things. I have just realized that for many apps it's not worth it.

    Same. I don't mind paying the $10/year for Bitwarden's premium feature. It's well worth it, and their software/service is fantastic. Highly recommended.

  • @emg said: How much sensitive government data was encrypted with DES back in the 1970s and 1980s? The people who encrypted that data back then thought it was secure.

    Why go back that far? Even with modern state-of-the-art cryptography, there are countless possible ways you can shoot yourself in the foot through no fault of your own: https://en.wikipedia.org/wiki/Random_number_generator_attack#Debian_OpenSSL

    @emg you're 100% right. I cannot imagine paying any monetary amount for hosting a glorified encrypted text file.

  • @ntlx said:
    Same. I don't mind paying the $10/year for Bitwarden's premium feature. It's well worth it, and their software/service is fantastic. Highly recommended.

    I second this. Bitwarden is so good and so cheap for something that I use soo soo much!!!

Sign In or Register to comment.