Self-hosted Password Manager

Now that it’s clear what exactly was taken at the (last) LastPass breach, it may be a good time to re-evaluate how do you keep your passwords secure.

(Of course, if you’re on LastPass, you’ll need to rotate all your passwords and add MFA where possible. And then move on. They fsck up.)

So what are the options for your passwords? You could:

1. pick a cloud provider with a better track record.
2. self-host your own password manager web service.
3. use a portable password manager with a browser plug-in. Manage the safe synchronisation between devices by setting up self-hosted file-hosting service.

I am not a fan of 1. Besides being a waiting game to find out if they make the same bad choices as LastPass, a service with millions of users is a very likely target. Point 2 is certainly better, but I prefer to add an extra line of defense.

This is my implementation of option 3:

• KeePassXC on my computers (Linux, macOS, Windows) with a very long, but easy to remember passphrase. There are several compatible clients for mobile devices and official plugins for browsers. An added advantage of using KeePassXC is that it can be used as the source of private SSH-keys (also secrets), so they don’t have to be kept on disk.
• Seafile in a container using an Encrypted Library. You don’t need a lot of resources for a small setup. You could easily host it on a rpi at home or a small cloud VM.

This setup gives you an encrypted password database that resides on an encrypted share accessible by a native clients, and when needed, a web interface. The web-browser plugin will handle web logins, with the sane default of only doing so after the user requires it (e.g. by clicking on the KeePassXC icon in the user field.).

(Mastodon post)