Self-hosted Password Manager

Now that it’s clear what exactly was taken at the (last) LastPass breach, it may be a good time to re-evaluate how do you keep your passwords secure.

(Of course, if you’re on LastPass, you’ll need to rotate all your passwords and add MFA where possible. And then move on. They fsck up.)

So what are the options for your passwords? You could:

  1. pick a cloud provider with a better track record.
  2. self-host your own password manager web service.
  3. use a portable password manager with a browser plug-in. Manage the safe synchronisation between devices by setting up self-hosted file-hosting service.

I am not a fan of 1. Besides being a waiting game to find out if they make the same bad choices as LastPass, a service with millions of users is a very likely target. Point 2 is certainly better, but I prefer to add an extra line of defense.

This is my implementation of option 3:

This setup gives you an encrypted password database that resides on an encrypted share accessible by a native clients, and when needed, a web interface. The web-browser plugin will handle web logins, with the sane default of only doing so after the user requires it (e.g. by clicking on the KeePassXC icon in the user field.).

(Mastodon post)