True, but the alternatives generally are either a pain in the ass or require yet another syncing service to have sensitive info just so I can access things reliably anywhere.
It is still more secure than SMS and email based options.
Besides, my vaultwarden still needs an MFA code to access in the first place, and that’s handled by a separate generator.
I’m willing to accept the slight security difference in exchange for the convenience of having access on a single app 99.9% of the time.
To get into my Vaultwarden in the first place to get my info they’d first have to know my self-hosted server exists to target. And they’d need to compromise that MFA which is handled by a separate unrelated app.
That’s more than enough security for nearly everyone on the planet.
Sure. But if your bitwarden is protected by a 50char password AND a yubikey, it’s not that big of a tradeoff imo. That’s what I do, but I have hundreds of MFA tokens and it was PAINFUL to auth a lot of the time when I was using an authenticator app.
They’re exactly why I decided to accept the slight security downgrade for usability. Plus, at the time, finding a yubikey that would work with every device, desktop, laptop, mobile, etc. was impossible without dongles, kind of defeating the point. USB-C wasn’t on everything then.
How do you like the self hosted approach? I contemplate it every so often, but I’m not sure that my sysadmin abilities (and attention) are enough to keep it secure.
The admin overhead isn’t too bad as long as you have a good base, and don’t try to do anything crazy. I transferred from Synology to a custom built NAS recently, and it’s running TrueNAS. That supports not only docker now, but also a catalog of apps preconfigured for TrueNAS with minimal manual setup needed.
For Vaultwarden, since it needs external access, I had issues setting up various reverse proxy systems and dynamic DNS services properly. So I got cheap like $5 domain through Cloudflare, and run a Cloudflare tunnel back to my network for Vaultwarden and a couple other apps like Emby for my media.
The Cloudflare tunnel also allows me to use WARP as a VPN on my laptop and phone to route that traffic back through my home network. Which also lets me use the pi-hole on my network for my ad blocking on those devices.
I jump into the TrueNAS interface weekly to check for system and app updates, and that’s about it.
Depends on your org. I have a yubikey, a phone app Authenticator, a pin and my regular SSO login/password. All of which I have to use constantly, because some dumbass did something dumb like two fucking years ago. So I can hardly get shit done. Plus the same dumbasses who probably fucked all this up are writing production code for an actual product. Please kill me.
Yeah, I got 4 because I’m paranoid about losing access to things, and still spread out backup TFA mechanisms… I don’t trust technology to be reliable enough, heh.
Personally, I have the second Gen Google Titan USB keys, I upgraded from the first Gen some time ago. They’re Fido2 so they’re very equivalent to yubikey in most respects.
I use my yubikey for work. I connect it to anything and everything I can. I use Microsoft’s authenticator as my backup for work.
I have a pair of Fido2 keys for personal with totp backups, and recovery codes as a last line of defense (stored in a secure location), and one Fido2 key with totp backups for work.
Ironically, the least secure account I have is for my bank, which doesn’t support Fido2 (or anything other than SMS).
So mine supports it in principle, but I haven’t tested it out yet. Enrollment seems simple enough though. I use a handful of 2fa apps between work, personal password manager, sms backup, and so on… I have hopes to consolidate and onboard TOTP some day, but the banking apps have low support, so thats annoying.
Okay so I get this is a meme BUT I started using a yubikey instead of the auth app and it has done a world of good for my sanity.
I transitioned everything to Bitwarden. Password manager, passkeys, and MFA code generation all in one app that works on all of my devices.
And then I started to self-host it via Vaultwarden and transferred all the data.
A friendly FYI: having your passwords and MFA in one place partially defeats the purpose
True, but the alternatives generally are either a pain in the ass or require yet another syncing service to have sensitive info just so I can access things reliably anywhere.
It is still more secure than SMS and email based options.
Besides, my vaultwarden still needs an MFA code to access in the first place, and that’s handled by a separate generator.
I get that not everyone wants to set up something like Aegis in combination with e.g. Syncthing.
Of course it is still better than SMS and email, but I would recommend you check out Ente Auth and/or Proton Auth.
Both are end to end encrypted and you would at least have it in separate apps
I’m willing to accept the slight security difference in exchange for the convenience of having access on a single app 99.9% of the time.
To get into my Vaultwarden in the first place to get my info they’d first have to know my self-hosted server exists to target. And they’d need to compromise that MFA which is handled by a separate unrelated app.
That’s more than enough security for nearly everyone on the planet.
Perfectly valid, everyone has their own threat model and their own standards.
I do 2 accounts, one normal, one mfa. If only the extension would let you pull from both accounts at once! KepassXC still does the usability better.
Sure. But if your bitwarden is protected by a 50char password AND a yubikey, it’s not that big of a tradeoff imo. That’s what I do, but I have hundreds of MFA tokens and it was PAINFUL to auth a lot of the time when I was using an authenticator app.
They’re exactly why I decided to accept the slight security downgrade for usability. Plus, at the time, finding a yubikey that would work with every device, desktop, laptop, mobile, etc. was impossible without dongles, kind of defeating the point. USB-C wasn’t on everything then.
Bitwarden is just so awesome
How do you like the self hosted approach? I contemplate it every so often, but I’m not sure that my sysadmin abilities (and attention) are enough to keep it secure.
The admin overhead isn’t too bad as long as you have a good base, and don’t try to do anything crazy. I transferred from Synology to a custom built NAS recently, and it’s running TrueNAS. That supports not only docker now, but also a catalog of apps preconfigured for TrueNAS with minimal manual setup needed.
For Vaultwarden, since it needs external access, I had issues setting up various reverse proxy systems and dynamic DNS services properly. So I got cheap like $5 domain through Cloudflare, and run a Cloudflare tunnel back to my network for Vaultwarden and a couple other apps like Emby for my media.
The Cloudflare tunnel also allows me to use WARP as a VPN on my laptop and phone to route that traffic back through my home network. Which also lets me use the pi-hole on my network for my ad blocking on those devices.
I jump into the TrueNAS interface weekly to check for system and app updates, and that’s about it.
Depends on your org. I have a yubikey, a phone app Authenticator, a pin and my regular SSO login/password. All of which I have to use constantly, because some dumbass did something dumb like two fucking years ago. So I can hardly get shit done. Plus the same dumbasses who probably fucked all this up are writing production code for an actual product. Please kill me.
I hear that if you lock down your system so much that no one can access anything that’s peak security.
I too have a yubikey. My advice, have something that functions as a backup.
Other than that, yes. It’s way better than alternatives.
Yeah, I got 4 because I’m paranoid about losing access to things, and still spread out backup TFA mechanisms… I don’t trust technology to be reliable enough, heh.
Personally, I have the second Gen Google Titan USB keys, I upgraded from the first Gen some time ago. They’re Fido2 so they’re very equivalent to yubikey in most respects.
I use my yubikey for work. I connect it to anything and everything I can. I use Microsoft’s authenticator as my backup for work.
I have a pair of Fido2 keys for personal with totp backups, and recovery codes as a last line of defense (stored in a secure location), and one Fido2 key with totp backups for work.
Ironically, the least secure account I have is for my bank, which doesn’t support Fido2 (or anything other than SMS).
Are you using the slightly more expensive one capable of generating TOTP codes?
I also use a Yubikey too, but I still have to use another 2FA app for services that don’t support passkeys yet.
So mine supports it in principle, but I haven’t tested it out yet. Enrollment seems simple enough though. I use a handful of 2fa apps between work, personal password manager, sms backup, and so on… I have hopes to consolidate and onboard TOTP some day, but the banking apps have low support, so thats annoying.