How would I know if my password vault was hacked?

So, after quite a while of me trying over and over, I finally got Bitwarden working in AWS on my own instance using my own domain name. It’s been working great for a week or so now, flawlessly between all my devices.

Biggest reason I’m using Bitwarden is because all of my passwords sync across all of my devices, giving me the convenience of LastPass, yet it’s in my own hosted environment, so I’m not a target like LastPass or 1Password. I’m sure that’s why most do it.

But, how would I know if my instance was hacked, short of just getting hints from my services that weird logins are coming in from unexpected IP addresses? It seems when I read about LastPass’ hacks, they find traces in their logs that are amiss. Stuff is off that hints at the attack. For my EC2 instance, I only have, I think, 80 and 443 open… Well, I guess SSH is open too. Security has never been my strong suit.
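One concrete way to get the kind of “something is off in the logs” signal the question asks about, on a self-hosted instance with SSH exposed, is to scan the sshd auth log for accepted logins from outside the addresses an admin actually uses and for bursts of failed attempts. The script below is an added example, not from the original post or from Bitwarden; the log lines, IP addresses and the admin network are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample sshd lines (placeholder IPs, not from any real instance).
SAMPLE_AUTH_LOG = """\
Mar 03 10:01:12 bitwarden sshd[812]: Accepted publickey for ubuntu from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:abc
Mar 03 10:05:44 bitwarden sshd[901]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 03 10:05:46 bitwarden sshd[903]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 03 10:05:49 bitwarden sshd[905]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Mar 03 10:05:51 bitwarden sshd[907]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Mar 03 11:17:03 bitwarden sshd[1200]: Accepted password for ubuntu from 198.51.100.7 port 40100 ssh2
"""

# Hypothetical: the only network an admin should ever SSH in from (home/office range).
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]

ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def is_admin_ip(ip):
    """True if the address falls inside one of the expected admin networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)

def audit_ssh_log(text, failure_threshold=3):
    """Return (unexpected_logins, brute_force_sources) found in sshd log text.

    unexpected_logins: accepted sessions from outside ADMIN_NETWORKS
    brute_force_sources: {ip: failed_count} for IPs at or above the threshold
    """
    unexpected = []
    failures = Counter()
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if not is_admin_ip(ip):
                unexpected.append({"user": user, "ip": ip, "method": method})
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
    brute = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return unexpected, brute

if __name__ == "__main__":
    logins, brute = audit_ssh_log(SAMPLE_AUTH_LOG)
    for entry in logins:
        print(f"UNEXPECTED LOGIN: {entry['user']} via {entry['method']} from {entry['ip']}")
    for ip, n in brute.items():
        print(f"BRUTE FORCE: {n} failed attempts from {ip}")
```

On a real host the same function can be fed the contents of the sshd log (for example from `journalctl -u ssh` or /var/log/auth.log, depending on the distribution) and run from cron; a password login from a brute-forcing address, as in the sample, is the pattern worth paging on.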

With due respect, that is an excellent reason to leave the safeguarding of the cloud database to the experts, by having Bitwarden host your data.

Furthermore, because of the zero-knowledge design of Bitwarden, a breach of their cloud servers should not put you at any risk, if you have a sufficiently strong master password. For example, if your master password is a randomly generated, 4-word passphrase, then your vault will be safe from cracking even if a copy of the encrypted data were ever stolen from Bitwarden’s cloud servers.

Just remember, LastPass and 1Password have “experts” hosting their password systems and they keep getting hacked and stuff stolen. So, leaving it to the experts makes a large pile of very valuable credentials… the more people who leave it to the experts, the larger the target the experts become, and that becomes a liability. The zero-knowledge design means nothing to me. LastPass and 1Password are zero knowledge too and they were hacked and people’s creds stolen. I read how it happened. Some of it was way over my head. One of them, it was a support session; the keys were stolen during the support session. But, probably any encryption and zero knowledge that I know about is child’s play to Russian hackers and they’re laughing at our so-called zero-knowledge password storage.

I probably need to read about forensic computing or whatever to understand how they detect the hack.

Again, with respect, it seems (based on the claims made in your comments) that most of it may have been “over your head”.

If you don’t understand how this works, then you have no basis for criticizing the security of this technology.

Please provide even one example proving that credentials have been stolen from a 1Password customer.

LastPass was demonstrably not zero-knowledge at the time of the breaches last year, since they were storing sensitive vault data as unencrypted cleartext.


This argument reminds me of those who argue that they prefer to keep their cash at home instead of taking it to the bank.

Call me classic, but I think that my money is safer at the bank than at home under a mattress.

The way I see it here, using Bitwarden would be like starting my own bank and keeping it there. The analogy of keeping it under the mattress would be me keeping my passwords in a spreadsheet in Dropbox. Bitwarden wrote the software. It isn’t my solution. I’m just putting their solution in my own space. I’m sure my little bank that I just put up using Bitwarden’s software doesn’t have the army of soldiers in front of the bank protecting it like 1Password has… but I’m not a target like the big bank is either. There is some protection… Bitwarden builds it into their setup and I have AWS’ firewall in front of my VM. I don’t know. Not even sure how a hacker would know to look for my instance of Bitwarden in AWS. (I guess one downfall is I did create an A record on my root domain called bitwarden. I guess that might give it away. Not sure if hackers are scanning root domains for sub A record domains called bitwarden or any other keywords of interest…)

So, I still like my setup. I see everyone’s point too. I think I’ll chance it for now. I like that it’s hosted in my own space. So far, the bill every month for me to run this instance doesn’t look like it’s going to run up much. I’m trying to learn cloud computing for my professional work, so kind of nice having my own space doing something useful that is related to my work profession.

Maybe I should’ve just done this…
https://www.google.com/search?q=how+to+scan+my+aws+for+security+vulnerabilities&oq=how+to+scan+my+aws+for+security+&gs_lcrp=EgZjaHJvbWUqBwgBECEYoAEyBggAEEUYOTIHCAEQIRigATIHCAIQIRigATIHCAMQIRigATIHCAQQIRigATIHCAUQIRigATIHCAYQIRirAjIHCAcQIRirAjIHCAgQIRirAjIKCAkQIRgWGB0YHtIBCDg3MzdqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8

Maybe check out https://www.tenable.com

I’m pretty sure I’ve heard that company’s name thrown around in meetings at work when talking about cloud security… maybe it will be too expensive for my little setup too… just an idea.

Maybe not tenable… like $3500 a year to use it… lol.

I just set up default security auditing in AWS. See how that works. Be fun to learn.

(Our company doesn’t do anything with AWS. We’re a GCP and Azure shop… but I want to learn AWS too… Figure AWS will be my prod for my personal life… I’ll play around in GCP and Azure… even though, of course, I know about projects and directories in other clouds to isolate my configs.)
