On self hosting, some thoughts I’ve had on that are that while BitWarden may be a bigger target there is the benefit that your vault is one of many that may be taken in any successful hacking attempt.
Despite the noise surrounding the last LastPass breach, there seems to be limited discussion outside of tech circles really; I’m not seeing loads of users complaining online that they have suffered loss, class action lawsuits flying for data loss etc and the talk seems to be about the potential not the realised (unless I’ve missed something, I’ll admit I’ve not researched that extensively but might start).
Have some accounts been compromised? Seems probable. Have more been compromised than would have ordinarily been compromised over the same period due to malpractice on behalf of the user (e.g. poor passwords reused etc)? Who knows.
Maybe they (the hackers) were content in the first phase to just sell off the unencrypted user data and URLs and didn’t want to waste time forcing passwords, or perhaps other data from the wider GoTo group was more attractive to attempt to make use of than vault data, at least initially.
It seems like a useful test case for what happens when the excrement goes through the desk fan anyway.
Whatever the case may be, it seems logical that one vault in thousands, hundreds of thousands or millions would be safer than one on its own (safety in numbers, so to speak).
If I was self hosting I might think about making many spoofs in addition to the useful vault just for that reason (maybe that’s part of the set up anyway, I’ve no idea - that’s part of my reticence; not having the expertise).
Then there’s the fact that BitWarden employ specialists, third parties, bounty programmes etc to secure the data they store.
Is your self hosted vault doing similar? Probably not I would assume. It’s doubtful that you employ or could afford to employ similar levels of 24/7 expertise to secure your own hosting solution.
There’s a thought that whilst a bigger target, BitWarden’s cloud would be a harder nut to crack than somebody’s home server solution, so a strategy could be to go for the many small guys that are easier targets then go for the big one, as it might be statistically more successful overall (many small successes could be more valuable than many failed attempts at a bigger target).
There are real-world examples of that sort of strategy being successfully employed, so it doesn’t necessarily follow that because a target is bigger with a bigger potential payoff, it becomes the preferred target.
If you have some technical edge, like you work in the tech security sector, sure it is likely to be more secure or could be, but that’s not my situation.
Also if you do need remote access my guess would be that you’re still only making it incrementally more secure, not eliminating the risk of somebody getting your vault file. As such it would still seem prudent to assume the worst can and will happen at some point.
Just all seems far from a ‘slam dunk’ to better security to self host.
Ultimately though what could it achieve assuming it is all possible and leads to an undisputedly more secure vault storage solution?
I think what I would be doing, is self hosting a vault (because I do not trust the cloud service provider to do it for me), and in that vault would be the login credentials to online cloud services that I use and want to protect access to, even though they are the very same cloud services I’m saying I do not trust.
Does that sound like a rational thing to do?
Splitting hairs about the type of data you do and do not trust to be cloud stored seems slightly pedantic to me; you can acknowledge your own contradiction in using the Authy cloud sync solution (unless you’ve got that self hosted)?
It’s about this point I decided against the idea of self hosting in a cost benefit/risk benefit consideration, but I’m happy to be convinced otherwise.
In that review and comments, I have read that previously but re-read it just now, as you raised it.
Which element concerns you?
Compatibility seems to be OK on the face of it, guess there’s going to be snags in real world usage that are only going to be revealed when trying it, but seems that the whole thing is maturing.
A lot of the time I take comments on things like Android device support with a pinch of salt due to the varied nature of such devices.
Carrying an additional item doesn’t seem a big deal. Keys/wallet/phone is the de facto standard carry, so if you can have one in your wallet or on a key ring with your house keys etc, it’s not an additional thing to remember?
Seems like an awful lot of anecdotal evidence of people carrying these with keys and no specific care, without running into problems - “had it on my key chain but they broke every five minutes” isn’t a complaint I’m coming across, and in this world people are normally quick to condemn such things, especially when that method of carry is touted by the device vendor (carry it on my keys they said…).
Probably I’m reading with a lot of confirmation bias at this point because I think secretly I just want to buy a hardware key, so would be interested in what caught your attention there?
Have you looked at GoTrustID Idem Keys?
No TOTP via app, as far as I can tell, but they are NFC.
The benefit of those is cost; you could get 5 for the cost of two Yubikey 5 NFCs, so one with workstation, one with keys, one backup, one offsite backup, and a hot spare for when a child chews or otherwise destroys a key, or flushes one down the toilet (which is going to happen and will be an ‘accident’).
Five is currently the maximum supported by BitWarden too I believe.
Yubikey seems better overall, and potentially has higher company ethics, just can’t ignore the cost difference entirely.
IDEM key is made in Taiwan vs USA or Sweden for Yubikey, is my understanding, if that matters to you.
I’m most likely going to bite the bullet and test drive the IDEM key at this point ($20 to see if it’s a solution that might work doesn’t seem to be the end of the world).