I have been self-hosting bitwarden_rs for many years now, and am very happy with it. It's free as in freedom, open source, and designed to be run and operated and secured by you exclusively, so you have full control over your data and don't need to rely on a third party being available.
> designed to be run and operated and secured by you exclusively
Which means you have to secure it. That's something a lot of people will not know how to do properly, and an insecure server with Bitwarden exposed to the public internet may turn out to be worse than trusting e.g. 1Password. Just something to keep in mind when making that decision.
If that's what you prefer, you can use Bitwarden.com and let them host and secure it. It's just an advantage for Bitwarden that if you want to, you can self-host.
Compared to 10-15 years ago, securing a deployment of a web service is trivial today. Let's Encrypt gets you TLS certificates for free. Wireguard gives you an out-of-the-box secure VPN solution so you can access services outside of your home network (setup is even easier now that it's part of the kernel). Wire everything together with Nginx/Caddy/Traefik and you're off to the races.
It may be trivial to throw something together that works (I think it's still pretty hard unless you do devops stuff a lot, which hardly anyone will) but it's not going to be very secure, at least not down the line.
- Where do you host all that? If on your home network, then your availability is probably not going to be great. Sucks to be travelling and unable to get to anything because your Wireguard Raspberry Pi died, so you need to make sure you don't need that. If using a cloud or other IaaS you run similar risks to 1Password etc., same with "conventional" root server hosters. If they get owned, you may too.
- How secure is your domain name? DNS? Your app may not warn you if the server answering isn't the one that answered yesterday.
- Is your OS hardened? What else is running on your critical machines? How do you keep everything updated, OS and the actual applications?
- How do you keep abreast of zero days and critical issues in the exposed components?
- How do you know when automatic updates fail? How do you know you've been compromised?
- Do you keep all your machines on the same network? Can a smart lightbulb be an exploit vector?
- What about machines that access Bitwarden or whatever directly – how secure are those?
- What will the whole thing cost, both in terms of time and money? What about upskilling?
- If you manage this for others, which is something that cloud services excel at, with rights management and the like: Are you ready to admin this for the long run, do "customer" service, etc.?
Not saying everyone will need to cover all those bases, or that you couldn't or wouldn't just take some risks, but if the aim is to get better security than e.g. 1Password with their security teams and posture, then it's worth at least trying to have a complete picture and make conscious decisions on them. What needs to be covered will depend on a lot of factors, including how exposed you think you are.
There may not have been any mass-takeovers of badly secured domains, but we've seen during the Log4J incident that a lot of people believe not being listed on Google means their services cannot be discovered only to find they're getting hammered with attacks, and that attackers have levelled up their capabilities a lot, with large-scale and surprisingly well-engineered attacks springing up pretty quickly. That trend will likely continue and that combination of very capable attackers perceived as incompetent and lots of false assumptions about the actual risks is pretty dangerous; a lot of people will not realize how exposed they are because HTTPS==secure, right?
That no one has targeted self-hosted Bitwarden instances on a large scale so far is no guarantee that no one ever will. People are presumably trying to breach 1Password all the time and so far they seem to hold up well, though LastPass hasn't. What risk is bigger? That a homebrew setup falls to an untargeted mass exploit? That someone will target you with something more sophisticated? That 1Password is breached and keeping data they say they don't? That LastPass keeps data that everyone assumes they don't but never publicly said they don't, and gets breached? If anyone knows, I'd like the details of their analysis, because to me it doesn't seem straightforward at all.
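Two of the questions in the checklist earlier in the thread ("How secure is your domain name? DNS? Your app may not warn you if the server answering isn't the one that answered yesterday" and "How do you know you've been compromised?") can be partly answered with a small drift monitor. The following is an added example written for this thread, not code from any commenter, from bitwarden_rs or from Bitwarden: it records a baseline of the DNS answer, the TLS issuer and the leaf-certificate fingerprint for a self-hosted host, and reports what changed on the next run. The hostname `vault.example.org` and the baseline file path are assumptions; the sample baselines in the tests are constructed.

```python
"""Drift monitor for a self-hosted service: DNS answer, TLS issuer, leaf cert.

Added example for the discussion above (not part of bitwarden_rs). Run it from
cron on a machine you trust; a changed DNS answer or issuer is worth a look,
while a changed leaf fingerprint with the same issuer is usually just a renewal.
"""
from __future__ import annotations

import hashlib
import json
import socket
import ssl
import sys
from pathlib import Path

# Assumed host and baseline location; both are placeholders for this example.
DEFAULT_HOST = "vault.example.org"
DEFAULT_BASELINE = Path("~/.cache/drift-baseline.json").expanduser()


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated uppercase hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_observation(host: str, port: int = 443) -> dict:
    """Resolve the host and fetch the certificate it presents (live network call)."""
    addresses = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
    ctx = ssl.create_default_context()  # normal chain + hostname verification
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()  # parsed form, only populated for a verified peer
    issuer = dict(rdn[0] for rdn in info["issuer"]).get("organizationName", "unknown")
    return {"addresses": addresses, "issuer": issuer, "fingerprint": cert_fingerprint(der)}


def compare(baseline: dict, current: dict) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for every field that drifted since the baseline.

    Ordering is fixed (addresses, issuer, fingerprint) so callers can rely on it.
    """
    alerts: list[tuple[str, str]] = []
    if baseline["addresses"] != current["addresses"]:
        alerts.append(("high", f"DNS answer changed: {baseline['addresses']} -> {current['addresses']}"))
    if baseline["issuer"] != current["issuer"]:
        alerts.append(("high", f"TLS issuer changed: {baseline['issuer']!r} -> {current['issuer']!r}"))
    if baseline["fingerprint"] != current["fingerprint"]:
        # Expected roughly every 60-90 days with Let's Encrypt; still worth logging.
        alerts.append(("info", f"leaf certificate changed: {baseline['fingerprint']} -> {current['fingerprint']}"))
    return alerts


def check(host: str, baseline_path: Path) -> list[tuple[str, str]]:
    """Compare the live observation with the stored baseline, then update the baseline."""
    current = fetch_observation(host)
    alerts: list[tuple[str, str]] = []
    if baseline_path.exists():
        alerts = compare(json.loads(baseline_path.read_text()), current)
    baseline_path.parent.mkdir(parents=True, exist_ok=True)
    baseline_path.write_text(json.dumps(current, indent=2))
    return alerts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    for severity, message in check(target, DEFAULT_BASELINE):
        print(f"[{severity}] {target}: {message}")
```

Because the baseline is rewritten on every run, an attacker who has already moved the record would only be caught on the first run after the change, so the alerts need to go somewhere that is actually read (mail, a chat webhook, a log that is monitored). A second instance run from a different network, such as the VPN endpoint mentioned above, also catches the case where only one resolver is lying.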