And people keep asking me why I use a self-hosted, self synced, password manager instead of using one of those super-easy, super-helpful online services to do it for me.
For the same reason why I don't throw my apartment keys into the local train station's safebox.
You may feel safer that way, but it is not. If a dedicated attacker can breach Okta, they can surely breach your self-hosted, self-synced password manager you manage, which you forgot to update on time, or you don't get an update on time.
Remember, these organizations fix the issues weeks, sometimes months, before they release the statement.
If you use open-source and a critical bug is found, you'll get a patch with a press release, while all other large services fixed that already. For average Jane or Joe, the risk-benefit ratio favors services against self-hosted solutions.
An attacker would first have to find my system, specifically, and then breach it. In terms of the most common method of breaching systems, social engineering, it is me, a single software engineer with a very solid background as a sysadmin, compared to a staff of many hundreds or thousands of employees at a large, visible company.
So simply in terms of attack surface, exposure and discoverability, doing that is a REALLY tall order. Many animals in this world survive not because they are huge and strong, but because they are tiny, fast and next to invisible.
Economics play a huge role in attacking systems. Targeted attacks are time consuming, costly, and if the end result is one guy's passwords, usually not worth it. People carrying out such attacks want to use a dragnet, not a fishing rope.
> If you use open-source and a critical bug is found
...then many many many large organisations have the same problems as I do, only while being a lot more exposed and visible than me. Because the software I use relies on the same standardized, battle tested, vetted and re-vetted for years technologies as many commercial products.
False, because it's not only a matter of technical difficulty, but also one of economics. Very unlikely for your average person to be a victim of a deliberate targeted attack.
I suppose in that sense hanging out with a rich friend would mean you're very unlikely to be kidnapped.
While probably true most of the time, it does give you a false sense of security, which makes you a very easy and potentially profitable catch. If you fail to update and a scripted bot catches you, the actor notified will certainly see what's in there.
And if anything you're more likely never to find out. Which means they can just come after you a few months later. Maybe they stole your first CC and then your second CC. I think there are possibilities there that make sense.
Not targeted, but a random attack and data leak is very likely. Much more likely than if they used the service. That's why 99.999% of people should stick with the services.
A random attack that just happens to breach specifically my home server, that uses custom made service scripts to enable syncing to my devices, isn't reachable from the internet, and is airgapped from my DMZ?
Which then somehow manages to exfiltrate and decrypt data that is still encrypted with a public key, the private key to which is not stored on that system, and itself encrypted symmetrically?
Yeah, that doesn't sound like a "random attack" to me, that sounds like a subplot in a Keanu Reeves Movie...
There is probably a halfway decent chance that the vast majority of participants here, individually, would be economically gold mines for compromise.
A bad term, I would say now, "most people." For me, hosting a password manager is like hosting an email server. There are situations where it makes sense. But for 99.99% of people, services are just good enough. Not to mention what a gold mine emails are if they get compromised.
> If a dedicated attacker can breach Okta, they can surely breach your self-hosted, self-synced password manager you manage, which you forgot to update on time, or you don't get an update on time.
Why would you assume the self-hosted alternative even has a server to be breached? If this is the same Okta breach from this week it was a human support channel that was breached. There's nobody like that in front of my setup, and no server or open ports.
Good for you. But the average user wants a password manager on all their devices, including web and mobile browsers. They don't want keepassx and to keep track of a single file. There's nothing to gain, except a false sense of security.
The preferences of normal users aren't relevant for the privacy and security minded. They will always choose the easy route, which was the point of the comment you initially replied to. Here's a quote:
> And people keep asking me why I use a self-hosted, self synced, password manager instead of using one of those super-easy, super-helpful online services to do it for me.
The security of self-hosting and keeping the backups up to date (trivial to automate for computer-literate users) is not false compared to getting pwned by customer service with enough access to be dangerous. You're making it sound way more difficult than it is.
Irrelevant. 1password passwords are encrypted with a key only you have. I HIGHLY doubt that you can keep your homeserver more secure than 1password can its servers.
Irrelevant. The risk of a targeted attack is much lower than the risk of being part of an online attack. I doubt there's anyone on this site who hasn't been part of one of the latter but for someone to decide that I have something worth stealing they must first know that I exist.
> 1password passwords are encrypted with a key only you have.
So is my password store.
> I HIGHLY doubt that you can keep your homeserver more secure than 1password can its servers.
I also highly doubt that my trouser pockets are harder than the 1.5cm thick hardened-steel doors of the storage lockers at the local train station, or that my physical constitution is superior to that of the trained security guards they have there.
And yet, guess where the keys to my apartment are kept. Hint: Not at the train station.
Security is not an absolute measure. It's a cost/benefit tradeoff. 1Password may have customers that make it economical for an adversary to spend $$$$ to breach it despite "better" security, whereas your "less" secure home setup may not be worth the effort.
I wouldn't worry about a targeted attack if I was "nobody" and I was self hosting. Likely bitwarden? I'd worry about an attacker scanning and exploiting every instance they can find. Scanning is cheap and provides value in aggregate.
That feature only exists on family/team accounts, and in that case the account that is allowed to perform recoveries has an escrow of the vault passwords of other team members.
The user who currently holds escrow can distribute those recovery keys to other accounts in that family/team/enterprise. This is why 1Password SaaS forces you to have at least one account admin (aka the user with recovery keys). If you somehow have 0 account admins, creating a recovery key -- without full decryption access to a vault, aka, user still knows their password & account key -- is impossible.
Ain't nobody giving shit about your pictures kept on a home server. Security measures need to be relevant to the chance of attack; they do not exist in the void.
And so mediocre protection of an irrelevant target can be far more effective than good protection of a juicy target.
I understand your point, but if my password vault was a self hosted piece of software and a self hosted vault file, I'd be nervous every day of losing data.
And I am, same as I am worried every day about losing the keys to my apartment. I am speaking as a person who once only got them back by sheer luck (and a young man's honesty), after they fell out of a hole in my trouser pocket.
However, I would be even more nervous if the security of these keys were up to someone other than me. For example a random employee of a big company, whose access to the system I have no say in, who I never met, and whose actions I can neither see nor regulate.
Bottom line is: I prefer worrying about myself failing rather than someone else. Because I can do something about the former.
And while I am certainly not qualified to fly an aircraft, I do feel that I am quite qualified when it comes to software engineering and systems administration.
I think the self-hosted bit is just for syncing; as long as you have multiple devices it's not likely to lose data even if you don't follow the 3-2-1 backups.
I think this works well if you're already invested in GPG for code signing or something and use terminals a lot. It's a little unusual as key management uses asymmetric crypto, so you can add a password without opening your keyring. The passwords are stored in directories and the directory names are the plaintext name of the password (i.e. the site and username). So it doesn't offer privacy. Tampering is possible, you can delete a password without unlocking the keychain by deleting the directory. So it only really protects read access to a password.
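The two properties described in the comment above (entry names are readable without any key, and an entry can be deleted without unlocking anything) are easy to demonstrate on a pass-style layout. The following is an added example, not code from the thread or from the pass project: it builds a constructed store of `<site>/<username>.gpg` files whose contents are random bytes standing in for GPG ciphertext, lists and deletes entries key-free, and adds a keyed-hash manifest (HMAC, assumed to be kept outside the store next to the private key) as one cheap way to detect that kind of tampering. The names `build_store`, `list_entries`, `remove_entry`, `write_manifest` and `verify_manifest` are the example's own.

```python
"""Model of a pass-style password store: one directory per site, one
opaque public-key-encrypted blob per username. Shows that metadata leaks
and deletion works without the private key, and that a keyed manifest
(key stored off the store) catches deletions and edits.
The "encrypted" payloads are constructed random bytes, not real GPG output."""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

MANIFEST = ".manifest.hmac"  # not a *.gpg file, so it is excluded from the digest


def build_store(root: Path) -> Path:
    # Constructed sample layout: <site>/<username>.gpg
    entries = {
        "example.com": ["alice"],
        "mail.example.net": ["alice", "alice-work"],
    }
    for site, users in entries.items():
        (root / site).mkdir(parents=True, exist_ok=True)
        for user in users:
            # Stand-in for a GPG-encrypted payload; producing it needs only the public key.
            (root / site / f"{user}.gpg").write_bytes(secrets.token_bytes(64))
    return root


def list_entries(root: Path) -> list[str]:
    # Site and username are the path itself: readable by anyone with filesystem access.
    return sorted(
        str(p.relative_to(root).with_suffix("")) for p in root.rglob("*.gpg")
    )


def remove_entry(root: Path, name: str) -> bool:
    # Deletion needs no key either: the encryption protects reads only.
    target = root / f"{name}.gpg"
    if not target.exists():
        return False
    target.unlink()
    return True


def _digest(root: Path) -> bytes:
    # Hash over sorted (path, content) pairs so renames, edits and deletions all change it.
    h = hashlib.sha256()
    for p in sorted(root.rglob("*.gpg")):
        h.update(str(p.relative_to(root)).encode())
        h.update(b"\0")
        h.update(hashlib.sha256(p.read_bytes()).digest())
    return h.digest()


def write_manifest(root: Path, key: bytes) -> None:
    # The HMAC key must live outside the store (assumed: alongside the private key);
    # if it sits in the store, whoever can delete files can also re-sign.
    (root / MANIFEST).write_bytes(hmac.new(key, _digest(root), "sha256").digest())


def verify_manifest(root: Path, key: bytes) -> bool:
    path = root / MANIFEST
    if not path.exists():
        return False
    expected = hmac.new(key, _digest(root), "sha256").digest()
    return hmac.compare_digest(path.read_bytes(), expected)


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumed to be kept off the store
    with tempfile.TemporaryDirectory() as d:
        root = build_store(Path(d))
        write_manifest(root, key)
        names = list_entries(root)          # leaks site/username without a key
        intact = verify_manifest(root, key)  # True: nothing touched yet
        removed = remove_entry(root, "mail.example.net/alice-work")  # no key needed
        after = verify_manifest(root, key)   # False: deletion detected
        return {"names": names, "intact": intact, "removed": removed, "after_removal": after}


if __name__ == "__main__":
    print(demo())
```

The manifest only detects tampering after the fact; it does nothing for the privacy of the names, which would need the index itself to be encrypted or the store to be kept off shared hosts.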
We use a similar gpg-based one in our Configuration Management infrastructure; works really well.
The data files are encrypted with the keys of the CM main servers and other admins. Git has history in case something that should not get removed got removed, and if you want more accountability than just git logs, you can also force that the data is always signed with certain keys via server-side git hooks.
With a little config, even git diff/git log work, showing the unencrypted content (if you have the right key).