| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by zweicoder 3225 days ago
	I'm thinking of self-hosting a password manager like KeeWeb but I'm afraid of my own self-hosted solution not being as reliable (downtimes / loss of data). Do you have any precautions against catastrophic failures?

2 comments

zackelan 3225 days ago

The self-hosted solution I use for this (switched from LastPass) is pass[0] plus syncthing[1]. Passwords are just GPG-encrypted files, so they replicate seamlessly - much better than the "single monolithic database" approach of things like Keepass which is prone to sync conflicts.

Syncthing mirrors everything between my desktop, laptop, and phone (and there's an Android app[2] that works with OpenKeychain[3] so passwords are accessible from my phone). I haven't done this yet, but it'd be trivial to also run syncthing on a cheap VM somewhere, and replicate the passwords to it (but obviously not my GPG private key) for disaster recovery.

0: https://www.passwordstore.org/

1: https://syncthing.net/

2: https://github.com/zeapo/Android-Password-Store

3: https://www.openkeychain.org/

link

PascalW 3225 days ago

This is exactly the setup I'm using too. Works well, though the whole setup is a little less polished than 1Password which I was using before.

On the desktop I'm using Browsers [1] and QTPass [2].

[1] https://github.com/dannyvankooten/browserpass

[2] https://qtpass.org/

link

JamesLeonis 3225 days ago

I use Keepass with Dropbox. Keepass keeps the DB file secure with encryption and many rotations, so I'm not afraid of a brute-force on the file itself. It takes 500ms on my beefy desktop to unlock the DB, and almost 3 seconds on my macbook.

Most services are tied to my email, so I have both 2factor auth AND recovery codes that I have stored in a safe place. Additionally I have the Keepass password written down in a safe (separate) place just in case. This is my backup in case I lose access to my Keepass db.

As one last bit, I have Keepass to auto-lock after a bit of inactivity, so I'm constantly retyping that password. This helps me memorize it.

In many ways this keeps me safer. I stay logged out of most websites by default. It can also protect me against terrible password policies. For example, I once had a bank that limited passwords to 8 characters. I had Keepass remind me to generate and rotate that password every quarter just in case. When Heartbleed dropped, I marked all my passwords in red and only changed them back when I updated that website password.

link