[weaksauce]

there's a non-zero risk of hosting it yourself and not keeping up with the maintenance/security updates of whatever server you host it on. gotta weigh that in the calculus. It might not be likely that they target you specifically but there could be a drive by bot that slurps up your password vault.

[utsuro]

Most people seem to think it needs to be accessible online. Remote Access =/= Internet Access. Self hosting an external vault, using VPNs, and requiring MFA access make the vault tricky to get to in the first place. You’re machine would need to be compromised first for an attacker to even connect to it—and at that point you’re compromised (and probably keylogged).

If you’re actively under attack no Password Manager, mental algorithm/ password pattern, Yubikey, or MFA will prevent someone from just using your authenticated session(s).

Does that mean we shouldn’t use these mechanisms? Of course not. When the risk is only realized with full compromise—saying XYZ could pose a threat is moot from a security perspective.

[weaksauce]

> Self hosting an external vault, using VPNs, and requiring MFA access make the vault tricky to get to in the first place.

ok but that also is prone to a weakness in any part of that chain assuming you even set it up properly in the first place. each piece is another layer that can be hacked or improperly setup.