chore: fill in password-managers post

main
CrimsonTome 2022-12-26 11:03:16 +00:00 committed by Rowan Clark
parent 1409cfe9a7
commit 58e46af244
No known key found for this signature in database
GPG Key ID: F620D51904044094
3 changed files with 47 additions and 5 deletions


@ -1,4 +1,34 @@
Commit: 2d8cd50
Commit: 7010904
Author: Rowan Clark
Mon Dec 26 11:03:16 2022
Commit subject:
chore: fill in password-managers post
Commit: 1409cfe
Author: Rowan Clark
Sat Dec 24 12:52:16 2022
Commit subject:
style: prettierformatting
Commit: d21a0ca
Author: Rowan Clark
Sat Dec 24 12:45:33 2022
Commit subject:
chore: add update post, init draft pw manager post
Commit: f0a5905
Author: Rowan Clark
Mon Nov 28 15:45:33 2022
Commit subject:
add mastadon
Commit: 128a9d3
Author: Rowan Clark
Sun Nov 27 13:41:10 2022
Commit subject:
chore: update stack page
Commit: f8b985d
Author: Rowan Clark
Mon Nov 7 00:23:49 2022
Commit subject:
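Review bot: The entry for this change (subject "chore: fill in password-managers post", Mon Dec 26 11:03:16 2022) is recorded under 7010904, but the commit carrying this file is 58e46af244, so the committed changelog points at a hash that is not this commit. A file generated from `git log` and then committed cannot contain the hash of the commit it belongs to; generating it at build or deploy time and keeping it out of the repository avoids both the mismatch and the churn on every commit. The last entry (f8b985d) also ends with an empty "Commit subject:", which is worth checking against that commit.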


@ -1,3 +1,3 @@
#!/usr/bin/env bash
git log --date=local --format="Commit: "%h%n"Author: "%cn%n%ad%n"Commit subject: "%n%s%n > CHANGELOG.md
git log --date=local --format="Commit: "%h%n"Author: "%cn%n%ad%n"Commit subject: "%n%s%n > CHANGELOG
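Review bot: The "Author: " label in the format string is filled from %cn, which is the committer name, not the author name (%an). On this very commit the two differ (CrimsonTome, committed by Rowan Clark), so the generated changelog credits the committer as the author; use %an or relabel the field as "Committer: ". The placeholders also sit outside the double quotes (`"Commit: "%h%n"Author: "%cn%n...`), which works only because they contain no whitespace; quoting the whole format as a single string is more robust. Since the output name appears as both CHANGELOG.md and CHANGELOG, confirm that anything reading the old file name is updated.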


@ -1,11 +1,23 @@
---
title: Self host your password manager!
description: How and why you should self host your own password manager
date: 2022-12-24
date: 2022-12-26
tags:
- self-hosting
- linux
- vps-series
- security
layout: layouts/post.njk
---
tldr: password managers provided by large companies, while convenient and come with some very nice faeatures are very much vulnerable to having data breaches and can have security issues. You don't want that.
You've seen the news, it seems like every other week a company has a data breach or vulnerability discovered. For example LastPass had an incident in August 2022. Whilst the company did a good job of disclosing the fact they had a breach, saying only development material was compromised and that they had no reason to believe any passwords of its users had been stolen, in December 2022 they updated their [post](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) stating that some personal information was obtained, such as 'end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service'. Whilst this data isn't classed as critical, it is still data that could be used to aid in another attack on an individual or company. However those that use a weak master password could still have their database [brute forced](https://en.wikipedia.org/wiki/Brute-force_attack). There are other examples that you can find online with a quick Google search.
So what can you do about this? Don't rely on companies to provide security for you. [Self host](<https://en.wikipedia.org/wiki/Self-hosting_(web_services)>) your own password manager. This can either be via an application on your computer or a web based client on a [VPS](https://en.wikipedia.org/wiki/Virtual_private_server). I can recommend [Vaultwarden](https://github.com/dani-garcia/vaultwarden) for hosting on a server. You can install it using [Docker](https://docker.com) with the following commands:
```sh
docker pull vaultwarden/server:latest
docker run -d --name vaultwarden -v /vw-data/:/data/ -p a-port-that-is-not-in-use:80 vaultwarden/server:latest
```
If you are new to Docker, you can follow [this guide](https://kieranrobson.com/docs/docker-and-docker-compose/) by Kieran Robson on installing Docker and Docker Compose.
For desktop use I recommend using the cross-platform [KeePassXC](https://keepassxc.org/). Both will prompt you to enter in a master password, for those that haven't used a password manager before, this is the one password you will have to remember, think of it as a key to your database filled with passwords. Make sure this is a strong, but memorable password! If you lose this password your database will be unusable to you and if it is too weak it's vulnerable to being brute forced - especially if you are exposing this over the network.
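Review bot: The `docker run` line publishes the container's port 80 (`-p a-port-that-is-not-in-use:80`) and the post never mentions TLS, so a reader following it would serve their vault over plain HTTP on every interface of the VPS, which is the case the closing paragraph itself warns about ("especially if you are exposing this over the network"). Suggest binding the port to loopback (`-p 127.0.0.1:<port>:80`), adding a step that puts a TLS-terminating reverse proxy in front of it, and pinning a specific image tag instead of `:latest` so that a pull does not silently change the running version. In the LastPass paragraph, the sentence about a weak master password being brute forced does not follow from the text before it, which lists only personal information as obtained; say what was taken that makes offline guessing possible. Minor: "faeatures" in the tldr line.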