I have started to be more conscious about privacy over the Internet, and one of the most important aspects to take care of when talking about privacy and security is where to store your passwords, as important as what passwords you use.
Most people (including me until some weeks ago) use the same password everywhere to easily remember it later.
Another common practice is to use iOS, Google or Firefox password tools, the problem with that is that you are forced into their ecosystem, and one should always think about who let in charge of your keys
Password manager tools
It is impossible to keep a lot of passwords in our memory, and writing them down is not a good idea either. I started to keep them in a text file encrypted with a password, but it was not the best solution.
So I started to use Chrome password manager, but I did not want to install it on the iPad, even on the PC, I started using Firefox on the laptop too.
So I started to look for an independent password manager tool, but almost all of them required a paid account. And I wanted to have full control over my passwords. So, I decided to use Bitwarden, because there is a self-hosted option
Bitwarden is an Open Source password manager tool, you can host in your server with Docker, this is maybe the most secure way to manage your passwords because you are in full control of them. Of course, they are on a server open to the Internet so they will never be completely secure.
Different type of containers
Bitwarden is not only useful to manage your passwords, but it can also be used for:
- Login Passwords: As all main tools, it records the url, the username, and password.
- Credit Cards: Credit cards can also be stored on Bitwarden server
- Identity: You can store all data of your identity, like Passport number, Social Security number, and so on.
- Security Note: This feature I use a lot, they are like post-it, but secure post-it, I mainly use them to store the keys to unlock sites when 2FA fail, I keep the scratch codes in there.
Of course, you can generate the password with the tool, and adjust the type of password you want.
You can generate passwords of different sizes, from 5 to 128 characters, and if the password will contain: Upper case, lower case, numbers, and special characters. You can also set the minimum quantity of numbers and special characters.
Export and Import
You can export and import the data, this must be done carefully, because it is exported a plain text document, and that document should be deleted once it is not needed anymore.
Bitwarden offers different reports that help you a lot to keep your credentials secure
Exposed Password Report
This is one of the best features it has, it shows you all the passwords you use that has been exposed on the web because someplace you used them has been hacked.
Be sure the change all passwords that appear on this report.
Reused Password Report
This is one is pretty self-explanatory, this report shows all sites where you have used the same password, try to change all of them to random passwords, if one site is compromised the hackers will not gain access to other sites where you use the same login and password.
Weak Password Report
Here you can review all accounts that have weak passwords, usually the same where you have reused passwords. Keep all passwords randomly generated, and with long strings, no less than 14 characters.
Unsecured Sites Report
Here you will have listed all sites where you have an account that does not use SSL, in other words, the signing url is http and not https, on this sites you should of course use unique passwords, as it is easier to lose that password, and the hacker should not be able to use it in any other site.
Inactive two-factor authentication
In this report, it will be listed all sites where 2FA is available, but you do not have it enabled, be sure to use 2FA on every site that has available. This way even if your password gets compromised, nobody will be able to access your info on that site.
Data Breach Report
You can check here if your user name or email has been compromised in any data breach.
The report will show you what info has been made public together with your email address or login, the only thing you can do, is to change the passwords you used on those sites.
Your Bitwarden account can also be secured by enabling 2FA, you have these options to set it up:
- Authenticator APP: Like the ones from Google, Microsoft or Authy.
- Yubico: You need to buy a hardware YubiKey to use this method.
- Duo.com: You need an account with them
- Fido: This one is also from Yubico
- Email: You will get an email with the code every time you want to login
Self Hosted Options
You have good documentation on the site to host it on your server with Docker:
You will need to install at least the server which you can use with your browser extension and your mobile app.
But there is another option for your personal use.
This one is the option for persona use, it is small and also have all features the official one.
You can find the installation instructions here
But, here I will let you how I installed on my server.
AWS_S3_BUCKET_NAME: XXXXXXX # S3 bucket which you own, and already exists
AWS_ACCESS_KEY_ID: YYYYYYYYYYY # Read AWS secrets from environment (or a .env file)
- /var/run/docker.sock:/var/run/docker.sock:ro # Allow use of the "stop-during-backup" feature
With this configuration, you will have two containers, one with Bitwarden, and the second one that will take care to back up your database to AWS S3 or any compatible option. Remember that your vault is encrypted.
You will now only need Nginx or Caddy in front of it, I am using Caddy 2, with this configuration:
If you want to use Nginx, you will need something like this:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Url-Scheme $scheme;
Among with other server configurations.
Consider using a Password Manager tool, I recommend you Bitwarden, but you can use anyone you trust, I know that NextCloud comes with an add-on for it too, I think that is also a great option, what you should not do, is to re-use passwords, or use weak passwords.
Security on the Internet is as important as security in the real world, and you do not let your home or car keys anywhere, you keep them secure and with you.