Bitwarden or Proton Pass

I want to present @AlphaElwedritsch with a different opinion. I use the word because I don’t think any of what @anon90831229 said is wrong, but this is how/why I weigh things differently.

First, cloud does add another point of failure, but so does syncing. If you’ll selfhost, most likely you’ll want the passwords on your phone as well, so there’s that.
Using reputed cloud-based software that go through serious audits (like Bitwarden, 1Password or Proton Pass) mitigates the cloud risk, as well as using reputable syncing solutions also mitigate syncing risks, but it’s much much more complex than simply using a cloud service.
As a rule, self hosting requires tech savviness even if security is not an issue.

Second:
@anon90831229 is probably right that your password manager cloud is more likely to be targeted than your selfhosted solution if you’re not yourself a high-value target. But the real danger here is neither, but rather malware in your computer/phone. A compromised OS will get you either way. It doesn’t matter where your passwords are hosted if the malware is looking at your keystrokes & clipboard or taking screen shots. Your mitigation here is having sound habits: use good (and few) software (&hardware if possible), update constantly, don’t use browser extensions other than uBO, don’t download sh*t online, specially pirated software, etc.
Of course, on the computer you can always compartmentalize by running VMs for different stuff (1 for browsing, 1 for password manager, 1 for documents and email, etc). On the phone you don’t have the same option. You do have UTM on iPhones, but then all pretense of privacy and security go out of the window when you use an iPhone.

Edit because I forgot the bottom-line: I don’t think you have a bigger risk if you use BitWarden, 1password or Proton Pass on the cloud. And given that BW has a free-tier cloud service and how hard it is to selfhost anything even if you’re tech savvy, it feels like a no-brainer to me. The risk is elsewhere.

3 Likes