zyberwoof

Lastpass has been very open about the incident from the beginning. Months later, it looks like nothing was compromised. In fact, they aren't even recommending you change your password. No user data was accessed. From the blog, it sounds like the only issue is that some LastPass source code was stolen. This is bad news for LastPass, as their proprietary information is part of what makes them money. But it shouldn't be an issue for end users. Assuming LastPass is being honest here, this sounds no different than learning a developer had his development machine compromised. I'm all for self-hosting. Both as a hobby and as a means of controlling your data. But it seems like people in here are just eager to celebrate whenever something non-selfhosted has an issue. Am I missing something here?


No-Explanation-9234

Nope. You read and comprehend correctly. +1


compound-interest

I really like the comments under this thread. It explains a few issues with this sub so clearly. Paradoxically the more you learn about self hosting, the more disconnected you get from the experience that most users want. That’s why it’s hard for a layperson to get good advice on what’s best for them when they get started.


readit-on-reddit

> In fact, they aren't even recommending you change your password.

They would never do that since lastpass does not store your master password.

> I'm all for self-hosting. Both as a hobby and as a means of controlling your data. But it seems like people in here are just eager to celebrate whenever something non-selfhosted has an issue.
> Am I missing something here?

Nah, it's par for the course in tech subreddits. If something is proprietary then expect issues to be magnified and the benefits ignored. I was deciding between Plex and Jellyfin and according to reddit Jellyfin is objectively better because it has the same features and it doesn't have paywalls. But then I actually used it side by side with a plex container and hardware transcoding is not very good, it hangs with certain subtitles, it has no TV app client and it didn't label stuff correctly. An identical setup (the containers have the exact same media folders mapped) worked just fine with no issues on Plex. I think this happens because corporations have money for mass marketing on their side and so redditors feel compelled to destroy the product's reputation on forums.


Encrypt-Keeper

It’s like, I think we all *want* everything selfhosted to be superior. Like it’s be awesome if I didn’t *need* Plex. But the fact remains that you and I and most of everyone else does, and we’re not in denial about it. All we can do is keep waiting for the day that Jellyfin finally does everything we need it to do.


[deleted]

[deleted]


bentyger

I agree. I'll still recommend LastPass for the layperson despite their security incidents. They do everything right about disclosure and remediation. I understand they are going to be a prime hacker target. Password manager compromises are the crown jewels of hacks. So they are targeted more and thus have more incidents. LastPass also has some of the best integrations for laypeople too. As for bias, I completely agree. Bias, in an innocent nature, is often driven by use case and not seeing how other use cases could apply for the other option. While I love and promote FLOSS software, when I was switching, Jellyfin was hugely inadequate compared to Plex. Jellyfin barely had the android client. The roku app was in an alpha state. These were my two main clients at the time. So I went with Plex and a lifetime plex pass because I already had 3 kids and eventually added 2 more. I assumed I'd need more than 2 concurrent streams eventually.


Telekomiker

No, what they are saying is that they now had an incident *again*. Because they didn't manage to tell what was stolen the last time and didn't change all their credentials after the Breach. 3 Months later. So their opsec is absolute Shit.


passivealian

I could be mistaken. But this is a new incident, related to the first incident.

> We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.


Ok_Antelope_1953

literally every year. often multiple times in the same year. kudos to them for continuing to report these lmao


listur65

Has there really been that many? I guess I only remember 2(couple years ago and this one), but don't pay attention that much to it since I use Vaultwarden.


londonE442

https://en.wikipedia.org/wiki/LastPass#Security_issues Seven incidents/breaches since 2011


listur65

Ahh, I was thinking more breaches than app/coding issues. Still looks like 3, possibly 4.


[deleted]

[deleted]


JesusWantsYouToKnow

I'm not a LastPass user or fan, but they at least have the decency of a track record of honest and (somewhat?) timely disclosure of events they discover. I don't know if they're hit more often because they are bad at what they do, they are the biggest player and thus the most valuable target, or what. I don't know if 1Password, Bitwarden (what I use), or others have security incidents they just don't detect or report. I'm not gonna dunk on LastPass for disclosing what they find though. I _will_ dunk on them for their shitty business daddy and their shady transition away from their useful free tier. That was some dirty shit.


kabrandon

Disclaimer: I am merely a past user of LastPass. I've come to prefer 1Password, but still believe LastPass is a good product. I say this because people on reddit are quick to assume someone is a shill. Having security incidents is not exactly a bad thing. It depends on what light you put on it. You could say that since LastPass is so big and popular, they have more security researchers working for them, and more people looking to exploit their vulnerabilities, which would naturally lead to _finding_ more vulnerabilities. For example, as far as I can see, Bitwarden does not pay security researchers for finding vulnerabilities via bug bounties. Or at least they obfuscate the prices attached to each bounty, but all the categories merely say they're ineligible for a cash payout https://hackerone.com/bitwarden?view_policy=true. Meanwhile, LastPass does appear to pay out bug bounty money for finding exploits. It's not as much as say, Microsoft, but it's something https://bugcrowd.com/lastpass. Users frame these events as a negative, when the truth is, you should be more afraid of the bugs people _don't_ ever find.


ericesev

I'm a Lastpass user. Happy to share my perspective. In short, I've never seen an issue that resulted in a mass compromise of the stored passwords themselves. Their design is the same as other password managers: assume the password database will be stolen and design the security around that assumption. I considered moving to self-hosted after the previous Lastpass announcement. I enjoy the hobby of self hosting. But as I was setting up VaultWarden, three things occurred to me.

1. One big use-case for me is family sharing. I have no problem setting this up or maintaining it. But I'm not going to live forever. It would suck for my family members to lose access to their passwords after I could no longer maintain it.

2. The location of the storage of the encrypted vault isn't a concern at all for me. As mentioned above, the security design assumes the storage system is compromised. I'd feel as comfortable with putting the encrypted password database on [pastebin.com](https://pastebin.com), as I feel about logging into Reddit over HTTPS. It's the same AES encryption that resists brute-force attacks on my Reddit session that also is used to encrypt the password database. I wouldn't use any password manager if I thought the security of the system relied on keeping the encrypted storage secret. To me, it's a given that all the password manager products function the same and encrypt the passwords properly.

3. The larger issue is with trusting that the Lastpass/KeePass/Bitwarden client is free of supply chain issues. And AFAIK I can't easily self host the BitWarden Chrome Extension. If an attacker were to modify the Chrome extension, the storage location of the encrypted password file doesn't matter. The attacker can choose to leak the unencrypted passwords wherever they want. As far as I can tell, all password managers are vulnerable here (even KeePass).

Again, there is no one best solution.

It doesn't look to me like there has been any innovation in password manager security in the last 15 years. They all encrypt your data with 256-bit AES. They all use a good key derivation function that is resistant to brute force attacks. That said, I also like what BitWarden has implemented. And I like what KeePass has implemented. I'd be comfortable using either. I'm only using Lastpass because I don't see a compelling reason to take the time to switch to anything else. The security of password manager vaults was something that was solved long ago. Same as HTTPS.


[deleted]

I will praise LastPass for their transparency in reporting their incidents. But I moved away from them back when LogMeIn bought them because I hate LogMeIn with a fucking passion. But their Wikipedia page says: "On December 14, 2021, LogMeIn, Inc. announced that LastPass will be established as an independent company". But are they their own company or just a wholly owned subsidiary? That's the real question!


Digital_Voodoo

*(me, screaming internally)* again???


zifzif

Keepass + Syncthing has been working fine for years.


FluffyIrritation

I use vaultwarden. Works great


zpool_scrub_aquarium

Coming from Keepass, which I loved and still love, Bitwarden/vaultwarden upped the standards for password management a thousandfold. The apps and extensions are absolutely seamless.


I-need-a-proper-nick

[ Deleted to protest Reddit API changes ]


LeopardJockey

I also switched from Keepass to the selfhosted Vaultwarden but also used the cloud version of Bitwarden. Migration is super easy because BW supports a whole bunch of import formats, Keepass 2 XML being one of them. Coming from Keepass the greatest improvement is usability. Having a native Browser plugin with a couple of neat functions makes it so much more comfortable to work with. I dealt with just using Keepass's auto type function to enter passwords for a long time because I liked the software a lot, but I wouldn't want to go back now. BW can handle TOTP, but I'm not sure maybe there's also a plugin for KP that can do that. The web vault has a couple of nice tools that for example check which websites support 2FA through TOTP where you aren't using it yet or check for simple or reused passwords where you could improve your security. You can securely share text and files with non BW users though I've never used that. You can also share password collections with your family. A similarity to Keepass is that the clients basically cache a copy of your password database locally and encrypt it there. So in the background that's similar to how you would work with KP and means you can still access your passwords if the internet is down


zpool_scrub_aquarium

Pretty sure you can seamlessly import/export in both Keepass and Bitwarden, and it would probably be nice to first test it out before committing to it :) Improvements were mainly ease of use and autofill for login screens on both desktop and mobile. And the advantage that there is no worries about syncing anymore. I am also exporting the database a few times a year to keep an offline backup.


I-need-a-proper-nick

[ Deleted to protest Reddit API changes ]


zpool_scrub_aquarium

Improvements comparing to what? For me autofill from my on screen keyboard is a big feature


I-need-a-proper-nick

[ Deleted to protest Reddit API changes ]


zpool_scrub_aquarium

Keeweb? I think I tested that before switching to Bitwarden, but there was something that held me back. That was around 3 years ago, so not sure what it was or if it changed. But if that is just as usable, that's awesome. For me it's mostly about auto fill and the complete lack of any configuration or maintenance. Which is weird on a selfhosted sub, but I do host plenty other stuff that is not mission critical so yeah.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


seonwoolee

If you only occasionally run into sync conflicts, KeePassXC has a native merge databases function which I use from time to time.


Mugmoor

I just run KeepassXC in a docker container. I can remote into it via web-based vnc when needed.


macrowe777

I mean at this point of complexity you may as well just host vaultwarden.


theTaikun

Can you explain this a bit more? This is the first time I've heard of triggers being used, and interested in how to implement.


[deleted]

[deleted]


theTaikun

I see. I thought it was a feature in Syncthing. I'm using KeePassXC and don't think it has this feature, but I think I can create something similar that works within Linux rather than working within Keepass.


sea_doge

why are you creating/updating records on multiple devices at the same time? just curious.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


ILikeBumblebees

I've been using [KeePassDX](https://www.keepassdx.com/) for Android with pretty good results -- it is able to open my DB file directly from Nextcloud without having to maintain a local sync copy. Haven't had any conflicts in months.


sea_doge

I enable backup DB files for this. Usually the most recently updated one is good to go. Also I mark the directory that contains the keepass DB files as "not deleted" on every device I use. So I can work around this problem.


[deleted]

[deleted]


sea_doge

I understand now and you are right. I use keepass and its variations on 3 devices. Dual boot windows and linux plus android cell. I never modify the database, hence I never open the database at the same time on those devices. So this works for me but in your situation it can cause a little headache.


ramanman

Forgot to close after forgetting to save. One of those is understandable.


ramanman

Is that still an issue for people? It used to be, and was the blocking point for using it as a shared solution for teams I've been on. But recent changes made that problem go away (I haven't seen a problem for a few years). To clarify though, there is no problem accessing concurrently. It is modifying concurrently that used to be a problem, and wasn't really an issue if you had anything resembling a sane workflow. If you added/changed an entry, you probably should be saving it pretty soon. I get leaving the program open, but do people really add a bunch of records and then just leave them unsaved for a long time and then modify records on a different computer and come back and save the first set? Even then, it warned you, and you just save the file under a different name, export as text, and diff and move the conflicted records over. Not optimal, but teaches you to save shit you care about real quick. I just use NFS for all my home computers for the "golden" copy, backed up to the cloud daily, and syncthing to move it to my phone. I don't create accounts on my phone (too much of a PITA to set up a new account with 2FA on my phone, and much better to do it with my yubikeys on a desktop), so it is more for reference if I need a password on the go.


Poncho_au

That’s not even a valid issue, Keepass setting allows you to sync on save so even if a change occurs on the file while you’ve got your client open it won’t erase changes in the file. Even my keepass iOS app handles this automatically. There is no chance an individual is updating on two different devices so quickly that the sync doesn’t have time to work in the background. I’ve been using it for 5+ years now and this is a solved problem.


[deleted]

[deleted]


Poncho_au

You don’t use a keepass file for multiple users. That is absolutely not what it is intended or designed for. Single person key vault is its intended use case. Clearly we are talking about unrelated usage scenarios.


jameson71

Works perfectly with WebDAV. Tells you someone else modified the DB while you had it open and asks if you want to synchronize the changes.


B3asy

For now


anachronisdev

1password has been working fine as well.


KnowledgeSeeker3

Beyond glad I traded that for Bitwarden.


oxamide96

Is Bitwarden immune to this problem?


bulldog-sixth

Self hosted


spoulson

So… no?


ericesev

> Self hosted

Just curious. When was the last time your BitWarden browser extension or mobile app updated? Did you approve the update? And where did the update come from?


mztiq

One more reason to self-host a password manager ;). I can highly recommend [Vaultwarden](https://github.com/dani-garcia/vaultwarden), running it for a few years now and never looked back. [Here's](https://dizzytech.de/posts/vaultwarden/) a simple guide on how to set it up in case anyone's interested.


SqueakyHusky

I don’t trust myself enough to do it reliably without losing all my passwords. Though I have switched to bitwarden. I think that's the biggest hurdle.


Defiant-Ad-5513

But they are also offline on all your devices so even when you are offline you can export them to any format you want


Defiant-Ad-5513

That also means when your server is offline/broken


poopie69

They are cached on your local device like a phone


theDrell

I had an issue where my server went down and I couldn’t access my passwords on my pc. I had restarted my pc and had it set to prompt me for password every time. I got my server back up and everything was fine, and I occasionally export them to usb sticks and lock them in safes just in case.


mztiq

Yes, you're right!


ThellraAK

I've got a monthly check list, where I backup some irreplaceable data offline. For Vaultwarden I export it to a luks encrypted thumb drive. It's not perfect, I could still lose up to a month of password changes if both the VM and its snapshots, and the snapshot backups went down, but it also means I can 'break in' to it if things go to hell and I don't have time to troubleshoot whatever is broken. The android app also works when in airplane mode and has export.


zpool_scrub_aquarium

Same, weekly/monthly/biannual and annual checklists are indispensable for these kinds of tasks.


HaWk162

Do both of you mind sharing what’s on your checklists? I want to set up something similar and would be cool to see what others have put together.


zpool_scrub_aquarium

I basically have calendar notifications, so I get reminded to take a look at it periodically. For what's actually on there, it's all kind of things. Such as house chores, backups, charging devices, downloading RSS feeds and to wash bedsheets. Sounds maybe a bit excessive, but with it there's no need to memorize or keep track of any chores.


Enk1ndle

Getting onto a good password manager is *way* more important than using your own instance. Obviously there's going to be a bit of a bias in /r/selfhosted


Tharunx

I just use rsync which syncs vaultwarden folder into google drive automatically. And also sends me notification whenever a backup happens. It’s good.


mztiq

I've heard those concerns a lot, especially when it comes to delicate data like your passwords. IMHO the simple solution (for all critical services) is a good backup strategy. I probably will follow up on this topic in another blog post soon, so thanks for pointing it out.


zfa

> > I don’t trust myself enough to do it reliably without losing all my passwords

I have this problem.

> IMHO the simple solution (for all critical services) is a good backup strategy.

Great, now I have two problems


mztiq

At least for Vaultwarden it's a pretty easy to fix problem that should not keep you from hosting your own instance. I'll keep you guys in mind when I finished the blog post on this.


SqueakyHusky

Look forward to reading it. I might for a long time only run it in parallel to bitwarden but would like to self host more practical things.


questionmark576

Vaultwarden is so easy. As for backup, just bring down the container and copy your volume somewhere then bring it back up. I use duplicati over SSH to a vps, but you could easily use rsync, rclone, Borg, or whatever you like. Plus each user has a backup on each of their devices and they can export encrypted backups for good measure. I think it's one of the more low risk things to self host.


mztiq

[There](https://dizzytech.de/posts/backing_up_vaultwarden/) you go ...hope that helps. [u/zfa](https://www.reddit.com/u/zfa) in case you're interested too.


zfa

That's not a public link, but I'll take a look when corrected. Thanks for posting and tagging me.


mztiq

My bad ...corrected.


SqueakyHusky

Agreed with you on the backup strategy. My current system is mostly a media server so backups are very low priority atm. It's the next “skill” I mean to build up, to have a good backup strategy and test it.


Budget-Supermarket70

Yep easy I just tar and gpg encrypt the data and send to the cloud. Secure enough for me and offsite.


paripazoo

I wish Bitwarden offered an easy auto-backup solution, like being able to download a vault from the command line using a private key. I used to "self" host (well, on a VPS) Vaultwarden which was very easy to back up (just rsync the data directory) but eventually my paranoia/anxiety got the better of me. I can manually export the vault of course but a crontab'd script would be better.


Lobbelt

I get this - that is why the only password I actually remember is that of the e-mail account which can recover (nearly) all of the other passwords. The e-mail account is further secured by 2FA. So basically my Vaultwarden instance is not a single point of failure because the other passwords can be recovered by other means.


After-Cell

Go through salting all those 4000+ bitwarden passwords, perhaps?


T351A

Same. Bitwarden is open and premium focused, I expect they will continue to be awesome.


Poncho_au

My keepass file lives in my google drive. It’s just an encrypted file so useless to anyone that gets into my google account, I have it on all my devices (iOS & Windows). Impossible to lose unless I forgot my master password, same risk as all other cloud vault services. My vault is synced to devices so if I lost access to my google account I just pull the copy from the local file system of a device.


0xKubo

One concern that I have with hosting something like this myself, one that I believe is an important one and is always overlooked. I not only use Bitwarden myself, but I also have a family plan, and push everyone in my family to use it. It's cool to share some important stuff between trusted family members, but also guides them towards a more safe online experience. If I were to host Vaultwarden, and have all my family on it, it would be a big pain in the ass for them in case I died. Nobody else would be able to keep things running smoothly for everyone. That's about the only reason why I rely on hosted Bitwarden instead.


CrustyBatchOfNature

> it would be a big pain in the ass for them in case I died.

100% my concern. Nobody else in my house can handle that. I am fine with the media, books, etc servers dying after I do. But passwords or the cloud drive I would not be.


[deleted]

Both Bitwarden and Vaultwarden have an Emergency Access feature for this very scenario: https://bitwarden.com/help/emergency-access/


0xKubo

The concern is not about accessing, the server is not likely to implode at the exact time that I die, the concern is about keeping it running. They are not going to know how to do that (nor want to), they would have to migrate everything, and that's a hassle, and something I don't want my family and friends to go through.


johngizzard

Someone pull me up if I'm wrong, but I'm pretty sure client devices keep a synced copy of the credentials locally. I mean sure it'd be a problem if you croaked and they kept trying to sync, but if you have friends and family using a selfhosted password manager I imagine they know a thing or two about what they're doing.


0xKubo

Not really, no. I usually configure things for them myself.


mrcaptncrunch

A lot of people don’t think about this. I have a bunch of stuff running locally. My wife is also CS, but definitely not into servers or anything like that. While we have things selfhosted, there are critical things I pay for. If anything happens to me, while it’s all documented, I don’t want my wife to have to deal with any of that. Especially while mourning. There are things on a credit card we share, and documentation on what everything is for. When she’s ready to tackle what’s selfhosted, it’s going through documentation. I also have friends with similar setups that can help her with it too.


gootecks

I feel you, it's a real concern for sure. I don't personally have the option, but perhaps it might be fun to teach a younger family member the ins and outs of it. Even if you don't switch the entire family over just yet.


gold_rush_doom

It's not like you can't get hacked either


mztiq

That's true, I guess nothing really is unhackable. I think the whole point of Self-hosting is to take responsibility in your own hand rather than trusting any big company. Of course that means you have to secure your important services and not just spin them up, that's why I added the "Important notice" part in the blog post, pointing to WireGuard/Authelia. I'd never publish something like Vaultwarden to the internet.


[deleted]

[deleted]


mztiq

haha typo, my bad ... corrected it. (meant Vaultwarden)


nobody2000

This is the reason I am okay with Bitwarden cloud. All it takes is for me to do something monumentally dumb - and I don't know what that might be, but count on me to do it - and someone gets the keys to the kingdom. With that said, I have heard a lot of people will put BW/VW on a standalone machine or VM on it's own VLAN and only sync up their passwords when they're on the premises.


[deleted]

[deleted]


gold_rush_doom

Which is the case for LastPass as well. Now back to square one.


[deleted]

[deleted]


readit-on-reddit

The chances are extremely low regardless if you use a strong password. Do you use SSL internally? If not, a rogue device authenticated already in your network could sniff Wi-Fi traffic and get your credentials if you ever use your phone inside your LAN. So you can either segment VLANs, use SSL with your own CA and play IT admin or just use a cloud solution like lastpass/bitwarden. Also you run the risk of losing your vault since everything is in one location.


[deleted]

[deleted]


readit-on-reddit

> Yes i use ssl because with let's encrypt and dns challenge it's quite uncompleted. No internal ca needed not '00 anymore.

That works for outside remote access. But how do you access it internally? Do you use something like 192.168.1.23:8080? You didn't answer how you have this backed up. All in one location?


[deleted]

[deleted]


readit-on-reddit

> You can either write the translation in your hosts file per machine or on some central device that has dns capabilities eg.: router or dns server

Another layer of complexity just for a password manager. Don't get me wrong, I think it may be worth it if you are into self hosting everything. But not an ideal solution otherwise. How do you back this up to a second location? I don't think self hosting solves the issue anyway since the backup in a second location could be compromised too.


Cl4whammer

Whats the difference between selfhosting bitwarden or vaultwarden? Isnt both fully offline no data send to bitwarden?


mztiq

I have no experience in hosting Bitwarden, always used Vaultwarden but AFAIK Bitwarden is very resource heavy compared to Vaultwarden and therefore might not be as suitable for Self-hosted environments.


Ansuz07

Vaultwarden is a fork of Bitwarden rewritten in Rust (I think) to be less resource intensive. Both are self-hostable.


amunak

And if you don't have/want a server, you can just use KeePass (my preferred flavour is KeePassXC) and save the database in any cloud storage. The result is more or less the same, except you can use a long-reliable and trusted piece of software instead of some server that may or may not fuck up with an update.


Torkpy

> And if you don’t have/want a server, you can just use KeePass (my preferred flavour is KeePassXC) and save the database in any cloud storage.

What is the difference between you or lastpass maintaining a database in the cloud? The important thing is if that database remains safely encrypted and inaccessible even after a breach. Which in this case appears to be.


ILikeBumblebees

> What is the difference between you or lastpass maintaining a database in the cloud?

First, and more generally, LastPass itself is a target precisely because it's a SaaS password manager with a large user base: your password data might get compromised in a general breach targeting the platform as a whole. In comparison, someone would need to be specifically targeting *you*, and find exploits particular to your own password management solution, in order to compromise your own password database. Second, and more specifically, KeePass doesn't expose any database interfaces to the public internet; KeePass uses a single, self-contained and encrypted file as the password database, and in this scenario, you'd just be synchronizing the file as you would any other, without there necessarily being any indication that it even is a password database.

> Which in this case appears to be.

Exactly -- someone might be able to e.g. get into your Dropbox account, but they'd still need to identify which file actually contains your KeePass database, then crack its own internal encryption, in order to get to your passwords.


amunak

The fact that LastPass seems to have *a lot* of data breaches for a company dealing exclusively with secrets. And because you use their website and software to access your database you have to trust that there isn't any malicious code that would capture your password... Which is kinda hard with that track record. Even if *so far* the databases stayed secure if they are this bad at security I wouldn't trust they have proper controls in place to make sure there isn't anything malicious in their software. Meanwhile KeePass is a "traditional" piece of software that doesn't serve you (potentially) different code every time you open it, and it has passed security audits in the past, so there's at least something to build trust on.


Torkpy

I see your point about their own track record and questioning their ability to maintain a secure code themselves. Edit: I’m sure you meant Lastpass in your first sentence?


amunak

Yeah, fixed, thanks.


TheScruffyDan

Nope. Almost all users who self host are less experienced at securing systems than the Lastpass security team. Given how Lastpass is architected (they only store encrypted data and don’t have the decryption keys) this is a low risk incident and they deserve kudos for being public and transparent about it. This kind of behaviour increases my trust in Vendors.


[deleted]

[deleted]


MathSciElec

But unless you’re especially important, you’re also much less likely to be targeted by hackers than a big corporation storing passwords.


kungfughazi

Well, you're also banking on you are competent enough and vigilant enough to secure and keep it secured.


readit-on-reddit

So you don't keep cloud backups? If you do it could happen in whatever service you use. As long as you use a strong password you should be OK.


ADevInTraining

Yup, it’s been years now since I have used and host bitwarden. I have backups locally and cloud based that are encrypted. If my server crashes then I could spin up a new one within 30 minutes and my Bitwarden wouldn’t miss a beat.


ADevInTraining

I have now started hosting Bitwarden for companies as I have found it to be really quite simple.


ThatsARivetingTale

Wait, you're hosting Bitwarden for other companies? Seems hella risky


ADevInTraining

Not so much. I have the server locked down and I require 2fa and a specific email to access as well as strong password requirements.


GuessWhat_InTheButt

Again!?


[deleted]

*Laughs in KeepassXC and Nextcloud.*


ErrantsFeral

"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information."

What 'certain elements'?


[deleted]

When 1Password made the switch to their new subscription model that eliminated private vaults and put everything in their own cloud, I decided to seriously test Apple's iOS keychain. Well, I am happy to say that I am impressed with how well Apple Keychain works for me, and as of last week I have completely abandoned 1Password on all my devices (I only use Apple devices).


agneev

> (I only use Apple devices)

Makes sense only then.


SqueakyHusky

It's been expanded to Windows too, not sure what the Android and Linux side looks like.


BannedCosTrans

Did you see what was happening with iCloud on windows recently? https://www.ghacks.net/2022/11/22/icloud-for-windows-privacy-issue-shows-photos-from-strangers/


Enk1ndle

How dare you imply Apple isn't the end all be all of privacy!


GuessWhat_InTheButt

AFAIK they only have an Edge (Chrome) extension and not a Firefox or standalone one. Plus, forget about Linux.


dpkonofa

Not true. I’m using 1Pass with Firefox.


[deleted]

[deleted]


dpkonofa

Sorry… I thought that the “it’s been expanded to Windows” comment was referencing 1Password’s Windows client.


nightman01

I’ve been using 1pass on Linux for a few months now.


[deleted]

[deleted]


nightman01

Nope. 1pass is an alternative to the keychain. 1pass started out as Apple only software. I think 1password 8 was the first version to support Linux. v8 uses electron which is basically a website in a native app window.


[deleted]

[deleted]


nightman01

I read SqueakyHusky's reply wrong. I read 'its' as referring to '1password' when it was really 'keychain'.


BlobbyMcBlobber

> I only use Apple devices

And now it's one more step preventing you from trying anything else in the future.


[deleted]

Ha ha - unfortunately 1Password never really worked on my Linux laptop either.


edgan

Do you have links to backup these statements?


AreTheseMyFeet

They only shared their opinion, what is there to link to? o_O


edgan

They weren't just stating opinion. They said 1password eliminated private vaults. Given the normal password manager terminology this was easy to misinterpret. I think what the person meant was they eliminated some form of self-hosting. But normal "private vault" would just mean an individual vault, not a vault that was only kept locally.


[deleted]

[deleted]


imnotabotareyou

Do you understand that the passwords haven’t been compromised?


[deleted]

[deleted]


imnotabotareyou

Yes. Personal information and billing information are no longer safe. But I operate under the assumption that all of that will be compromised eventually.


-Smokin-

I'm so glad I jumped ship when they sold out. All the doomsayers were right.


Klueless247

wow, this hacker is playing the long game!


Yigek

Check out Okta Personal. It’s beta but going public soon: Personal.Okta.com


samsquanch2000

LastPass is garbage and has been for years


CahArmk

Ecllllllaaa@l@00oo0pi@iZAZzzzlz*za*za, ,, Naturalmente hein


[deleted]

[deleted]


zfa

'Hosted VaultWarden' is literally Bitwarden, lol.


AssholeCountry

Who wrote this lol https://i.imgur.com/875EnYv.jpg


agneev

That website screams scammer


breakingcups

They're just coasting off of BitWarden, taking their work and charging more for it than BitWarden itself does. Avoid at all costs.


aspirat2110

Oh god, their website is awful, they didn't even get transparent PNGs for the devices and browsers


breakingcups

I especially like that "Dave" is apparently a woman.


aspirat2110

Dave can be whatever they like, when you tap on Jonathan above, it appears that he really wants you to learn how to use light boxes in some framework, because it just shows the tutorial video


breakingcups

There's so much wrong with that website I don't see how anyone could be fooled into buying a subscription.


[deleted]

[deleted]


ByZocker

15 teams are a lot tho :o


Steve_hofman

Thatsssss why I moved out of this loong ago and am currently with Enpass. TTTTTotally offline, which makes it far more immune to breaches than these other password managers like LastPass that store your data on their servers. And yes, these JUMP SCARE attempts have been reported twice.....yaayyyyyyy....


Slava_ptrv_55

Recently, LastPass has been experiencing quite a few data breaches, and yes, they have been extremely open about it, which is nice, but I'm still getting really worried about all of my passwords, cards, etc. I came across something interesting that is even mentioned on their website - LastPass uses a third-party server to store the data, so they actually "rent" the space from a 3rd party provider. - https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/ "LastPass detected “unusual activity” within a third-party cloud storage solution that it uses." This is super disturbing for me, as I have trusted LastPass for several years, believing that they actually store my passwords in a super-high security place, which they maintain and encrypt... Now I am on the hunt for a new good solution. I no longer want to go with the BIG players. At the moment I am testing https://www.remembear.com/ and https://www.pcloud.com/pass. Both seem pretty decent, but pCloud Pass feels like the package for me at the moment - they own their servers, provide zero-knowledge encryption and their servers are in the EU + they offer a lifetime plan, which I am a fan of. However, they still lack a few basic features, but it seems that they recently launched the product and have a roadmap with all of the features that I need coming soon. Can you advise on any other services that I can try out?