20
Paid $150 for a password manager that still got hit in a breach
I signed up for one of those big password manager services back in March and paid for a full year upfront, then their database got compromised last month. Has anyone found a self-hosted option that actually holds up better than these cloud ones?
2 comments
robinson.holly1mo ago
My own setup is probably held together with duct tape and good intentions at this point, so I feel you. I tried self-hosting a password manager once and locked myself out for three days because I forgot my own master password and the backup key was on a sticky note I couldn't read anymore. Now I just use a notebook hidden in my sock drawer and hope nobody looks there. At least with a notebook, the only zero-day vulnerability is my roommate borrowing it to write a grocery list.
10
james921mo ago
Wait, hold up. I'm gonna play devil's advocate here for a second. Self-hosting a password manager just means you're the one who gets to deal with the headaches if something goes wrong. You think a small team or even just you patching a Vaultwarden instance is going to catch a zero-day faster than a company like Bitwarden or 1Password with a whole security team? Those big services have dedicated people hunting for bugs and fixing them within hours. You're trading their breach for your own potential misconfiguration where you accidentally leave port 80 open or forget to update for six months. I'd rather trust a group of paid experts than my own Saturday afternoon setup, but maybe that's just me. Have you looked into what actually happened with that specific breach - was it their master password hashing or something else?
2