I don't understand why people comfortable with running a VPS bother with these cloud services.
I use pass https://www.passwordstore.org/ git-synced (encrypted) to a $5/month VPS that also runs many other things. You could even get a free one from large cloud providers.
pass has lots of clients for all kinds of devices, works really well (how could it not? It's just a thin wrapper around git + gpg) and I don't have to worry about anything like the topic at hand.
What am I missing?
Nobody forces you to use SMS for 2FA. I'm not even sure Vaultwarden supports SMS. I use https://getaegis.app with the usual 2FA TOTP, also protected by a password. So for someone to gain access to your vault, they will need:
* access to your server with Bitwarden/Vaultwarden (this one is tricky: someone might inject something into the web UI JS if it's open to the public internet, so keeping it VPNed might be a good idea indeed)
* access to your master password
* access to your mobile device / TOTP storage and the password for it
I'd say it's pretty safe from random hackers, but if someone is dead set on getting your data, well, https://xkcd.com/538/
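The "usual 2FA TOTP" layer from the comment above, as an added example that is not code from the thread, from Aegis or from Vaultwarden: an RFC 6238 TOTP generator plus a server-side verifier that allows one step of clock skew and rejects replayed codes. The secret is the RFC 6238 reference test secret, used here as constructed sample input, and names such as `TotpVerifier` and `secret_from_base32` are this example's own.

```python
"""RFC 6238 TOTP: generation, base32 secret handling, and verification.

Added example, not code from the thread or from Aegis/Vaultwarden.
Illustrates what the "TOTP storage" in the comment holds: a shared secret
from which anyone who has it can derive every current and future code.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"),
# used here as constructed sample input; a real vault holds a random one.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the usual authenticator default


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int = None, digits: int = 6,
         step: int = STEP, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps (otpauth:// URIs, Aegis exports) carry the secret
    base32-encoded, often unpadded and sometimes lowercase or spaced."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check with a +/-skew step window and replay rejection.

    A code is accepted at most once: after a counter value has been used,
    it and every earlier counter are refused, so a captured code cannot be
    replayed inside the skew window.
    """

    def __init__(self, secret: bytes, skew: int = 1,
                 step: int = STEP, digits: int = 6):
        self.secret = secret
        self.skew = skew
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter already accepted

    def verify(self, code: str, now: int = None) -> bool:
        if now is None:
            now = int(time.time())
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already consumed: treat as replay
            expected = hotp(self.secret, counter, self.digits)
            # constant-time compare so the check does not leak digit matches
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False
```

The point for the threat list in the comment: the TOTP secret is all an attacker needs to compute codes, so the authenticator's storage (and its password) is a separate thing to steal, independent of the master password. The verifier's `last_counter` is the check a self-hosted server should keep per user; without it, a code observed over the wire stays valid for the whole skew window.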