Linux Format

Bitwarden


Nick Peers: At last Nick believes he’s protected by unique, long, random passwords.

Nick Peers reveals how to take your password management to the next level with the option of a self-hosted server and sensible password policies.

It goes without saying that relying on the same old passwords to secure your online accounts is not good practice. A quick trip to https://haveibeenpwned.com should reveal that one or more of them has been exposed in the past 20 years or so.

The solution is simple, yet complicated. It’s simple because you just need to generate long, random passwords comprising letters, numbers and symbols to make them hard to guess or crack through brute force, but complicated because it’s hard to remember them all.

The solution lies in employing the services of a password manager. This helps you to generate those random passwords, then stores them securely in an encrypted file (or vault) that’s locked behind a ‘master password’ – the only password you’ll have to remember going forward. This should be lengthy but memorable (to you), and can be further protected using secondary layers such as 2FA.

Password managers come in all shapes and sizes, but to be truly effective they need to be cross-platform, work in any browser and simplify the act of entering passwords through autofill and paste features. Plenty of proprietary solutions offer these, but few are open source, which raises questions about transparency.

Cross-platform means apps for all major platforms: Linux, Windows, Mac, Android, Apple and web browsers (Chrome and Firefox, but preferably more). Your vault is kept synced between your devices via the cloud. The cloud might mean storing your vault on one of your cloud services, or relying on the password manager’s own proprietary server. If you’re lucky, you’ll even get the option of setting up your own self-hosted server. Using the cloud throws up security considerations of its own, so the vault needs to be encrypted using keys that aren’t accessible to your password manager.

We’ve narrowed our choice of recommended password managers to three. The first option is the least flexible but is a good choice if you’re already using Keepass to store sensitive information on your PC. That option is Keepassxc (https://keepassxc.org). It’s optimised for multi-platform use but has no built-in support for cloud providers (you’ll need to set this up).

Our second option is simpler to set up and implement – check out the boxout (opposite page) for more on Buttercup. It’s currently quite early in its development, and this combined with its small development team means there are still teething problems to iron out.

One password manager to rule them all

Ultimately, however, neither Keepassxc nor Buttercup can hold a candle to our main recommendation. If you’re currently using one of the well-known password managers like Lastpass, then you’ll want something capable of going toe to toe with it. The open-source alternative we recommend is Bitwarden (https://bitwarden.com), which has been our password manager of choice for several years. It has pretty much all the functionality found in commercial offerings like Lastpass and 1Password, but it’s open source and all core functionality is free (although we recommend the $10/year Premium tier to support the project).

Like these proprietary solutions, Bitwarden stores your passwords on its own cloud servers by default. All data is encrypted both in transit and at rest, and your all-important encryption keys remain in your possession, out of Bitwarden’s reach. You may, however, be put off by the fact its servers are hosted in the US, while its growing popularity may see it become an increasingly tempting target for hackers.

But no matter, because Bitwarden has a not-so-hidden secret: you can run your own Bitwarden server to keep tight control over your passwords. The full-blown version offered on the main website is fiddly and more suited to organisations, but there’s a lightweight alternative that’s perfect for individuals or small groups – Bitwarden_rs (‘rs’ refers to the fact it was built using Rust, a lightweight and efficient programming language).

If you’re happy trusting Bitwarden with your data, type https://vault.bitwarden.com into your browser and skip to the next section; if you want to host your own Bitwarden server, then read on.

Self-hosting Bitwarden servers

The easy bit is installing the Bitwarden_rs server itself – the PC you plan to host it on will need to be running Docker and have its own static IP address. Once you’ve met those criteria, setting it up is as simple as issuing the following two commands in the Terminal:

$ sudo docker pull bitwardenrs/server:latest

$ sudo docker run -d --name bitwarden -v /bw-data/:/data/ -p 4000:80 bitwardenrs/server:latest

If everything is configured correctly, you have an unsecured instance of Bitwarden you can log onto via Firefox (but not Chrome in its current state) – just type http://192.168.x.y:4000 (replace 192.168.x.y with your server’s IP address) and you’ll see the same Bitwarden login screen as found at https://vault.bitwarden.com.

As things stand your server is neither secure nor accessible from outside your local network. To rectify this – which will also enable you to access it in Chrome and any of the Bitwarden apps – you’ll need to perform several additional steps.

Firstly, you need a domain name pointing towards your home network’s public IP address – if you have a domain, why not set up a dedicated subdomain (say bw.domain.com) for the task? Failing that, sign up for a free dynamic hostname (try www.noip.com).

Secondly, you’ll need to set up a reverse proxy on its own virtual or physical server with a separate IP address to secure your connection. Finally, you’ll need to log on to your router and instruct it to forward ports 80 and 443 to your reverse proxy.

The simplest reverse proxy implementation we’ve found is another Docker image: Linuxserver Letsencrypt. You can run this on a regular Linux server following the instructions (see http://bit.ly/lxf260letsencrypt for a complete guide), but we set up ours on our QNAP NAS using Container Station – see the boxout (page 59) for full instructions.

When setting up your reverse proxy you’ll need to define your own path to the config folder using the -v flag – for example, /home/appdata/proxy/. Once your reverse proxy is up and running, this folder will contain all your configuration – navigate here and open the nginx folder inside to reveal two more sub-folders. First, open site-confs and type sudo nano default to add the following line to the default configuration file. Place it somewhere within the main server {} block:

add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

Save and exit. This prevents Google from indexing your server and making it visible to search engines.

Next, navigate back one level and then open the proxy-conf folder, inside which you’ll find dozens of configuration files covering a wide range of different services, including Bitwarden. To edit the file, type:

sudo nano bitwarden.subdomain.conf.sample

Make sure server_name points to your subdomain (such as bw.*) or dynamic hostname, while $upstream_bitwarden should point to your Bitwarden server’s IP address. Finally, alter the proxy_pass port number from 80 to 4000. Once done, save the file as bitwarden.subdomain.conf into the same folder, then restart your Letsencrypt container:
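To show how those three edits fit together, here is a constructed, trimmed version of the proxy file (an added example, not the page’s own text nor the exact sample shipped in the Linuxserver image, whose real file carries more directives). It assumes the subdomain bw.domain.com and a Bitwarden_rs host at 192.168.1.50, both placeholders, and repeats the X-Robots-Tag header because nginx add_header directives do not carry over from the default server block to this one.

```nginx
# Constructed example of nginx/proxy-conf/bitwarden.subdomain.conf
# (layout assumed; ssl.conf and proxy.conf are includes the Linuxserver image provides).
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Edit 1: only answer for the dedicated subdomain (bw.domain.com is a placeholder).
    server_name bw.*;

    include /config/nginx/ssl.conf;

    # Repeat the no-indexing header here: an add_header set in the default
    # server block applies to that block only, not to this virtual host.
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    location / {
        include /config/nginx/proxy.conf;

        # Edit 2: LAN address of the Docker host running Bitwarden_rs (placeholder IP).
        set $upstream_bitwarden 192.168.1.50;

        # Edit 3: port 4000 is what "-p 4000:80" published on that host, so the
        # proxy must talk to 4000, not 80.
        proxy_pass http://$upstream_bitwarden:4000;
    }
}
```

Only the Bitwarden_rs container needs to accept connections from the proxy’s IP; the vault itself is never exposed on ports 80 or 443 directly.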

$ sudo docker restart letsencrypt

Once it’s up and running again, configure your router to forward ports 80 and 443 to the reverse proxy’s IP address. Now open your browser and type in your chosen subdomain or dynamic hostname, such as bw.domain.com – no port number required. If everything is working correctly, you should find that the connection is automatically redirected to a secure https:// one – click the padlock and verify that your browser is happy the connection is secure. Your self-hosted Bitwarden server is now up and running.

Whether you’ve set up your own server or are going with Bitwarden’s own cloud servers, the steps from here on are virtually identical. Start by clicking Create Account to set up your account. Enter your email address, name and supply a strong master password (see the Quick Tip on the next page). This is the most important password of all, and if you forget it your passwords will be lost forever. With this in mind, you may want to provide a master password hint, which can be emailed to you if needed.

Once you’ve clicked Submit, your account will be created and you’ll find yourself at the main vault screen. If you’re running a self-hosted server and you plan to be the only user, you can strengthen security by disabling the registration of new users:

$ docker stop bitwarden

$ docker rm bitwarden

$ docker run -d --name bitwarden \
    -e SIGNUPS_ALLOWED=false \
    -e INVITATIONS_ALLOWED=false \
    -v /bw-data/:/data/ \
    -p 4000:80 \
    bitwardenrs/server:latest

The docker rm step removes the old container so the bitwarden name can be reused; your vault data lives in /bw-data/ on the host and is untouched.

The browser-based web vault won’t be used much in day-to-day use, but you will still need to log in to perform certain functions. One of those is strengthening security – navigate to Settings > Two-step login. Start by choosing your form of secondary verification – typically an authenticator app. Use this option in conjunction with Authy or a similar 2FA app to generate the codes you’ll need to enter in addition to your password. When set up, click View Recovery Code to write this down and store it somewhere secure.

Install the apps

Log out of your web vault and visit https://bitwarden.com to download the desktop and mobile apps or install the browser plugins. If you’re primarily using Bitwarden to securely store online passwords, you can get by with the browser plugins and mobile apps.

After installing, click the Bitwarden icon in your browser toolbar or open the mobile app to log in. Those with self-hosted servers should first click the settings button and enter your server’s URL (such as https://bw.domain.com – don’t forget the https this time) before clicking Save. Click Log In, enter your username and password and off you go. The step-by-step guide reveals how to use Bitwarden to manage and generate strong passwords in your web browser.

The mobile app works in a similar way to the browser add-on but comes into its own when linked to your mobile OS’s password auto-fill feature – in Android Oreo or later, for example, search for Autofill under Settings and tap Autofill Service. Bitwarden should be in this list, so tap it. Going forward, whenever prompted to enter login details in apps or browsers, you should see an option to automatically input the relevant password from your Bitwarden vault.

You can also install a standalone Bitwarden app on your PC – this is a portable AppImage package for Linux users, so after downloading be sure to right-click it and choose Properties > Permissions, and tick Allow Executing File As Program before running it. The app sports a similar user interface to the web-based vault, but it isn’t a substitute for the browser plugin – while you can right-click a login and choose Launch to jump to that page in your web browser, it can’t autofill your login details. Its main use is for managing your existing logins.

As your collection of passwords increases, you may find your vault begins to look a bit messy. It’s not a problem – the search box makes zeroing in on a specific login easy enough, but Bitwarden offers you the option of organising passwords into folders to make browsing your collection easier – the annotation (see page 56) reveals what options are available.

You’ll see a Types category in the left-hand pane, which reveals that Bitwarden can also be used for storing credit card information and personal contact details, for quick-fire form and payment-field filling on websites. These work in the same way as your logins but are obviously optimised for the information they contain – the Cards option provides fields for card numbers, expiry dates, security codes and so on. There’s also a generic Secure Note option, which lets you store all kinds of sensitive information like offline passwords, product keys and so on.

Whichever option you use, don’t feel constrained by the fields offered – scroll down to the bottom and you can add custom fields. These can be plain or hidden (like passwords) text or Boolean (a checkbox allowing you to set a yes/no field). Logins also enable you to set multiple URIs, which are web addresses the username/password combination will be recognised on.

One final feature worth noting is Organisations – set these up via the web-based vault under Settings > Organisations. This enables you to share logins and other information with others via collections, which are shared folders. Free users can share with one other user only, with a limit of two collections. A Families paid-for tier – $1 a month – raises this to unlimited collections with five users. If you’re running Bitwarden on your own server, there are no limits – you can have as many organisations and collections as you wish.

Screenshot: You can store more than one login for each website – which is useful when accessing multiple services on the same server.

Screenshot: The Linuxserver reverse proxy obtains free Let’s Encrypt certificates to help secure your self-hosted server.

Screenshot: Don’t forget to write down your recovery 2FA code – without it you might lock yourself out of your vault.
