Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
I've been using KeePassXC. I use Syncthing to keep the database synchronized between computers.
Same here. If it's TOTP based 2fa, you can keep them in entries and use them from there.
Tbh, if you're using the same DB for PWs, you've successfully downgraded to 1FA now. Except maybe if you use a seperate KeyStick/Yubikey as secret bearer or smth
More like 1.5FA, at least. It still protects against passwords being compromised in any way that doesn't compromise full access to your password database, which is still a lot better than using just passwords without a second factor.
that's like calling strong randomly generated passwords 1.5FA.
with proper MFA, even if you steal my password (database), you won't be able to steal my account, as you're missing the second factor. with classic otp this is just a single use number you enter on the potentially compromised system, but if you get the seed (secret) stolen, valid numbers can be generated continuously.
password managers (should) protect against reuse. MFA protects against logins on untrusted and potentially compromised systems/keyloggers if they're not extracted live. password managers with auto fill and phishing resistant MFA can prevent phising, although the password manager variant is still easily bypassed when the user isn't paying enough attention, as it's not even that uncommon for login domains to change. obviously there are also other risks on compromised devices, like session cookie exfiltration, and there is a lot of bullshit info around from websites, especially the ones harvesting phone numbers while claiming to require it for 2FA just to gaslight users.
I would say it still counts as 2fa just shifting what is verifying you to your password manager and using the site password and 2fa as a way to verify the password manager with the site. If setup right they would have to have the database and your password to decrypt it not just one or the other and for password managers that sync the database it should require your password and 2fa to sync to a new device so it can't just be freely grabbed. If that doesn't count as 2fa then I would like to see an argument about how okta signing you into sites counts as 2fa as it is basically the same thing.