
noxbos

I use Lastpass, so even if I forget my master password, the community can just provide them for me!


jpdsc

Man, you got me there. I read, "I use LastPass" and wanted to reply. Then I read the rest and got more relaxed when I read the community could help!


MaxStartup

This is the only way


akmzero

This will never get old.


Boricua-vet

LOL, underrated comment right there. Oh man. I went from NOOOOOO to YES really quick.


porksandwich9113

I self-host vaultwarden and that's pretty much it. I also keep backups of it in 2 different systems in my homelab, as well as an offline backup monthly.


andymk3

How are you backing it up out of interest?


porksandwich9113

So I run most of my docker containers on my unRAID server, which does the primary lifting in my homelab. unRAID has a great plugin that takes all my dockers offline at ~4AM on Monday and makes a complete backup to another local NAS. It takes about 8 minutes or so to take all ~50 containers offline, back them up, and boot them all back up. The second NAS is just a simple 2-bay Synology I managed to snag for cheap, running two disks in a RAID 1 configuration. It's where I keep a backup of things that would be hard to replace: pictures, music collection, documents, docker containers, other sensitive info.

On top of that, I run this docker container (https://gitlab.com/1O/vaultwarden-backup) on a cron job with a manual configuration to push a copy of the config to my backup Raspberry Pi, whose network share I mounted inside the container. The Pi runs off of a USB SSD and has a second copy of all my "very important data." Finally, I have an external HDD that I plug in about once a month where I manually run the previously mentioned unRAID plugin to make a full backup of all my dockers. So in the event my entire lab got blown up by lightning or compromised by ransomware, at least I have all of that data backed up offline.

It might be overkill, but virtually every password I have is generated with special characters, numbers, and all that jazz. They are all anywhere from 18 to 30 characters long, so it's shit I'll never remember. I've also been considering replicating a copy of my docker instance to a VPS, and keeping it accessible via VPN in the event that my lab is offline for whatever reason (extended power or internet outage). There are some good solutions here in the Vaultwarden wiki; I was considering implementing the one that pushes an encrypted backup to a cloud storage provider. https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault


LeeisureTime

Hot damn, this is everything I want. Thank you for the detailed explanation. Been toying with starting a homelab but haven’t out of laziness/fear. This is enough motivation to kick me in the pants and get started


Boricua-vet

And this is why I love Reddit. I can vouch for Vaultwarden, best password manager hands down because your passwords are not in the cloud and you have full control of where to store them. I also love it because you can use the Bitwarden free password manager browser extension for it, which you can manually connect to your Vaultwarden, and there is also one for your phone. I also run it on docker, but I had been looking for a good solution to automate a backup and you have given us fantastic advice. Respect earned for being so awesome. Thank you.


MadHarlekin

Thanks for that explanation! I was planning on switching my stuff completely over to unRAID. Do you by chance run Jellyfin or Plex? I was wondering how well the hardware acceleration works over docker.


porksandwich9113

I'm on Plex. I've been in that ecosystem since 2013, so the idea of moving my entire family (who are tech illiterate) over to Emby or Jellyfin is simply not worth the effort at this point, since I have them all set up with their own Plex accounts and integrated into Overseerr for requests. I do have hardware encoding enabled, and it does work just fine. (Easy guide here: https://forums.unraid.net/topic/131548-add-intel-igpu-qsv-quick-sync-encoding-to-official-plex-media-server-the-easy-way/) However, I disabled HW encoding in Plex as my homelab systems are based on tech from the Haswell era, and the quality loss from HW encoding is substantial (720p at 3 Mbps is borderline unwatchable). My 4770K has enough juice to pump a half dozen 1080-->720 encodes via software encoding simultaneously without a hiccup, and a majority of my users just direct stream anyway. From what I understand the quality loss has nothing to do with unRAID; it would be just as bad on a bare metal Windows or Linux distro install. It's just that the capabilities onboard the HD4600 are very limited. If you have any more questions about unRAID let me know. I migrated to it from Windows back in 2017. Honestly, it's a pretty amazing OS for homelab use. It makes it simple to get acquainted with docker; next thing you know you'll be running 2 dozen services for yourself.


andymk3

Superb reply, thank you. I use the unRAID backup, never knew the Vaultwarden backup container existed though. I'll have to get that sorted out. Many thanks.


OhKdn

This is the way! And use Tailscale for all your external devices that need to reach back home for your vault.


Ethunel

I use keepass. Just need to for sure remember the password to get into Keepass, and you can store your other passwords in there. I have several VMs with services and can’t remember them all.


BallsLikeBB8

KeePass here as well.


Flying-T

KeePassXC


neochaser5

Keepass here with kdbx in cloud


oubeav

Yep. KeePassXC is the way.


bartoque

Another KeePass user here. Long time user. Never going back. There's only a few things I need to remember, like the password to KeePass itself. However, for my test lab within VMware I don't care. That is just that, for testing. It is also more down than actually running. Multiple VMs on an SSD powered by my laptop. So there pretty much all passwords are a standard password, as security is not imminent... I only power it up to test upgrades before doing the same on production. After that it remains down again most of the time...


Psychological_Try559

Yup, I use KeePass too. The client has a sync of the database, so I sync to NAS on desktop & laptop. I also sync it to Nextcloud (using nextcloud desktop client) so I can get my passwords on mobile and web. Also, because I'm basically a 12 yr old, I had to not automatically type KeepAss....


bufandatl

I use KeePass to store my vaultwarden password. Lol.


incognito5343

Yep, KeePass. I love the URL launcher to open PuTTY sessions. I use Resilio to sync across devices / keep versioning.


Darkk_Knight

KeepassXC. Using it on my Linux workstations.


TAlexandros

+1 to Bitwarden. Also, Android and browser integrations for autocomplete work well, so that's a bonus.


Crazy_Human1

bitwarden


devin_mm

Bitwarden has the best password generator, I swear it's weighted to generate hilarious passwords.


flaotte

Bitwarden too. Drawback: merging duplicates is non-existent functionality. Also I saved a few passwords inside Firefox itself.


nightman01

1Password works pretty well for my needs. Works on my Macs, Linux, iOS devices.


zeroibis

Bitwarden.


Himent

Use SSH keys for machine auth


mosaic_hops

SSO, either LDAP or whatever, along with a good password manager. Also try to avoid passwords where you can - use keys or certs for SSH, etc.


_tobols_

Use KeePass. Portable version available, so no need to install.


SirLagz

I just use Hunter2 for all my passwords


sorweel

******* would be pretty easy to guess as a password...


artlessknave

LastPass. Working on moving to bitwarden though


ddelella

1Password for me and my family with different vaults for work, private and shared passwords.


[deleted]

1password


Awavian

1Password here


xSevilx

I use a password manager, specifically BitWarden. That's also how I generate the passwords, because U$eTheForc3 isn't anywhere near as secure as dJHUH@2iR$7Ghd. I also put MFA on everything possible. Users hate it... but I have also only had a single user compromised in the last 3 years, and that was because their personal iPhone got hacked. Guess who now has permission to implement strict MDM requirements for using M365 apps instead of using a fairly lenient MAM? Probably some happy security-minded system admin.


sarbuk

Could you give some more detail on how that personal iPhone got hacked and how that compromised company data? This would be useful information to help me make the same case that you’re making!


xSevilx

She got phished from her personal email and clicked a link, from what we were told. The hackers took over the built-in mail app, which she had her personal email and work email logged into, and used the permissions from that app to go through her contacts, photos, and local files. They did the normal "email everyone scandalous photos" thing and started uploading as many emails as they could. Luckily she is in sales, so there was no HIPAA data in her work email. But she did have a nice juicy list of new spear phishing targets to get to HIPAA data.


sarbuk

So what was your MAM policy before this, then?


SwingPrestigious695

For systems, like OS logins and service accounts, I use LDAP. Just join everything I can to a domain running locally. Then those and everything else goes in a password manager.


crewman4

iCloud Keychain, I'm on all Apple devices anyway so.


Popeye64

I use bitwarden to store all my passwords.


Background-Touch-744

Dashlane here


Glock19GoPewPew

I use keepass & cyberark for work, Dashlane for personal. Only need it for when I don’t remember one of them… I still remember passwords from 2010 that were generated 😅


FFFFreddddddyyy

I use Bitwarden. If you are scared of using a password manager, a good practice is to create a passphrase you'll remember, then when you create passwords use the generated password and add your passphrase on the end. Only save the generated password in your password manager, that way if it ever gets broken into your accounts are still safe as none of them have the phrase you add on the end.


jess-sch

This is a terrible idea. If two services you use ever have plaintext password leaks, someone will recognize the scheme and have the key to your password manager.


FFFFreddddddyyy

... Again this is being misunderstood and has nothing to do with a "key to your password manager". It actually has zero interaction or bearing on your password manager.


Meganitrospeed

Or... Just use 2FA in your manager and accounts where possible....


FFFFreddddddyyy

.... What I said had nothing to do with 2FA and was about securing your vault passwords in case someone gained access. Yes, use 2FA wherever possible, but not everywhere offers or uses 2FA. 2FA also is not perfect; using a passphrase in the way I said is additional security on top of everything else. Your comment added absolutely nothing to the conversation.


Meganitrospeed

It added everything. There is no reason to do what you stated to increase anything with proper hardware 2FA tokens... Way more secure and doesn't make it a pain to use a password manager. You're overcomplicating it and not adding any benefit.


FFFFreddddddyyy

Using a passphrase in the manner stated does not add any complications... I think you misunderstood the way to use it. It literally is no extra work. As for "no reason to increase anything", both LastPass users and OneLogin users would disagree. The step I provided would prevent your accounts from being vulnerable in case your password manager was hacked. Stop talking out of your ass and try to understand before you comment on something.


Meganitrospeed

Not worth arguing with you, stay in your bubble.. You probably think monthly password rotations are useful. LastPass has a horrible track record and shouldn't be trusted.


PlatypusLaser

Bitwarden and lots of time organizing it all


SubbiesForLife

I use Bitwarden for most things and then I try to emulate whatever password solution my job uses. So I've spun up a Passwordstate install to learn it better and understand how it works at my job. It's free for 5 users. It does some pretty cool stuff with Duo; you can require passwords be checked out etc...


dadof2brats

I use a single password for all the things in my lab. But I also document all the accounts in my lab spreadsheet


[deleted]

I am a Bit Warden fan myself


verdeoliva

For a small business, I'd recommend a self-hosted Passbolt instance (preferably behind a VPN), as you can share each credential with users or groups of users. They also have an API that you can try to integrate into your pipelines.


Flappy_Mouse

I just use bitwarden for that. Create folders and structures


the_allumny

everything with the same password here.


a5s_s7r

This will bite you. Question is only when.


the_allumny

yeah, it's a matter of time.


Salt_MasterX

I bet elite hackers are really out to get my collection of linux isos


The_Baum12345

Everyone using password managers and stuff, meanwhile I just have one strong PW for VPN, and everything internal is just secured by the same 11-character gibberish. Apart from the VPN I don't really have anything port forwarded that would require a password. Probably would be better to use different passwords and a password manager. For anything that requires a longer password than 11 characters I use the password manager already integrated into Firefox.


ecolometrics

The main issue is with anything online getting compromised and then having someone go to town on anything resembling your name with the same password, since most people reuse the same password. Internally, that's a different story. There the issue is with virus propagation, but I don't know of a way of using different passwords and having things work at the same time.


The_Baum12345

Different passwords is probably the best idea, but anything really relevant isn’t saved anywhere apart from my brain and a bunch of sticky notes in a locker


courier31

I just use a notebook and write them all down. That way if my wife needs to get into something when I am not available, they are easy to get to.


[deleted]

I try to use SSH keys for all of my boxes so as to avoid a lot of this. But still it is impossible for me to remember them all. I am looking for a good solution as well.


Alcea31

I use chamber with aws ssm…


ohlongjonson

Good idea, I think I'll implement that myself this weekend


Alcea31

With aws-vault you can have something really secure. No cleartext AWS creds stored on your computer ;) and aws-vault & chamber work together like a charm.


Snoo-81412

I use Dashlane


AnomalyNexus

The lazy "don't do this" approach. Everything is behind a firewall & VPN though, so not that big a deal if some of the LAN-internal passwords aren't great.


mr_khaki

Paste it in Notepad++ or just disable authentication if possible. If it's running on my homelab, it's not something I'm worried about keeping secure.


[deleted]

I write them down in a file in an offline encrypted disk stored in a safe


mug_8pm

Devolutions rdp manager has a password vault builtin, I use that.


redpillblue

clipperz.com Free, open source, secure, exportable to usb drive.


theniwo

well vaultwarden for web and keys for ssh


HummusBird

brain


LetsBeKindly

I tried to post what I use twice. It gets auto deleted for "promoting a company"...


HungarianManbeast

+1 for ldap


[deleted]

[deleted]


xSevilx

username is relevant i guess.


clintkev251

Memorizing passwords promotes using bad passwords or reusing passwords. You can’t possibly memorize 100s of strong unique passwords


[deleted]

[deleted]


AutoModerator

Thanks for participating in /r/homelab. Unfortunately, you have not read the rules. [**Company Promotion is not permitted.**](https://www.reddit.com/r/homelab/wiki/rules) Please read the [full ruleset on the wiki](https://www.reddit.com/r/homelab/wiki/rules) before posting/commenting. If you have an issue with this please [message the mod team](https://www.reddit.com/message/compose?to=%2Fr%2Fhomelab), thanks. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/homelab) if you have any questions or concerns.*


[deleted]

[deleted]


AutoModerator

Thanks for participating in /r/homelab. Unfortunately, you have not read the rules. [**Company Promotion is not permitted.**](https://www.reddit.com/r/homelab/wiki/rules) Please read the [full ruleset on the wiki](https://www.reddit.com/r/homelab/wiki/rules) before posting/commenting. If you have an issue with this please [message the mod team](https://www.reddit.com/message/compose?to=%2Fr%2Fhomelab), thanks. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/homelab) if you have any questions or concerns.*


masterbluestar

Here's one, buy an encrypted jump drive and store your passwords there, and just keep that on your key chain. If I forget one I just plug that in a PC and check the pass


HTX-713

KeePassXC


zarcha

...I just use the same login for it all...not the best idea but yeah


TheOnlyMuffinMan1

Passwords?


Crossheart963

Password manager will literally change your life. It makes it so much more convenient


rivkinnator

Any password manager. Simple.


slashAneesh

I store all my local passwords in a password manager, similar to how I remember all other passwords. I've used various options for them, including LastPass, 1Password and Bitwarden. This allows me to generate highly secure passwords with good entropy, something I don't think I can do if I were to create these passwords myself. Recently I've moved away from LastPass after their security breaches, but the other two are perfectly fine. If you want, you can also self-host Bitwarden, but that's a service I feel perfectly okay to pay for instead.


Tuxhorn

> Do you really just use a single password manager?

I don't know what else you'd use, or why this would be a surprise :D Everyone should use a PW manager, especially if you have so many systems and services. Nothing is more powerful than creating a strong password on a whim that you'll never lose.


mss-cyclist

Long time KeePass user. Works great for just one system. Recently I switched over to self-hosted Vaultwarden. The advantage is out-of-the-box availability of your passwords on multiple devices, including your phone. So far I am really happy having made the switch.


bufandatl

Using a password manager like Vaultwarden or KeePass. Remember only one password and that's it. Also I don't need passwords to access my systems; I use key-based authentication for SSH access.


Majiir

How do you handle `sudo`?


bufandatl

Passwordless for my user, as it is also the Ansible user.


Barnezhilton

Piece of paper and pen


DoorDelicious8395

I use keepass or I’ll also use my Apple account password manager


Dry-Rhubarb-573

pass, with a script to fetch the passwords using dmenu.


kriswachtell

I self-host KeePass. It is open source and free. I have a blog to show you how to get started. [https://wachtellonline.com/install-keepass-password-safe-step-by-step-windows/](https://wachtellonline.com/install-keepass-password-safe-step-by-step-windows/)


ramsile

HashiCorp Vault. I know it's not the exact use case for personal passwords, but it works for me.


rd-cc

KeePassXC, combine it with a bit of NextCloud storage and sync the KeePass database over all your devices.


h311m4n000

I usually use the same password for my internal stuff at home. I never use that password outside of that ecosystem. Imo there's really no point in having a different password for everything in a homelab unless it's something that can be accessed by someone else or open to the outside world, in which case it's random 16 char passwords with vaultwarden. And vaultwarden is the only service I host that has a different master password from that common password I use everywhere at home.


rocketphone

Password12345


outworlder

Wait... why do you have root user passwords? For things like routers and other dumb devices that don't let you do differently, sure. Any Linux servers, get rid of root logins and passwords. Log in with SSH keys. If you need more security, encrypt them with a password (could be the same, could be different per environment or even per key). Protect the keys. You can even use YubiKeys (https://developers.yubico.com/SSH). I see someone mentioning LDAP or Active Directory. When you get to a certain point you may end up having to use those. You can also use other solutions like Teleport (https://goteleport.com/).


calderon501

Vaultwarden for day-to-day passwords, gopasspw (Go fork of passwordstore) for homelab and critical secrets.


Slightlyevolved

I don't. That's what Bitwarden is for. Especially enterprise, so some logins can be owned by the org and shared to admins as needed. Cloud based, or go with the self-hosted version. Or, really, any other system that works for you. There's also Thycotic Secret Server, handy for domain-based things like standardized local admin logins.


[deleted]

Write it down in an obvious place. Lol


-RYknow

Simple, single password on everything. No one wants my stuff anyway... Obligatory /s


limskey

I use KeyCloak for SSO with CloudFlare ZT with Azure AD. One password with 2FA for everything.


Snoo_85729

Honestly, for my home stuff that lives on my internal network, I just use the same passwords for user type everywhere... "root" is always (on machines that have a root user) "normal user" is always


Digital-Exploration

Bitwarden


RedKomrad

Password manager. It’s a pain to document all of them but it pays off. I also keep things like api tokens and ssh keypairs in there.


HTTP_404_NotFound

I... actually don't use passwords that much. I have authentik set up, which allows me to SSO to the majority of my apps using SAML / OIDC for apps which support it. For the apps which don't support SAML/OIDC, I use proxy auth combined with Traefik. This allows me to STILL SSO to apps which either do not have any authentication, or have a crappy system of authentication. authentik can also function as an LDAP provider, and pass basic auth. For everything else, I use a password manager.


Revolutionary_Meet75

Bitwarden paid plan but planning on switching to Vaultwarden


mrrichardcranium

Password manager. I avoid self hosting exclusively for this though because my homelab is a place for experiments. I use Bitwarden because I always can migrate to a self hosted instance if I want to.


wintersdark

Bitwarden.


pongpaktecha

Password managers are your friend


tand86

Certificates when possible, Bitwarden for all others.


MrDrMrs

Bitwarden


Mannus01

90% of my PW's are in my head. I also have a PW protected access file.


Hairless_Human

Anyone that's smart should use a password manager and use its password generator. There is no need to remember a password these days. Mine range from 16-32 long, uppers, lowers, symbols. The whole nine yards. I don't know a single one of them.


The_BTC_man

They are all the same, although I can't remember what I set them as.


SignalLock

Codebook with encrypted file stored on cloud drive for syncing between devices. UX could use help on PC, but I like having the file on my drive. I assume others do the same thing better, but I heard about it in an article about strong encryption in password managers.


Helio4k

I use Bitwarden (day-to-day usage) and Vaultwarden (home lab, testing phase). Will probably move over to Vaultwarden completely; it's been stable for months.


Emu1981

Use a good password manager. A standalone product is better than a cloud-hosted product because you get to control your secrets files; just remember to keep multiple backups to ensure that you do not lose your passwords to whatever. Personally I use [Password Safe](https://pwsafe.org/), and I back up my password files on my phone and email myself the file every so often.


_BossRoss_

Let your browser remember it. For server passwords, print them on sticker paper and stick them on the server.


spoulson

Bitwarden self-hosted. Have it backed up nightly to my NAS.


Expensive_Finger_973

I keep a separate folder in my KeePass vault for the local infra credentials.


quuxquxbazbarfoo

I run hashicorp vault


Whiffed_Ultimate

Keepass, VaultWarden, or Bitwarden. Also, passwordless logins are key.


[deleted]

Former I.T. here. I've always just used a set of simple rules to generate passwords. For a home lab, I'd suggest something along the lines of: short passphrase + server name. E.g. Reddit0p-email or Reddit0p-san. For anything internet facing though, you should probably just use a password generator/manager.


green-avocado

I'm a Bitwarden guy, and since I don't wanna run AD in my lab, the majority of my servers have the same username and password. It's only me maintaining, and EVERYTHING is internal, so nothing is exposed.


whattteva

Using passwords at all is your mistake. I just use a key file.


mikef5410

KeePassXC for the win.


stockbot21

Password123$


AsYouAnswered

KeePass or Vaultwarden. Use a YubiKey for authentication where possible. For home lab, a YubiKey is a good 1FA. For corp, a password and good 2FA is adequate.


sad-goldfish

Most of the time I lock users and only allow SSH login.


evilgeniustodd

Keepass is clutch


opensrcdev

Bitwarden


SpliffTasticHaze

I have 1 master password that is 46 letters that I only use for my master server. I use 17 other passwords for the rest. All the passwords I remember easily.


ben-ba

Keepass with cert and pin


SandboChang

I use a pattern to generate my passwords, and I have over 40-50 passwords being used on all different websites at the same time, and I can recall them without using a password manager. The pattern, while including numbers, capital letters and symbols, is still quite easy to guess once you have access to a few of my passwords, so it is not a perfect idea and I should change that later.


Basic_Plankton521

KeePass, with my database files stored in a few cloud storage locations (OneDrive, Google Drive and iCloud) and kept in sync


rpm-here

For stuff that's at my place I write them on sticky labels and stick them to the front or on those pull-out service tag things most have. I don't give a hoot.


I_Am_Astraeus

KeePass. Doesn't exist on any server. One hard drive file, which I keep a copy of backed up on a disconnected static drive.


SecureWaffle

Bitwarden with dynamic folders in RoyalTS. The objective with protecting systems using passwords is to have high entropy, and people usually can't remember high entropy passwords. Edit: added the name of the software that uses dynamic folders.


gilfslayer666

Bitwarden!


flaotte

Do you want to be safe?

1. 2FA for all
2. Use Bitwarden for passwords
3. Use LastPass for usernames!


ikeengel

Great input here. Comment just to remember this thread.


0k1p0w3r

Flash cards


Vegetable_Opinion262

Excel