Deleted my LastPass account permanently today.. switched to 1Password.

Until Vaultwarden, I was never comfortable storing passwords anywhere else. Even worse, I used to use variations of the same password, because I am only human and can only remember so much.

Only after Vaultwarden, did I confidently begin storing passwords and used absolutely random characters and absolutely random passwords.

To those saying self hosting BitWarden/Vaultwarden is not a security feature, do you have tips as to improve the security hardening of Vaultwarden?

Things, I could think of
1. Disabling the admin token.
2. Preventing WAN access. (To be done on the router)
3. Setup Reverse proxy with fail2ban.
4. For WAN access, consider something like tailscale.
 
Until Vaultwarden, I was never comfortable storing passwords anywhere else. Even worse, I used to use variations of the same password, because I am only human and can only remember so much.

Only after Vaultwarden, did I confidently begin storing passwords and used absolutely random characters and absolutely random passwords.

To those saying self hosting BitWarden/Vaultwarden is not a security feature, do you have tips as to improve the security hardening of Vaultwarden?

Things, I could think of
1. Disabling the admin token.
2. Preventing WAN access. (To be done on the router)
3. Setup Reverse proxy with fail2ban.
4. For WAN access, consider something like tailscale.
Vaulwarden is awesome.. running it as a docker container

- I am using Cloudflare tunnel for wan access
- Have enabled 2FA for additional security

what do u mean by
Preventing WAN access. (To be done on the router)
 
what do u mean
I meant preventing remote access to the router management page itself. And also stop port forwarding vaultwarden or anything else. Both of these hold water only if your ISP provides dynamic IP instead of CGNAT IP. Sometimes having a CGNAT IP is a blessing. (case in point)

With cloudflare tunnels, is your vaultwarden exposed to the public internet directly? Doesn't that open it to brute force attacks (if you haven't used fail2ban)