The fact that BW is open-source allowing the ability to self-host is a very awesome and unique feature. The fact that Dani Garcia ported the code and allowed you to host vaultwarden on a low-power device like a Pi or a small VPS is even more awesome. The fact that they both made it easy to install and run the service with Docker etc., and that there are a lot of guides on how to set the whole thing up is super awesome. You can play around, learn some things, and get control of your own data. It’s all awesome. But none of that is a security feature.

BW started as a tool for enthusiasts, people who probably can review and compile source code, set up a server, and run services securely – seasoned c/selfhost@lemmy.ml folks. Maybe in their hands, a self-hosted instance of BW can come close to the security provided by the official service. If they are experts in the field, maybe they can make it even more secure. Maybe.

For most people visiting this sub today that is patently untrue!

Most self-hosting posts today are chock-full of comments asking how to register a domain or set up dynamic DNS, or asking what is Docker. Do you honestly think that these people are knowledgeable enough to set up their own BW service securely? Are they knowledgeable enough to evaluate the original team, their product, its source, and its security; to evaluate a completely different team, with a different source; to set up a secure server and host a service without succumbing to all the pitfalls of novice self-hosting; and to do it better than the guys at Azure?

Hell No!

The fact remains that for the greatest majority of people coming here, using the official BW service hosted by Microsoft remains the most secure way to use Bitwarden. That should be the default advice on this sub. To state or imply otherwise is misleading at best and a patent lie at worst. Please stop recommending self-hosting as a security feature. Please stop leading the lemmings off the cliff.