← Back to the blog

July 1, 2026 · 4 min read

Team Passwords: Vaultwarden Instead of a US Datacenter

A shared password store belongs inside the company, not in a cloud you don't know. Why "we have MFA" isn't the finish line — and why rotation is dead.

AA
Anton Anders
IT consultant & developer

Quick answer up front: your team’s credentials belong in a store you control yourself, not in someone else’s cloud whose location you can’t point to on a map. Vaultwarden gives you exactly that — a self-hosted password manager, compatible with the Bitwarden apps, running on a small machine in-house or at an EU provider. And two fond habits can go overboard while you’re at it.

Why self-host at all

Most teams manage passwords one of two ways: as a mess of Excel sheets and chat history, or in a SaaS vault whose provider sits somewhere. The first is a leak waiting to happen. The second just moves the problem — your most sensitive data, the keys to everything else, sits with a third party. It’s the same pattern you know from Microsoft 365 and the GDPR, just with higher stakes.

The LastPass breach showed that big providers fall too: an attacker got at the encrypted vaults of entire customer bases. There’s nothing wrong with using a password manager, quite the opposite. But there’s a difference between the vault sitting at your place and sitting with someone you don’t know.

Vaultwarden is a lightweight, open-source server implementation of Bitwarden. The clients for browser, phone and desktop stay the same, only the vault runs at your place. For a small team, a very modest machine is enough.

”We have MFA” isn’t the finish line

Multi-factor is mandatory, but not every variant is worth the same. A one-time code by SMS can be intercepted, and the constant push confirmations on the phone are annoying until someone taps “approve” out of irritation — which is exactly what attackers count on. And afterwards the employee gets the blame, even though the system set the trap.

The way out is passkeys, or FIDO2: instead of a code you type, a cryptographic key bound to the real destination. A fake login page gets nothing out of it. Vaultwarden supports passkeys, and for the accounts that would really hurt to lose, they’re the more honest choice.

Rotation is dead

The second habit that can go: the forced password change every 90 days. The BSI and NIST have advised against it for years, and for good reason. People forced to invent new passwords build patterns — Summer2025! becomes Autumn2025!. That’s no hurdle for an attacker, but a daily annoyance for users.

The opposite is better: long, unique passwords, a different one per service, changed only when there’s a reason to. That’s exactly what a password manager takes off your hands. It rolls the passwords, remembers them, and nobody has to think up Autumn2025! anymore.

Keeping control without babysitting the server

Staying honest: self-hosting means running it. The server wants updates, backups and someone who feels responsible. That leaves three honest paths — here they are side by side:

Bitwarden CloudVaultwarden self-hostedVaultwarden managed
OperationsThe provider’s jobYour job: updates, backups, monitoringThe service provider’s job, you watch
Data sovereigntyVault sits with the provider, location is their callFull control, vault on your own machineYour own vault in a German datacenter
EffortMinimalNeeds someone who feels permanently responsibleLow, operations are outsourced
Cost characterOngoing per-user subscriptionOwn hardware plus working hoursOngoing flat rate for operations

If you want it simple and don’t have the operations hand, the paid Bitwarden service is sensible. If you want full control and have someone for it, host Vaultwarden yourself. And in between is the path most teams are actually after: have the vault run managed, in a German datacenter.

That’s what cloudsourced is for — Vaultwarden, operated in German datacenters, GDPR-compliant, with updates, backups and monitoring included. You get your own vault on German soil, without having to babysit the server. The control stays with you, the operations don’t.


Want a password vault for the team that’s yours and still runs reliably? Get in touch, or take a look at cloudsourced directly — Vaultwarden from German datacenters, so you look after the passwords and not the server.

Frequently asked questions

What is the difference between Bitwarden and Vaultwarden? +

Bitwarden is the official service, server and apps included. Vaultwarden is a lightweight, open-source server alternative that works with the same Bitwarden apps — the clients stay identical, only the vault runs on your own server.

Is a self-hosted password manager more secure than the cloud? +

It shifts the trust: instead of trusting a third-party provider, you trust your own operations. That's only more secure if updates, backups and access control run reliably — otherwise a serious cloud or managed provider is the more honest choice.

Do passwords need to be changed regularly? +

No. The BSI and NIST advise against forced changes without cause, because they only produce patterns. Better: long, unique passwords per service from the password manager, changed only on concrete suspicion.

What does Vaultwarden need in day-to-day operation? +

A small machine, regular updates, monitored backups and someone who feels responsible. If you don't have that hand in-house, have the vault run managed rather than letting it run unattended.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.