I tried to stick with KeePass.x for the longest time, but keeping the keepass databases in sync across multiple platforms/devices, while possible, was very much a pain and quite a clunky/messy process which always required me to remember to do something after updating the database anywhere. I eventually gave up and migrated to Lastpass which "Just Works™" on all my devices.
Keep it in Dropbox, then it's on all your devices.
I keep my KeePass database in my Dropbox, behind 2FA, with the main Dropbox password being a random string stored within the KeePass database. I have KeePass itself stored on my Dropbox as well, so I don't even need to install it to other Windows PCs, simply run the program. And the KeePass2Android app works quite well with this configuration.
I do the same and find it easy to use. I also store a key file in a different cloud service so that both would need to be compromised along with the password to access the database.
I do the same, but it is a hassle. I constantly get warnings in KeePass that the database file has changed and have to click 'Yes' so it merges the changes. It's always worked so far, but I guess if I click the wrong button I will lose an entry.
Sometimes I get conflict files in the Dropbox folder. Not often, but a few times over the last year.
On iOS I have to open Dropbox and re-export the database file to see new entries. If I ever want to add or change an entry on mobile I have to manually export the file back into Dropbox. If the database in the app wasn't up-to-date, that will lose any entries added on desktop.
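The conflict copies and lost-entry risk described in the comments above are easy to miss in a sync folder. The following script is an added example (not from the thread or from KeePass/Dropbox): it finds Dropbox-style "conflicted copy" .kdbx files, reports whether each copy is byte-identical to the original (safe to discard) or has diverged (merge it first with KeePass's File > Synchronize), and builds a constructed sample folder to run against.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Dropbox names a sync conflict "<name> (<host>'s conflicted copy YYYY-MM-DD).kdbx"
CONFLICT_RE = re.compile(
    r"^(?P<base>.+) \(.+ conflicted copy \d{4}-\d{2}-\d{2}(?: \(\d+\))?\)$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_conflicts(folder: Path) -> Dict[str, List[dict]]:
    """Map each original .kdbx to its conflicted copies. A byte-identical copy
    can be discarded; a diverged copy may hold entries the original lacks and
    should be merged (KeePass: File > Synchronize) before it is deleted."""
    report: Dict[str, List[dict]] = {}
    for path in sorted(folder.glob("*.kdbx")):
        m = CONFLICT_RE.match(path.stem)
        if not m:
            continue
        original = folder / f"{m.group('base')}.kdbx"
        entry = {"copy": path.name, "original_present": original.exists(),
                 "identical": None, "newer_than_original": None}
        if original.exists():
            entry["identical"] = sha256_file(original) == sha256_file(path)
            entry["newer_than_original"] = path.stat().st_mtime > original.stat().st_mtime
        report.setdefault(original.name, []).append(entry)
    return report


def demo() -> Dict[str, List[dict]]:
    """Constructed sample folder: one database plus two conflict copies."""
    folder = Path(tempfile.mkdtemp())
    files = [("vault.kdbx", b"constructed-db-v1", 1000),
             ("vault (laptop's conflicted copy 2017-03-01).kdbx", b"constructed-db-v1", 1000),
             ("vault (phone's conflicted copy 2017-03-02).kdbx", b"constructed-db-v2", 2000)]
    for name, content, mtime in files:
        p = folder / name
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))  # fixed timestamps so the report is deterministic
    return find_conflicts(folder)
```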
The KeeFox extension for Firefox works but is unreliable, especially on Linux.
I transfer the database, keyfile, and exe files to the new target, then login. Or I might just hand-type the random-string, viewed from my phone, because I am a hardcore operations administrator. In the event of a catastrophic loss of access, I retain backup codes physically recorded in a safe location. And the keyfile, database, & exe are currently in 3 separate devices of mine.
All 3 PCs are in one location, as I only have one living location and rent no colo or VMs. But I'm not worried about having some sort of Dropbox access issue at the same time as a physical incident at my residence, as the probability is (I think) still lower than my very low risk avoidance.
Also not the GP, I do the same thing. In my case I need access to one of my devices with Dropbox configured (my laptop or my phone are most likely, my server syncs too).
Dropbox stores the files locally (on the phone, the kdbx file is marked to be cached and updated offline and I use dropsync).
If someone deletes my kdbx file from my Dropbox account, and I don't realize this in time (before all my devices sync _and_ my backups run out, so very small chance given the nature of the file) I'm in a lot of trouble...
Not the GP, but the password manager's database is likely set up as a Dropbox app. So when you log in to your password manager, it retrieves the latest copy of the database. I do this with KeeWeb (cross platform PW manager compatible with KeePass database, although KeePass is better on Windows because of autotype).
I think KeepassXC includes the "auto-reload" patch, which causes the database to be automatically reloaded whenever the file changes; if you also enable auto-save this allows for fully automatic synchronization if you store your encrypted database file in Dropbox or similar.
Holy shit, this has actually been such a problem for me in the past. To the point where I actually had "read-only" copies of the db to avoid any corruption or password loss.
I also like how LastPass can be administered by company / team admins, has 2FA, allows you to share passwords (or groups of passwords) with people (or teams of people), has some built in tools to help automate password updates, and can give you a quick at a glance audit of which passwords are old / insecure / are used more than once / are used for services that have been reported hacked and should be changed.
But... HackerNews hates LastPass for some reason... still haven't quite figured out why. (= It's a great service.
To say something cliche... aren't you letting perfect be the enemy of good? =P
Most teams (you'll agree?) have horrible aggregate password management. With every person storing passwords their own way... and only a few people actually having good passwords... isn't security at the organization level really crappy? Here's a real world example... you can have all the security you want on your servers... but if someone in legal still has access to the "Passowrd123" for the AWS account... isn't the team at a disadvantage? Another cliche warning: I need to care about forests, not trees.
At least with LastPass (or whatever other system you can think of that's similar) you can set up "pretty good" team-based policies... share passwords with people who need access (and often not even expose the actual password, just access to it, so you don't have to change everything in the event of turnover)... set up dead man switches on key accounts (for the hit by the bus scenario we all talk about)...
I know that LastPass has made my life significantly easier since adding it to a number of companies I consult for. I don't know of any security issues first-hand, and I've been using their service for 7 years (personally, and 5 years with teams). I like all the self-hosted options I keep reading about -- glad people are taking security more seriously... but at the end of the day if it's not a comprehensive team-based solution, it's just not something I want to put any stock in. If I can't administer it across a team, if it's just another "personal use only" type option... I don't find any value to it in the workplace.
One difference is that Dropbox isn't the only option: there's Google Drive, Amazon Drive, OneDrive, Box, OwnCloud, Syncthing, Resilio Sync, SFTP, and many other "plain dumb file sync" tools to choose from. That certainly increases the security footprint some. You might know I synchronize a KeePass file with a cloud provider, but you might not know which cloud provider, and while the chances of any one particular cloud provider being hacked are somewhat large it seems, the chances of all of them being hacked enough at the same time that you find the KeePass file needle in my particular cloud footprint haystack is hopefully pretty rare. It's also something that if you get wind of an attempt in progress you can mitigate/defend by switching sync services or removing it from sync altogether until the attempt ends...
Because it's "dumb file sync" with a number of options, there are also some really interesting options with interesting security footprint trade-offs of their own. Resilio Sync, for instance, originally known as "BitTorrent Sync", supports peer-to-peer sync and more interestingly supports "encrypted peers" where you can have a cloud provider participate that "knows nothing" about what is inside the synced folder but can still share/sync it with your devices that do.
Similarly, if someone develops something crazy like a killer secure and somehow user friendly IPFS sync option tomorrow, you could switch immediately.
Not that similar. The reward-to-effort ratio for attacking LastPass is much better, you'll gain access to the passwords of so many users. With Dropbox, it's less likely that you'll find something valuable and therefore less worthwhile to try. Most users would store their vacation photos, perhaps income tax info which might be useful but not as instantly exploitable as passwords.
Plus the password database is likely encrypted with a decently long master password and encrypted with AES (assuming this if the user has gone to the trouble of using a PW manager with Dropbox sync, hopefully with Dropbox 2FA also). That should be enough to keep out virtually all hackers, barring perhaps a nation state. For an extra level of security, you can (with KeePass at least) require a master password and key file (perhaps stored offline on a USB key), which will likely keep out virtually anyone.
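The master password plus key file combination mentioned above (and in the earlier comment about keeping the key file in a second cloud service) works because KeePass folds both into one composite key. The code below is an added example, not code from the thread or from KeePass; it reproduces the KeePass 2.x composite-key derivation for a password and a raw/hex/arbitrary key file (KeePass's XML key-file format is deliberately left out), and shows that neither component alone reproduces the key.

```python
import hashlib
import re
from typing import Optional


def key_file_component(data: bytes) -> bytes:
    """32-byte contribution of a key file, following KeePass 2.x rules:
    a 32-byte file is used as-is, a 64-character hex file is decoded,
    any other file is hashed with SHA-256. (XML key files not handled here.)"""
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9a-fA-F]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """KeePass 2.x composite key: SHA-256 over the concatenated 32-byte
    components, in the fixed order password then key file. This value is
    what the KDF (AES-KDF or Argon2) is then run on to unlock the database."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_component(key_file)
    if not parts:
        raise ValueError("at least one of password or key file is required")
    return hashlib.sha256(parts).digest()


def key_file_changes_key(password: str, key_file: bytes) -> bool:
    """True when adding the key file yields a different composite key than
    the password alone, i.e. an attacker holding only the .kdbx and the
    password still cannot derive the unlock key."""
    return composite_key(password, key_file) != composite_key(password, None)


if __name__ == "__main__":
    # Constructed sample credentials; a real key file would be random bytes.
    pw = "correct horse battery staple"
    kf = bytes(range(32))
    print("password only :", composite_key(pw, None).hex())
    print("password + key:", composite_key(pw, kf).hex())
    print("key file alone:", composite_key(None, kf).hex())
```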
Not really. If Dropbox is compromised and they get your .kdbx file they've still got to be able to break that (unless you use the same password for Dropbox and your kdbx file... which is not a good idea).
You don't have to keep all of your credentials in LastPass. For example, I don't store any email credentials or important accounts such as Google or Microsoft. Everything else (like HN) is negligible if LastPass gets owned.
Depending on the use case. If you're working in a company and need to share something with a co-worker (like credentials for some web service), team-based solutions are the safest solution.
I use Syncthing on a central server that automatically pushes changes that I make to KeePass to every other device that is connected to the server. It's been amazingly useful.