The database is encrypted when at rest; i.e., no plaintext is stored on Dropbox. Assuming your master password is decent, you could plaster the database on a billboard and it would be safe. LastPass, on the other hand, encrypts some information (the actual passwords). The URLs and other sensitive information are stored in plaintext in the cloud. [Final edit. I swear.] As you note, as long as the entire blob is encrypted it doesn't really matter how it's replicated; BitWarden's one-stop-shopping can certainly be more convenient.


But that is the same claim that Bitwarden and 1Password make. Both insist that they don't ever see your master password, which means that your vault security depends entirely on it being good enough. And both encrypt everything.

Assuming that I trust Bitwarden not to lie about their security model, what do I gain by piecing together multiple tools to accomplish the same thing?


(Sorry, I turned around and made an edit, but not before you replied.) KeePass encrypts the entire database, all fields, as one giant blob. LastPass stores URLs and other fields as plaintext; these too can contain critically sensitive information. [Edit: (See I flagged it)] As far as I know it wasn't LastPass's client that was compromised--it was their servers/data store.
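As an added illustration of the distinction this comment draws (example code, not from the thread or any of the products named), the following constructed Python stores the same sample vault two ways, as one encrypted blob covering every field and as a record where only the password field is encrypted, and then checks which field values remain readable verbatim from the bytes at rest. The sample entries, the salt, and the HMAC-based stand-in cipher are assumptions made for the example.

```python
import hashlib, hmac, json, os

# Constructed sample vault; none of these are real credentials.
VAULT = [
    {"url": "https://bank.example", "user": "alice", "password": "correct horse"},
    {"url": "https://mail.example", "user": "alice@mail.example", "password": "battery staple"},
]

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Slow KDF: the master password is the only thing left to attack once the blob is encrypted.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode plus an HMAC tag.
    # Real vaults use AES or ChaCha20 with authentication; this keeps the example stdlib-only.
    nonce = os.urandom(16)
    blocks = (len(plaintext) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                      for i in range(blocks))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def whole_blob_at_rest(vault, key: bytes) -> bytes:
    # Whole-database model: one ciphertext covering URLs, usernames and passwords alike.
    return encrypt(key, json.dumps(vault).encode())

def field_level_at_rest(vault, key: bytes) -> bytes:
    # Field-level model: only the password field is encrypted; URL and username stay plaintext.
    records = [{"url": e["url"], "user": e["user"],
                "password": encrypt(key, e["password"].encode()).hex()} for e in vault]
    return json.dumps(records).encode()

def visible_fields(at_rest: bytes, vault) -> set:
    # Which field names have at least one value that can be read straight out of the stored bytes?
    return {field for entry in vault for field, value in entry.items() if value.encode() in at_rest}

def compare(master_password: str = "a decent master password") -> dict:
    key = derive_key(master_password, salt=b"constructed-salt")
    return {
        "whole_blob": visible_fields(whole_blob_at_rest(VAULT, key), VAULT),
        "field_level": visible_fields(field_level_at_rest(VAULT, key), VAULT),
    }

if __name__ == "__main__":
    print(compare())
```

The same `visible_fields` check can be pointed at a real exported vault file to confirm what a sync provider or backup would actually hold.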


Haha, the edits got very confusing but I think we're now on the same page.


Their software does see your master password. It may process it locally, it may not. If it's run in a web client inside a browser, that may change at any second. This may happen due to an attack, their mistake, their dependency vulnerability or a plain lie on their part. Fundamentally you need to trust them.

In the case of KeePass and independent sync (doesn't have to be Dropbox), the software that sees the master password doesn't need access to the internet. It can even be airgapped if you are extra paranoid.

So to sum it up: KeePass + sync is better, because there's no single party that is even able to screw you up to the point of leaking your passwords. "Impossible to fail" is better than "they are doing their best, pinkie promise".

Also - why pay a recurring fee for yet another cloud storage, when I just need plain encryption software.


> Their software does see your master password. It may process it locally, it may not. If it's run in a web client inside a browser, that may change at any second. This may happen due to an attack, their mistake, their dependency vulnerability or a plain lie on their part. Fundamentally you need to trust them.

All of this applies to KeePass, minus the browser extension bit (which is trivial to avoid by not using the browser extension). The only difference is that you can theoretically firewall KeePass from the network, which I'll grant you would make a difference, but the fact that you reserve that for the extra paranoid suggests most don't do that.

> because there's no single party that is even able to screw you up to the point of leaking your passwords

Again, only true if you block network access. If not, you have as many points of failure as with Bitwarden, because only the client needs to be compromised to get both vault and password.

> Also - why pay a recurring fee for yet another cloud storage, when I just need plain encryption software.

Bitwarden free is plenty for me right now, so this doesn't play into my calculus.

Personally, I'm not interested in making the switch if I'll have to fiddle with firewalls on all my devices in order for it to be more secure than my current solution. It's not that this conversation has made me think less of KeePass, it's that I'm yet to see a convincing argument that Bitwarden is worse than what I would end up with in practice by switching.


Still - cloud password managers are built to upload your data to the network, and it's much easier to smuggle something there, whereas KeePass, apart from maybe an update check, doesn't have any network activity. Someone would spot it pretty fast and that would be instant death for the project. On cloud solutions it may take years to be found, as demonstrated here: https://arstechnica.com/information-technology/2022/06/mega-...

That being said - Bitwarden is pretty transparent in what they do, compared to the competition, and I'm seriously considering giving it a try (but with a self-hosted backend).

