
No possibility for a MITM attack (except, I suppose, with a keylogger, but then you've got bigger problems), and absolutely NOTHING outside of encryption, whereas whoever has this leak now knows what users have accounts on what websites, which is a veritable treasure trove.

That plus security through obscurity: no one is presuming you're going to come out of a Dropbox hack with millions of password vaults. Even finding them would be... nightmarish. (Though I suppose you could somehow hack a Dropbox file index database?) The value of a target like LastPass is absolutely insanely high: it's a concentrated honeypot of encrypted vaults.

Plus, the Android app makes using a Dropbox synced folder location fairly trivial, so that works pretty well. And you can set your own number of password rotations, which, while annoying when it takes my phone 5-10 seconds to unlock, realllllllly helps ensure no one else is going to crack this vault if they ever got it.
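The "number of password rotations" mentioned above is a key-derivation work factor: the vault stretches the master password through many rounds before deriving the encryption key, so an attacker who obtains the encrypted file must repeat that work for every guess. The following added example (not code from the thread or from KeePassX) uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the vault's own KDF, which is an assumption; the function names, the benchmark password and the cost model are constructed for illustration. It shows how the same round count that slows unlocking on a phone multiplies the cost of an offline attack, and how to pick a round count from an unlock-time budget.

```python
"""Added example: key-derivation work factor vs. offline cracking cost.

PBKDF2-HMAC-SHA256 stands in for the vault's KDF (assumption); the
attacker speed-up and guess-space figures are illustrative inputs.
"""
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key.

    An offline attacker holding the vault file must perform exactly this
    computation for every password guess, so `iterations` is the knob
    that sets their cost.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations, dklen=32)


def measure_seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (what unlock costs the user)."""
    salt = os.urandom(16)                      # fresh random salt, as a real vault would store
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(b"benchmark-password", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_years(seconds_per_guess: float, guess_space: float,
                         attacker_speedup: float = 1.0) -> float:
    """Expected time to recover the password by brute force.

    On average half of the guess space is tried before the hit;
    `attacker_speedup` models a GPU rig being faster than the user's phone.
    """
    guesses = guess_space / 2
    seconds = guesses * seconds_per_guess / attacker_speedup
    return seconds / SECONDS_PER_YEAR


def iterations_for_unlock_budget(target_seconds: float, probe: int = 10_000) -> int:
    """Choose an iteration count so that unlocking takes about `target_seconds` here."""
    per_iteration = measure_seconds_per_derivation(probe) / probe
    return max(probe, int(target_seconds / per_iteration))


def cost_report(iterations: int, guess_space: float, attacker_speedup: float) -> dict:
    """Summarise user-side unlock delay and attacker-side expected effort."""
    per_guess = measure_seconds_per_derivation(iterations)
    return {
        "iterations": iterations,
        "unlock_seconds": per_guess,
        "expected_crack_years": expected_crack_years(per_guess, guess_space, attacker_speedup),
    }


if __name__ == "__main__":
    # Constructed scenario: a 60-bit-entropy passphrase, attacker 1000x faster than this host.
    for rounds in (10_000, 100_000, 1_000_000):
        print(cost_report(rounds, guess_space=2 ** 60, attacker_speedup=1_000))
    print("rounds for a ~1 s unlock:", iterations_for_unlock_budget(1.0))
```

The report makes the trade-off in the comment explicit: raising the round count by 10x costs the user 10x on unlock and costs the attacker 10x per guess, which only pays off if the master passphrase itself has enough entropy that the multiplied cost becomes prohibitive.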



> No possibility for a MITM attack ... and absolutely NOTHING outside of encryption

LastPass is a disaster, but in theory these benefits are true of Bitwarden as well. They say they encrypt the entire vault, no exceptions, and do the encryption entirely on device.

I can see the honeypot argument, but Dropbox is also a big honeypot for different reasons (tons and tons of plain text information that could be very valuable in the right hands). And I don't think finding the vaults would be as hard as you think it would, because searching for encrypted files should be relatively easy, and any encrypted file is probably worth attempting to crack.

I'm not trying to argue for cloud password managers; I'm totally open to being persuaded and would immediately switch if I were, but I'm really failing to see where the added security is versus Bitwarden. Bitwarden is open source just like KeePassX, so if it did not implement the security model it claims to, I think someone would have blown a whistle by now.



