Interactive Brokers for dummies

Like I said, I have a permanently-offline Android device where all my more sensitive passwords are stored. It has no data connection after initial setup - there’s no SIM, it doesn’t remember my Wi-Fi password, it’s even permanently in airplane mode, saves battery too. I transfer data to/from it via its SD card when I rarely have to do it, for backups mainly. So I don’t have to worry much about malicious software in it - it has nowhere to leak my data to. It just works, doesn’t need updates, it’ll last until the hardware dies. I also run all various authenticator apps on it (Google Authenticator, Symantec, IB, CrontoSign, etc) - because they don’t need internet either and it’s an Android phone, it can run them. Needless to say, the device itself is encrypted too.

On my phone and desktop I keep separate KeePass databases for less sensitive stuff which I manually sync. I could put it on Dropbox or something, but really syncing is not much work since I don’t create a new password every day.

Dropbox might get compromised, but your password database on it is still encrypted, so that’s not enough to gain access to it - the attacker would also need to get ahold of your password to it. With 2-in-1 solutions like LastPass just the LastPass itself needs to get compromised, make a malicious code change, push it to users or something like that and you’re owned.

I carry my Android security token all the time.

Hardly really remember the last time I had to change a password. When you have a unique password per website it’s not such a big concern to change them regularly. KeePass database however has a field with modification time so it can merge the changes properly on a sync, and it can also keep a history of previous passwords.

Android obviously is not exactly open source, there’s enough proprietary patent-covered shit in it, even though most parts are open source, but on desktop yes run all open source. Closed source and random downloads strictly in a virtual machine.
