OK, I see your point. I guess I will consider ditching LastPass for KeePass. But that’s what 2FA is for. A password is relatively easy to steal, so for crucial accounts there has to be a second factor.
But if you want to safely use KeePass, you need to have the right approach, right? Like, not installing the freshly released version right away? It is open source, which means people can have a look at the source code. But between the release and somebody being able to verify, in the thousands of lines of code, that a malicious change hasn’t been made, it will take some time. What’s your approach on this one?
And if you put your encrypted file with passwords on Dropbox, is it safe? You can’t have your passwords physically around you at all times, but sometimes you may need to access your account away from home. And if you don’t store your file in the cloud, then you need to take care of backup and synchronisation. One copy on the laptop, another on the pendrive? Then after you change a password, remember to update all backups? Is this the alternative to cloud storage?
And about not trusting a proprietary company: do you run your KeePass on an open source OS? Is all the software that you use open source? Do you log in to your online banking and broker through an open source browser? If not, what guarantee do you have that Microsoft, Apple, Google, or that torrent app running in the background is not scanning your keyboard input? Don’t get me wrong, I’m not questioning your choices, I’m just getting a bit paranoid and trying to figure out the best approach to online security.
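On the "remember to update all backups" problem raised above: the copies of a KeePass vault can be compared by hashing the encrypted .kdbx files, so a forgotten backup shows up before it is needed. This is an added example, not code from the thread or from the KeePass project; the helper names and the three sample copies are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical helper (not from the original thread). A .kdbx file is already
# encrypted, so hashing its contents reveals nothing about the passwords; it
# only tells us whether two copies are byte-identical.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_vault_copies(paths):
    """Return (reference_path, [stale_paths]).
    The most recently modified copy is taken as the reference; every other copy
    whose content hash differs is reported as stale and needs re-syncing."""
    copies = [Path(p) for p in paths if Path(p).is_file()]
    if not copies:
        return None, []
    reference = max(copies, key=lambda p: p.stat().st_mtime)
    ref_hash = sha256_of(reference)
    stale = [str(p) for p in copies if p != reference and sha256_of(p) != ref_hash]
    return str(reference), stale

def demo():
    """Constructed sample: three copies, one updated on the laptop, two forgotten."""
    tmp = Path(tempfile.mkdtemp())
    laptop, pendrive, dropbox = (tmp / n / "vault.kdbx" for n in ("laptop", "pendrive", "dropbox"))
    for p in (pendrive, dropbox, laptop):
        p.parent.mkdir()
        p.write_bytes(b"old-vault-ciphertext")   # constructed stand-in for an encrypted .kdbx blob
        os.utime(p, (1000, 1000))                # explicit old mtime so ordering is deterministic
    laptop.write_bytes(b"new-vault-ciphertext")  # password changed on the laptop copy only
    os.utime(laptop, (2000, 2000))               # laptop copy is now the newest
    return check_vault_copies([laptop, pendrive, dropbox])

if __name__ == "__main__":
    ref, stale = demo()
    print("reference copy:", ref)
    print("stale copies:  ", stale)
```

Run it against the real paths of your laptop, pendrive and cloud copies after each password change; an empty stale list means all backups are current.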