Risk/reward
I need to reliably secure my stuff across different locations and devices - my home PC, my home laptop, my phone, my work PC (where I can install a Chrome extension but not a Windows executable), etc.
Doing that safely and reliably with a homebrew solution is going to end in tears - either I'll end up with a binary blob I can't decrypt, or I'm going to end up spamming my master password somewhere it shouldn't go, or something else similarly inconvenient/catastrophic (delete as applicable) that I haven't foreseen.
Local solutions are are local, and that's their strength and their dealbreaking (for me) weakness.
(KeePass has had its problems.)
Yeah, LastPass got busted. I now still trust them (a bit :)) because they have had to respond to that. Do you trust a lock made by a locksmith who's had to learn from their mistakes, or a lock made by a locksmith whose handiwork is untested (whether by luck or judgement)?
Regarding the LastPass fuckup:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
1. It was a bad bug.
2. It was fixed in one day.
3. All (security) software has bugs. What matters is how the provider responds.
It is naïve to think that an open source solution will be any better. Security is a hard problem that, it seems, the open source approach doesn't help when it comes to real-world implementation. After all, OpenSSL was open source for a long, long time before anyone noticed that it was a complete bag of security bollocks. Stagefright is open source, and that was/is also a bag of security shit.
But all this aside - even a bad (and realistically, they're all at least passable) password manager is better than no password manager.
ETA: Holy crap, the KeePass website is fucking horrible to look at and use. It's like taking a trip back in time to 1998, and not in the good "hey man, let's surf the information superhighway!" way.
Doing that safely and reliably with a homebrew solution is going to end in tears - either I'll end up with a binary blob I can't decrypt, or I'm going to end up spamming my master password somewhere it shouldn't go, or something else similarly inconvenient/catastrophic (delete as applicable) that I haven't foreseen.
Local solutions are are local, and that's their strength and their dealbreaking (for me) weakness.
(KeePass has had its problems.)
Yeah, LastPass got busted. I now still trust them (a bit :)) because they have had to respond to that. Do you trust a lock made by a locksmith who's had to learn from their mistakes, or a lock made by a locksmith whose handiwork is untested (whether by luck or judgement)?
Regarding the LastPass fuckup:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
1. It was a bad bug.
2. It was fixed in one day.
3. All (security) software has bugs. What matters is how the provider responds.
It is naïve to think that an open source solution will be any better. Security is a hard problem that, it seems, the open source approach doesn't help when it comes to real-world implementation. After all, OpenSSL was open source for a long, long time before anyone noticed that it was a complete bag of security bollocks. Stagefright is open source, and that was/is also a bag of security shit.
But all this aside - even a bad (and realistically, they're all at least passable) password manager is better than no password manager.
ETA: Holy crap, the KeePass website is fucking horrible to look at and use. It's like taking a trip back in time to 1998, and not in the good "hey man, let's surf the information superhighway!" way.
