by Esophagus4 30 days ago
> I assume non-technical people ought at least be able to put their KeePass files on DropBox?

Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.

Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.


> > I assume non-technical people ought at least be able to put their KeePass files on DropBox?

> Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.

Google Drive/iCloud/OneDrive/Dropbox are already used by non-technical users - more so than SaaS password managers.

> Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.

What do you do for when you want to access some other type of file across devices, like notes or photos? If you have notes.txt on an FTP server, just put passwords.kdbx alongside it. If you're subscribing to some new service for each individual filetype you want to sync, with nothing for arbitrary files, that seems like considerably more hassle overall to me.

For other types of files, I have different apps: Obsidian Vaults with Syncthing, but that’s not accessible from the internet. And I like having my passwords across all my devices, updating anywhere I am.

And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.

> For other types of files, I have different apps

How many separate services do you have for accessing files across devices, and what do you do for filetypes outside of what they cover?

> And I like having my passwords across all my devices, updating anywhere I am.

That's how it works for me with a passwords.kdbx file on my FTP server (but any cloud storage works). Same for any filetype.

> And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.

What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).

You don't need to host anything for KeePass - just plop the file next to your notes/etc.

Headache seems greater overall if you're juggling a large number of subscriptions, particularly when they start ramping up payment or moving features you rely on to higher tiers.

> What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).

Talk to your local security engineer :)

On a venting note, this mentality is a frustration I have with SV, because I see it a lot. They don’t know what they don’t know, and think they can just stand up businesses without understanding the domain.

> Talk to your local security engineer :)

You made the claim - I'm interested to hear why you believe it, because I suspect it's based on a misunderstanding of how KeePass works.

> and think they can just stand up businesses without understanding the domain

Using KeePass is not analogous to standing up a business.
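Since the reply above turns on how KeePass works, here is an added example (not code from the thread or from the KeePass project) that parses the cleartext outer header of a KDBX 4 file, i.e. the only part a cloud or FTP host can read without the master key. Everything after that header is ciphertext, so the provider learns the cipher, the KDF and its public parameters, but no entries. The sample header is constructed in the code (zeroed master seed, fixed salt, zeroed HMAC slot) and is not a real vault; the signatures, field IDs and UUIDs are the published KDBX 4 constants.

```python
"""Read the cleartext outer header of a KDBX 4 file (what a sync host can see)."""
import hashlib
import struct
import uuid

# Magic numbers, header field IDs and VariantDictionary types from the KDBX 4 format.
KDBX_SIG1, KDBX_SIG2, KDBX_VER4_MAJOR = 0x9AA2D903, 0xB67B5967, 4
HDR_END, HDR_CIPHER, HDR_COMPRESSION, HDR_MASTER_SEED, HDR_IV, HDR_KDF = 0, 2, 3, 4, 7, 11
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42

CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
KDFS = {
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
}


def parse_variant_dict(buf: bytes) -> dict:
    """Decode the VariantDictionary that carries the KDF parameters."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if version & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:                       # a 0x00 type byte terminates the dictionary
        vtype = buf[pos]
        (nlen,) = struct.unpack_from("<I", buf, pos + 1)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<I", buf, pos)
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype == VD_UINT32:
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == VD_UINT64:
            out[name] = struct.unpack("<Q", raw)[0]
        else:                                  # byte arrays ($UUID, salt) and anything else stay raw
            out[name] = raw
    return out


def parse_header(data: bytes) -> dict:
    """Return what is readable without the master key; raise on a damaged header."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != KDBX_VER4_MAJOR:
        raise ValueError("only KDBX 4.x headers are handled here")
    pos, fields = 12, {}
    while True:                                # type (1 byte) + length (4 bytes LE) + payload
        ftype = data[pos]
        (flen,) = struct.unpack_from("<I", data, pos + 1)
        payload = data[pos + 5:pos + 5 + flen]
        pos += 5 + flen
        if ftype == HDR_END:
            break
        fields[ftype] = payload
    # KDBX 4 stores SHA-256(header) right after the header, so a truncated or
    # corrupted sync is detected before any decryption is attempted.
    if hashlib.sha256(data[:pos]).digest() != data[pos:pos + 32]:
        raise ValueError("header hash mismatch: file corrupted or tampered")
    kdf = parse_variant_dict(fields[HDR_KDF])
    return {
        "cipher": CIPHERS.get(uuid.UUID(bytes=fields[HDR_CIPHER]), "unknown"),
        "compressed": struct.unpack("<I", fields[HDR_COMPRESSION])[0] == 1,
        "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown"),
        "kdf_memory_bytes": kdf.get("M"),      # Argon2 only; AES-KDF uses "R" rounds instead
        "kdf_iterations": kdf.get("I"),
        "kdf_parallelism": kdf.get("P"),
        "encrypted_payload_offset": pos + 64,  # after header hash (32) and header HMAC (32)
    }


def _field(ftype: int, payload: bytes) -> bytes:
    return bytes([ftype]) + struct.pack("<I", len(payload)) + payload


def _vd_entry(vtype: int, name: str, value: bytes) -> bytes:
    n = name.encode()
    return bytes([vtype]) + struct.pack("<I", len(n)) + n + struct.pack("<I", len(value)) + value


def build_sample_header() -> bytes:
    """Constructed KDBX 4 outer header (AES-256 + Argon2d); not a real vault."""
    kdf = struct.pack("<H", 0x0100)
    kdf += _vd_entry(VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    kdf += _vd_entry(VD_BYTES, "S", bytes(range(32)))           # constructed salt, not random
    kdf += _vd_entry(VD_UINT32, "P", struct.pack("<I", 2))
    kdf += _vd_entry(VD_UINT64, "M", struct.pack("<Q", 64 * 1024 * 1024))
    kdf += _vd_entry(VD_UINT64, "I", struct.pack("<Q", 2))
    kdf += _vd_entry(VD_UINT32, "V", struct.pack("<I", 0x13))
    kdf += b"\x00"
    hdr = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)
    hdr += _field(HDR_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
    hdr += _field(HDR_COMPRESSION, struct.pack("<I", 1))
    hdr += _field(HDR_MASTER_SEED, bytes(32))                   # constructed zeros
    hdr += _field(HDR_IV, bytes(16))
    hdr += _field(HDR_KDF, kdf)
    hdr += _field(HDR_END, b"\r\n\r\n")
    # A real file follows the hash with HMAC-SHA256(header) keyed from the master
    # key; this constructed sample has no master key, so that slot is zeroed.
    return hdr + hashlib.sha256(hdr).digest() + bytes(32)


if __name__ == "__main__":
    for key, value in parse_header(build_sample_header()).items():
        print(f"{key}: {value}")
```

Run it against a real vault by replacing `build_sample_header()` with the first few kilobytes of the `.kdbx`; the header is the only thing the parser touches. The practical takeaway for the sync debate is that the host holding `passwords.kdbx` can read these parameters and nothing else, and a corrupted upload fails the header hash check rather than opening as garbage.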

Ok - I made the assumption that your (s)FTP was publicly available over the internet. (It’s safer if not, but then you don’t get the benefits of syncing from anywhere that I get.)

If your FTP is open to the internet, you are now responsible for alerting / monitoring, IPS/IDS, proper config management, routine automated patching, IP allow/blocklisting… all of these things require regular maintenance. Even if you stick it behind a VPN, you will need to patch, alert on, and configure the VPN and everything behind it as well, as VPNs can be compromised.

That’s why, unless I really wanted to spend time hardening the spit out of it, there’s no way I’m self hosting my passwords. I’m happy to just pay a password manager to handle all of that.