by Ukv 28 days ago
> > I assume non-technical people ought at least be able to put their KeePass files on DropBox?

> Non-technical people would not do something this complicated. They don’t even have password managers, let alone a setup like this.

Google Drive/iCloud/OneDrive/Dropbox are already used by non-technical users - more so than SaaS password managers.

> Shoot, even a lot of technical people (like me) wouldn’t bother with this. It’s why I pay for a cloud-based password manager.

What do you do when you want to access some other type of file across devices, like notes or photos? If you have notes.txt on an FTP server, just put passwords.kdbx alongside it. If you're subscribing to some new service for each individual filetype you want to sync, with nothing for arbitrary files, that seems like considerably more hassle overall to me.


For other types of files, I have different apps: Obsidian Vaults with Syncthing, but that’s not accessible from the internet. And I like having my passwords across all my devices, updating anywhere I am.

And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.

> For other types of files, I have different apps

How many separate services do you have for accessing files across devices, and what do you do for filetypes outside of what they cover?

> And I like having my passwords across all my devices, updating anywhere I am.

That's how it works for me with a passwords.kdbx file on my FTP server (but any cloud storage works). Same for any filetype.

> And for me, it’s just not worth the headache (and security risk) of hosting my own password manager.

What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).

You don't need to host anything for KeePass - just plop the file next to your notes/etc.

Headache seems greater overall if you're juggling a large number of subscriptions, particularly when they start ramping up payment or moving features you rely on to higher tiers.

> What's the security risk? If anything, it's SaaS password managers that seem to semi-regularly get hit with breaches (well, mostly LastPass).

Talk to your local security engineer :)

On a venting note, this mentality is a frustration I have with SV, because I see it a lot. They don’t know what they don’t know, and think they can just stand up businesses without understanding the domain.

> Talk to your local security engineer :)

You made the claim - I'm interested to hear why you believe it, because I suspect it's based on a misunderstanding of how KeePass works.

> and think they can just stand up businesses without understanding the domain

Using KeePass is not analogous to standing up a business.

Ok - I made the assumption that your (s)FTP was publicly available over the internet. (It’s safer if not, but then you don’t get the benefits of syncing from anywhere that I get.)

If your FTP is open to the internet, you are now responsible for alerting / monitoring, IPS/IDS, proper config management, routine automated patching, IP allow/blocklisting… all of these things require regular maintenance. Even if you stick it behind a VPN, you will need to patch, alert on, and configure the VPN and everything behind it as well, as VPNs can be compromised.

That’s why, unless I really wanted to spend time hardening the spit out of it, there’s no way I’m self hosting my passwords. I’m happy to just pay a password manager to handle all of that.

> you are now responsible for [...] there’s no way I’m self hosting my passwords

You don't need to host anything new or take on any patching responsibilities for anything you weren't before. I already had an FTP server, so put it on there. Wherever you already access arbitrary files across devices (you didn't answer what you do for files outside of your filetype-specific subscriptions, but I'd assume you just have iCloud or something) should work fine.

Not that there are zero reasons to use a SaaS password manager, just that I disagree KeePass is somehow insecure or prohibitively technical for regular users. The solution a lot of people already seem to gravitate towards (if not just password reuse) is "passwords.txt on Google Drive".
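An added example (an editor's addition, not code from the thread or from the KeePass project) bearing on the question raised above of what an attacker actually gets from a passwords.kdbx copied off shared storage: the outer header of a KDBX 4 file is plaintext and records the cipher and the key-derivation parameters, and those parameters, together with the passphrase, set the cost of offline guessing. The parser below reads those fields from a header constructed here for the demo (random seeds, no real entries). The thresholds in `assess` are assumptions chosen from KeePass's default Argon2 settings (64 MiB, 2 iterations), not a rule from KeePass itself.

```python
"""Inspect the plaintext outer header of a KDBX 4 (KeePass 2.x) database.

Added example, not KeePass code. The sample headers at the bottom are
constructed for the demo; the assess() thresholds are assumptions.
"""
import os
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67          # KDBX magic numbers
AES256 = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
CHACHA20 = uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a")
AESKDF = uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea")
ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
ARGON2ID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6")
CIPHERS = {AES256: "AES-256-CBC", CHACHA20: "ChaCha20"}
KDFS = {AESKDF: "AES-KDF", ARGON2D: "Argon2d", ARGON2ID: "Argon2id"}
# Outer-header field IDs and VariantDictionary value-type tags (KDBX 4).
END, CIPHER_ID, COMPRESSION, MASTER_SEED, ENC_IV, KDF_PARAMS = 0, 2, 3, 4, 7, 11
VD_U32, VD_U64, VD_BOOL, VD_I32, VD_I64, VD_STR, VD_BYTES = 0x04, 0x05, 0x08, 0x0C, 0x0D, 0x18, 0x42


def parse_variant_dict(buf: bytes) -> dict:
    """Decode a KDBX VariantDictionary: u16 version, then typed key/value entries, 0x00 terminator."""
    out, pos = {}, 2
    if struct.unpack_from("<H", buf)[0] & 0xFF00 != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    while buf[pos] != 0:
        vtype = buf[pos]; pos += 1
        klen = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        key = buf[pos:pos + klen].decode(); pos += klen
        vlen = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        raw = buf[pos:pos + vlen]; pos += vlen
        if vtype in (VD_U32, VD_I32):
            out[key] = struct.unpack("<I" if vtype == VD_U32 else "<i", raw)[0]
        elif vtype in (VD_U64, VD_I64):
            out[key] = struct.unpack("<Q" if vtype == VD_U64 else "<q", raw)[0]
        elif vtype == VD_BOOL:
            out[key] = raw != b"\x00"
        elif vtype == VD_STR:
            out[key] = raw.decode()
        else:                       # VD_BYTES and anything unknown stay raw
            out[key] = raw
    return out


def parse_kdbx_header(data: bytes) -> dict:
    """Return cipher, KDF and KDF cost parameters read from a KDBX 4 outer header."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data)   # version u32 = major<<16 | minor
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if major != 4:
        raise ValueError(f"KDBX {major}.{minor}: this parser handles only KDBX 4")
    pos, fields = 12, {}
    while True:                     # each field: u8 type, u32 length, payload
        ftype, flen = struct.unpack_from("<BI", data, pos); pos += 5
        value = data[pos:pos + flen]; pos += flen
        if ftype == END:
            break
        fields[ftype] = value
    kdf = parse_variant_dict(fields[KDF_PARAMS])
    info = {"version": f"{major}.{minor}", "header_len": pos,
            "cipher": CIPHERS.get(uuid.UUID(bytes=fields[CIPHER_ID]), "unknown"),
            "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")}
    if info["kdf"].startswith("Argon2"):
        info.update(memory_mib=kdf["M"] // (1024 * 1024), iterations=kdf["I"], parallelism=kdf["P"])
    elif info["kdf"] == "AES-KDF":
        info["rounds"] = kdf["R"]
    return info


def assess(info: dict) -> list:
    """Flag settings worth fixing before the file lives on shared storage (thresholds are assumptions)."""
    if info["kdf"] == "AES-KDF":
        return ["AES-KDF is cheap to parallelize on GPUs; switch the database to Argon2id"]
    if info.get("memory_mib", 0) < 64 or info.get("iterations", 0) < 2:
        return ["Argon2 cost below KeePass defaults; raise memory/iterations in Database Settings"]
    return []


def build_sample_header(kdf_uuid: uuid.UUID, **kdf_params) -> bytes:
    """Construct a KDBX 4 outer header for the demo (sample data, not a real database)."""
    def vd_entry(vtype, key, raw):
        return struct.pack("<BI", vtype, len(key)) + key.encode() + struct.pack("<I", len(raw)) + raw
    def field(ftype, raw):
        return struct.pack("<BI", ftype, len(raw)) + raw
    vd = struct.pack("<H", 0x0100) + vd_entry(VD_BYTES, "$UUID", kdf_uuid.bytes)
    for key, (vtype, fmt, val) in kdf_params.items():
        vd += vd_entry(vtype, key, struct.pack(fmt, val))
    vd += vd_entry(VD_BYTES, "S", os.urandom(32)) + b"\x00"
    return (struct.pack("<IIHH", SIG1, SIG2, 0, 4) + field(CIPHER_ID, AES256.bytes)
            + field(COMPRESSION, struct.pack("<I", 1)) + field(MASTER_SEED, os.urandom(32))
            + field(ENC_IV, os.urandom(16)) + field(KDF_PARAMS, vd) + field(END, b"\r\n\r\n"))


# Two constructed samples: KeePass-default Argon2id and a legacy AES-KDF database.
SAMPLE_ARGON2 = build_sample_header(ARGON2ID, M=(VD_U64, "<Q", 64 * 1024 * 1024),
                                    I=(VD_U64, "<Q", 2), P=(VD_U32, "<I", 2), V=(VD_U32, "<I", 0x13))
SAMPLE_AESKDF = build_sample_header(AESKDF, R=(VD_U64, "<Q", 6000))
```

Everything after `header_len` in a real file is the header's SHA-256, its HMAC-SHA-256, and then ciphertext, so a copy lifted from a misconfigured share yields exactly this metadata plus an offline guessing target; the cost of that guessing is what the KDF line reports.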