by PuffinBlue 4022 days ago
I use LastPass and KeePass extensively in the setup you outline.

Why do people use LastPass? Convenience, and you aren't really gaining any extra security (except through obscurity) when using those other services.

LastPass encrypts and decrypts client side, their cloud only synchronises the encrypted blob. This is what is happening in the KeePass + Cloud service scenario too.

You gain a little security through obscurity as you'd probably need to be attacked as an individual, but mass breaches are not unknown (Dropbox for example) and at that point you have no more security than LastPass.

KeePass does have the keyfile feature, which is a particularly nice version of two-factor authentication, but LastPass offers various options - including One Time Passwords (Sesame), YubiKey and even the good old fashioned offline paper grid method (arguably more secure as you have an air-gapped authentication method).

LastPass has fantastic apps and plugins that make using unique high entropy random strings for your online accounts absolutely painless. The plugins are better and more widely available than the KeePass versions.

I've said it in another comment, but it comes down to trust in the encryption method. If the method is properly implemented then the overall scheme is secure (save for other attacks like keyloggers which both would be susceptible to).

2 comments

My problem with LastPass is that the Android app is not free (ok to me) but I find the price too high (I haven't compared with others and Spain's economy is right now pure shit, just my situation).

That's the only reason I'm gradually moving to locally stored Keeper.

The Android app is actually free.

The use of LastPass on mobile is part of the Premium suite which is $12 a year. I'm just a normal user (though I seem to be commenting a lot on this particular story I know!) and I think it's a fair offering.

Ah, I did not realize LastPass had a client which did the encryption and decryption locally. Thanks for clarifying. Is the client open-source?

Therein lies the rub, I don't think it is - the main plugins aren't anyway. There is an open source CLI version though [1].

So it's on trust.

I trust them to have correctly implemented it based on the logic that their entire business' existence is built on the security of the platform.

If it fails, they fail, so I trust them to have put the work in and to do continual monitoring.

I have to trust KeePass too; I don't have the skill to audit it myself, and the fact it's open source is no guarantee of security (Heartbleed anyone?), so it's all about where your trust point/compromise lies.

[1] https://blog.lastpass.com/2014/10/open-sourced-lastpass-comm...