
Personally I just stick to local Keepass database files. I’ve never ventured into the cloud based services. If you are really worried about it, do you really need to use a cloud based password service?

Sure, managing the KeePass files by hand is certainly more cumbersome, but to me it’s worth it for the security/ peace of mind gains. I have never put my DB or key files in the cloud. And when I need to sync them up over all my devices, I gather all the DB files and use the handy ‘merge’ functionality to get them into the same state.



TIL about the merge functionality! You can also use Syncthing to synchronise the databases between your devices; if you don't have public IPs for your devices, this essentially means that you can only synchronise when two devices are on the same network -- but this might not be a problem for you.


You can also use Syncthing and the merge function! It comes in very handy when two devices have made changes to the password database file and you end up with merge conflicts :D
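The merge behaviour discussed in the two comments above (gathering copies of the same KeePass database from several devices and merging them, including the case where two devices changed the same entry) can be modelled in a few lines. The following is an added illustration, not KeePass's own code: it assumes entries are keyed by UUID and that, when both copies touched the same entry, the one with the newer modification time wins, which is how KeePass's Synchronize resolves such conflicts. The dict-based "database" and the sample entries are constructed for the example; deletions, history and the KDBX file format are deliberately not modelled.

```python
"""Toy model of KeePass-style two-way database synchronisation (added example).

Each entry carries a UUID and a last-modification timestamp. Merging two copies
keeps every entry present on either side and, for entries changed on both
sides, the newer one. This mirrors the conflict rule of KeePass's merge; the
data structures here are constructed for illustration and are not the KDBX
format (real KeePass also records deleted objects so a deletion is not undone).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict


@dataclass(frozen=True)
class Entry:
    uuid: str
    title: str
    password: str
    modified: datetime  # LastModificationTime in KDBX terms


Database = Dict[str, Entry]  # keyed by entry UUID


def merge(local: Database, remote: Database) -> Database:
    """Return the union of both copies; on a conflict keep the newer entry.

    When both copies carry an identical timestamp the local entry is kept
    (strict '>' below), so merging a database with an unchanged copy of
    itself is a no-op.
    """
    merged: Database = dict(local)
    for uuid, remote_entry in remote.items():
        local_entry = merged.get(uuid)
        if local_entry is None or remote_entry.modified > local_entry.modified:
            merged[uuid] = remote_entry
    return merged


def _t(iso: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample: one database edited independently on two devices
# after their last sync. 'b2' was changed on both (conflict), 'c3' only
# exists on the laptop and 'd4' only on the phone.
LAPTOP: Database = {
    "a1": Entry("a1", "mail", "old-mail-pw", _t("2021-12-01T10:00")),
    "b2": Entry("b2", "bank", "bank-pw-laptop", _t("2021-12-02T09:00")),
    "c3": Entry("c3", "forum", "forum-pw", _t("2021-12-02T11:00")),
}
PHONE: Database = {
    "a1": Entry("a1", "mail", "old-mail-pw", _t("2021-12-01T10:00")),
    "b2": Entry("b2", "bank", "bank-pw-phone", _t("2021-12-02T12:00")),
    "d4": Entry("d4", "vpn", "vpn-pw", _t("2021-12-02T08:00")),
}


def merge_is_symmetric(a: Database, b: Database) -> bool:
    """With distinct timestamps the merge result does not depend on which
    copy is treated as 'local', which is what lets you merge in any order."""
    return merge(a, b) == merge(b, a)


if __name__ == "__main__":
    result = merge(LAPTOP, PHONE)
    for entry in sorted(result.values(), key=lambda e: e.uuid):
        print(entry.uuid, entry.title, entry.password, entry.modified.isoformat())
    print("symmetric:", merge_is_symmetric(LAPTOP, PHONE))
```

Running it shows all four entries surviving, the bank password from the phone (the later edit) winning the conflict, and the same result regardless of merge order. This is the property that makes the "gather all copies and merge" workflow safe as long as device clocks are roughly right; a device with a badly wrong clock can make a stale edit win, which is the one caveat to keep in mind.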


Syncthing works great even behind a NAT. Not sure how it works, but it just works for me (might depend on your NAT though).


I've had zero success with NAT hole punching in the past, on multiple networks. Maybe I'm just unlucky. :)


Some routers have UPnP disabled by default, maybe enabling that would help?


Same here, I use KeePass on several Windows machines, and on a couple of Android phones (using KeePass2Android). I use a cheap VPS as a central point for syncing - so I can make changes on any machine, then sync them over SFTP, which merges the changes into the database on the VPS. I can then hit sync on any of the other machines, and it will pull down the latest database over SFTP and merge in the changes.

It sounds a bit complicated reading this back, but in reality it's pretty straightforward.


Why not just use Dropbox, and secure Dropbox using 2FA?

FWIW, I used to run Nextcloud on an EC2 instance. Decided to just use Dropbox instead. The WebDAV support on Nextcloud was neat with KeePass.


My whole point was I like to be in total control of my password database, and never have to decide whether to trust a third-party provider or not.

Not saying Dropbox or LastPass isn’t trustworthy. Just that it’s a point of failure you can eliminate, if the lack of convenience isn’t a huge deal to you.


I might take that back :) Currently trending on the front page, a real article about LastPass master passwords being compromised. https://news.ycombinator.com/item?id=29716715

So yeah, take LastPass off the list, I don’t trust them :)


I have the VPS for other things anyway, and I don't use Dropbox.


I absolutely agree. I love KeePass and use it for everything... this LastPass account was setup to share passwords with others at an org that I worked at.

The problem is... that LastPass password, the one stored in KeePass, is presumably the one that was leaked.

Which is what is spooking me -- if someone has access to my entire KeePass file, it's game over.


Wow, you were ahead of the curve here @gregsadetsky! Looks like real news articles are coming out about this now! https://news.ycombinator.com/item?id=29716715


I feel like the proverbial canary in the mine. Well, a dead canary...


So...when you say "...was setup to share passwords with others..." is there a chance that this also means the master password was shared with one or more others?


Sorry, no, that was a confusing way of phrasing it.

The LastPass account that was almost-breached today uses the "password sharing" functionality to share passwords (to certain sites) with other people in the same org.

I was just explaining that the only reason why I have a LastPass account was to share passwords. (not the master password, obviously -- I was sharing passwords to other sites)

I typically use KeePass for all of my (site) passwords, and KeePass stores all of this in a local encrypted file.


Yeah, hard to say. I don’t think it means it’s ‘game over’ though. I think it just means you might need to go through the tedious process of walking through your whole DB file and update every password. And generate a new key file. Then and only then will you have peace of mind I think. Good luck!


Just configure KeePass to sync with a file stored online when opening or saving the database and you have the same convenience. Syncing the main database file itself fails if different systems change the file without reloading in between, but with sync configured it works perfectly.

