
I've been amazed by Pass, but couldn't find a thorough review between Pass and KeePass(x). Is one safer than the other?


`pass` is based on well-established cryptography implementations: GnuPG. GnuPG is recommended by many security experts and used widely by journalists dealing with sensitive disclosures, e.g. the Edward Snowden documents.

It also doesn't try to NIH some complicated database format or syncing technology but instead uses well-established software (git, plain directory structure and gpg-encrypted text files) which makes it robust, flexible and future-proof, and also responsive to changes in cryptography as it benefits from upstream GnuPG updates. You can use any PGP key structure you want, or even hardware PGP devices like the YubiKey.

KeePass on the other hand seems to be based on mostly homegrown techniques written by people with no or limited understanding of cryptography (see e.g. [0]). That said, I don't know how much KeePassX continues this trend - but it's based on the same file format so it presumably has to reimplement at least some of KeePass's homegrown crypto.

I don't know how much more convincing you need, but personally I wouldn't even dare consider using anything other than `pass`.

[0] https://news.ycombinator.com/item?id=9727297


Thanks! I'll definitely migrate to pass soon.


One big difference: pass only encrypts the password. All metadata is plaintext, so anyone can see a full listing of what online accounts you have.
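To make the metadata point concrete, here is an added example (not code from the thread or from the pass project) that builds a constructed store in the `~/.password-store` layout and reports what anyone with read access to the directory, a backup or a git remote learns without the GPG private key. The entry names and recipient are made up.

```python
"""Added example: what a pass store reveals without the GPG key.

pass keeps a .gpg-id file naming the recipient key(s) and one <entry>.gpg file per
secret. Only the file *contents* are encrypted; the file names (site, and often the
username) are plain directory entries, so `ls -R` is as revealing as `pass ls`.
"""
import tempfile
from pathlib import Path

# Constructed sample store; recipient and entry names are placeholders, and the
# .gpg payloads are opaque stand-ins for PGP ciphertext (never decrypted here).
SAMPLE_STORE = {
    ".gpg-id": "alice@example.com\n",
    "web/github.com/alice.gpg": b"\x85\x01\x0c<ciphertext>",
    "web/bank.example.gpg": b"\x85\x01\x0c<ciphertext>",
    "email/alice@example.com.gpg": b"\x85\x01\x0c<ciphertext>",
}


def build_store(root: Path, entries: dict) -> Path:
    """Write the constructed store to disk under root, mirroring pass's layout."""
    for rel, content in entries.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, str):
            path.write_text(content)
        else:
            path.write_bytes(content)
    return root


def exposed_metadata(root: Path) -> dict:
    """Everything an observer with read access learns without decrypting anything."""
    entries = sorted(
        str(p.relative_to(root))[:-4]  # drop the .gpg suffix, as `pass ls` displays it
        for p in root.rglob("*.gpg")
    )
    recipients = (root / ".gpg-id").read_text().split()
    return {"entries": entries, "recipients": recipients, "count": len(entries)}


def demo() -> dict:
    """Build the sample store in a temp dir and enumerate it as an outsider would."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_metadata(build_store(Path(tmp), SAMPLE_STORE))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The takeaway for a defender is that the store's directory listing is itself sensitive: choose git remotes and backup locations for a pass store with that in mind.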


pass is as safe as your gpg installation and your gpg key because that's the encryption it uses.


That's a dangerous oversimplification. By that logic "LastPass is as safe as AES as that's what it uses" which is obviously not the case.

A system is as secure as its weakest component.



