by tripzilch 3656 days ago
> You would need to either have a keylogger on the target user's machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply breaking in and accessing Lastpass's storage.

That reasoning only holds if it's in fact significantly harder to compromise the software than it is to "simply break in and access Lastpass's storage". If you believe that might be possible, then the security of your password vault basically depends on the differential difficulty compared to "simply break in and compromise the login form / browser extension / update channel to make it do <whatever>".

My point is not that this would be easy, rather that if someone went as far as to break in and grab the storage[0], given the sheer value of the data, the barrier to go a step further and compromise the software isn't big enough to make me go "okay well that's all right then, that might happen, but this surely won't".

The biggest difference in risk between those two scenarios is that yes, some cybercriminal that is "just poking around" might more easily stumble upon access and just grab the vault than set up a compromised login form and wait--not so much more difficult, but just more effort.

[0] which I agree is fair to trust Lastpass to have properly encrypted, because if you can't trust the people you pay $12/year to keep your most sensitive data secure, then who can you trust?