This is exactly why I have never used LastPass, and have always stuck with KeePass (and KeePassXC). It is much more secure to keep all of my passwords locally than in the cloud.
This argument has never made sense to me. Keeping an encrypted password file in the cloud or locally makes no difference. There exists no computer system that can crack an AES256 encrypted document. The weaknesses are in the protocol. Storing the encrypted database in the cloud and downloading it is the same as storing it locally if the decryption protocol is performed locally. If the decryption was done in the cloud I would agree with you, but that is not the case, so the two are equivalent.
> There exists no computer system that can crack an AES256 encrypted document. The weaknesses are in the protocol.
Well, or in the human-chosen passphrase. There are plenty of systems that can brute force an 8-character alphanumeric password run through PBKDF2 for 100,000 rounds.
So keeping the ciphertext safe is in fact a very reasonable precaution, especially if you have a fairly short input passphrase or are not using a ton of rounds of key stretching.
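A worked illustration of the point about short passphrases and key stretching (an added example, not code posted by anyone in this thread): it measures how long one PBKDF2-HMAC-SHA256 evaluation at the thread's 100,000 rounds takes on the local CPU, then scales that by the keyspace of an 8-character alphanumeric password versus a 40-character one. The measured figure is a single Python/OpenSSL core; the `parallel_guessers` factor is a hypothetical multiplier you supply, since GPU and ASIC per-guess costs are far lower and are not modelled here.

```python
"""Estimate the work needed to brute-force a PBKDF2-stretched passphrase,
using the thread's own numbers (8-char alphanumeric, 100,000 rounds).
Added illustration; the worker count is an assumption, not a measurement."""
import hashlib
import hmac
import math
import os
import string
import time

ITERATIONS = 100_000                                # round count quoted in the thread
ALPHANUM = string.ascii_letters + string.digits     # 62 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, the kind of key stretching under discussion."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def verify_passphrase(passphrase: str, salt: bytes, expected_key: bytes,
                      iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    return hmac.compare_digest(derive_key(passphrase, salt, iterations), expected_key)


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Time one PBKDF2 evaluation on this machine's single core.

    This is an upper bound on an attacker's per-guess cost, not an estimate
    of it: dedicated GPU/ASIC hardware evaluates the same KDF far faster.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-sample-only", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_seconds(alphabet_size: int, length: int,
                           sec_per_guess: float, parallel_guessers: int = 1) -> float:
    """Expected time to hit a uniformly chosen passphrase: half the keyspace
    at the given per-guess cost, split across `parallel_guessers` workers
    (a hypothetical figure the caller supplies)."""
    return keyspace(alphabet_size, length) / 2 * sec_per_guess / parallel_guessers


def report(sec_per_guess: float, parallel_guessers: int = 1) -> dict:
    """Compare the thread's two cases, an 8-char alphanumeric password and
    a 40-char alphanumeric passphrase, both stretched with the same KDF."""
    out = {}
    for label, length in (("8-char alphanumeric", 8), ("40-char alphanumeric", 40)):
        secs = expected_crack_seconds(len(ALPHANUM), length,
                                      sec_per_guess, parallel_guessers)
        out[label] = {
            "entropy_bits": round(entropy_bits(len(ALPHANUM), length), 1),
            "expected_years": secs / SECONDS_PER_YEAR,
        }
    return out


if __name__ == "__main__":
    per_guess = seconds_per_guess()
    print(f"one PBKDF2 guess ({ITERATIONS:,} rounds) on this core: {per_guess * 1000:.1f} ms")
    # Hypothetical scaling: 10,000 workers, each only as fast as this core.
    for label, row in report(per_guess, parallel_guessers=10_000).items():
        print(f"{label:22s} {row['entropy_bits']:6.1f} bits  "
              f"~{row['expected_years']:.3g} years with 10,000 workers")
    # Doubling the rounds doubles attacker and defender cost alike;
    # adding one character multiplies the attacker's cost by 62.
```

The two knobs scale differently: the iteration count only buys a linear factor (and the defender pays it on every unlock), whereas each extra character of a uniformly chosen passphrase multiplies the search by the alphabet size. That is why the 40-character passphrase mentioned below stays out of reach regardless of the KDF, while the 8-character case depends entirely on the attacker never obtaining the ciphertext.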
I simply use a 40ish character passphrase. My primary attack vectors are keyloggers/local malware and browser/extension vulnerabilities, which also apply to a local ciphertext.
You are correct: if the password used to create the key is trivial, then there definitely exists hardware that can guess AES256 passwords even if a KDF is used weakly.
I'm not sure how to read that table. Is that really the cost for a 100,000 iteration PBKDF2?!?
I have not checked 1Password's math--they just come up in the results for "PBKDF2 cost of brute forcing". ;)
But yes, it matches my intuition--brute forcing human-strength keys is surprisingly cheap. (And I don't know if they're taking into account the discount if you have custom ASICs for this, defending against which is the argument made for scrypt instead.)
> Storing the encrypted database in the cloud and downloading it is the same as storing it locally if the decryption protocol is performed locally.
The problem is that, with web-based password managers, you are not only downloading the database, but also the code to decrypt it. A locally installed KeePass requires your PC to be compromised, whereas for LastPass it is sufficient for their servers to be compromised (while not avoiding the problem if you are compromised, either).