[groby_b]

That means one compromised password - your master password - compromises all your sites. That's the kind of risk I can't stomach.

LastPass is a huge target, yes - but (if we trust them) the data is only decrypted client side, so they have no access to it. Which means the only viable exploit is in the lastpass browser extension.

[tptacek]

But isn't it encrypted with a secret that is also used to log into their web site, or to log into their API to recover the vault?

[jjarmoc]

This is one of the things that scares me. If an attacker had access to dump their credential digests, could they also have modified the site to silently log credentials upon entry?

From their statements so far, it doesn't seem that happened, but it seems likely that it could.

[dtech]

It's a whole different cup of tea though, this compromise required the attacker(s) to go in, download data and get out. Your scenario would also require the attacker to have changed their site and go unnoticed for any significant amount of time.

If that was the case I'm sure Lastpass would've found out and reported as such.

[ascorbic]

The password is hashed on the client side before sending to the server.

[JadeNB]

> That means one compromised password - your master password - compromises all your sites.

I agree, but it's hard to see how it could be compromised, since it is never entered anywhere public-facing. You can, but need not, have the Firefox extension store it, but only in memory. It is also possible to use the PasswordMaker website (once loaded) without an Internet connection, in case you are worried about it leaking data.

[serf]

Not that it's a cure-all, but one probably shouldn't be using a centralized password store without some sort of multifactor authentication enabled.