I wanted to hear from you guys, users, who are hopefully real and not bots. Why is LastPass trustworthy? And is it not risky to keep my passwords in one program, wherein someone can take it all in one swoop? Are there alternatives? Thanks so much in advance for answering!
LastPass doesn't store your passwords. They store an encrypted block of data that you synchronize among your devices. As long as you don't do something like use a weak master password, or share that master password, attacks on LastPass really won't gain the attacker anything.
Likewise, their response to people discovering potential vulnerabilities has been exemplary. The folks at Google Project Zero informed them of something minor on a weekend, and they scrambled their team, blocking the possibility of the vulnerability being exploited within hours, and fixing the problem within days.
Your data is encrypted by your computer. Someone stole their entire database several years ago and nothing came of it.
There is a way to see if LastPass is doing what they're saying.
Use the non-binary Chrome, Firefox, Opera, or Safari extension. This is 100% JavaScript and open in the sense that you can see it -- you can use network sniffing with a proxy (e.g. Paros) to see that the sensitive data is encrypted with AES-256-CBC using a key derived with the number of rounds of PBKDF2-SHA256 you have set up on your account: http://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/ and this is done locally on your machine only.
Then simply don't update/upgrade your extension until you want to audit it again. You could also audit the way we interact with the binary extension to decide if you trust that.
That's a bit extreme for most people, but a number of people and organizations have audited LastPass and liked what they found. LastPass is always helpful to anyone wishing to audit, feel free to contact us if you'd like help.
LastPass knows that it's perfectly reasonable to trust but verify, and encourages you to do so. There's a reason we tell people to utilize the extensions rather than the website: the extensions can't change as easily as the website could, which makes them more secure.
Source: I work for LastPass.
Some of these answers are pretty dated, but the subject is important enough that I think it merits revisiting.
LastPass's assertion is that they offer a Zero-knowledge proof implementation - i.e. the encryption happens client-side (with the password being the key) and that they, presumably, cannot decrypt the data even if they wanted to. If they're served with a warrant or court order they'll be obliged under law to hand the data over, but it would still be in encrypted form, and then it's up to the respective investigators' supercomputers (or modest GPU array) to crack that. In this regard it's fundamentally no different than storing a KeePass DB in DropBox (which I've seen more times than I care to mention).
That being said....
LP have recently released the source for their CLI client: https://github.com/LastPass/lastpass-cli
It's now up to us to do the peer code-review, so as to validate that their claims match up to what's delivered.
Most importantly, interrogating the source to see how the DB is generated, encoded & encrypted, if it meets with best standards & practices (or better), weed out bugs (or "unintentional backdoors"), and check if the product of the generation matches that generated by the closed black-box implementations - a similar thought-process to compiling code from source & comparing the checksum against that of the shipped binary.
An independent code-review & pen-test from a reputable organization is what's needed IMHO, and so puts it well beyond my own skill-set.
This is not an attempt to steal or otherwise reverse-engineer their UX secret-sauce, where they (rightly) add value & derive revenue from - I'm happy to throw money & clients their way for this, as them making good security simpler makes my life safer & easier - but rather a way for the security community to raise the bar & ensure that those that abide by Kerckhoffs' principle are rewarded for their commitment.