Ya that was my first thought also, but everything is encrypted first before being sent to them. Also: Can a feller trust the security behind it?
Do you use a salted hash for login purposes?
Yes, we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database. This is beyond overkill but we want to store nothing that can even theoretically be used to do a dictionary attack against password hashes if LastPass' servers were somehow compromised. We hope having nothing of value makes us less of a target, and that taking every conceivable caution we can think of makes you safer.
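As an added illustration of the two-stage scheme described in that answer (this is not LastPass's code; the answer names no hash function, so SHA-256 is used here as an assumed stand-in for both stages, and the record layout is invented for the example), the client derives an authentication value from username plus master password, the server adds its own random 256-bit salt before storing a hash of that value, and login recomputes and compares in constant time. The `offline_guess` function shows what a holder of a leaked per-user salt and authentication hash can do with it: test candidate master passwords offline, which is why the breach write-up that follows tells users to change their master password.

```python
import hashlib
import hmac
import secrets

# Assumption: SHA-256 stands in for whichever hash LastPass actually used;
# a real deployment would use a slow, memory-hard KDF on the client side.


def client_auth_hash(username: str, password: str) -> str:
    """Client side: 'salt' the master password with the username.

    Only this value is sent to the server; the raw master password never
    leaves the client. It is deterministic, so the same user/password pair
    always yields the same value.
    """
    material = username.lower().encode("utf-8") + password.encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def new_server_salt() -> str:
    """Server side: a fresh 256-bit random salt, kept per user as hex."""
    return secrets.token_hex(32)


def server_stored_hash(server_salt_hex: str, client_hash: str) -> str:
    """Server side: hash the client-supplied value under the per-user salt.

    This is the 'authentication hash' the database stores; the client value
    itself is not kept.
    """
    salt = bytes.fromhex(server_salt_hex)
    return hashlib.sha256(salt + client_hash.encode("ascii")).hexdigest()


def register(db: dict, username: str, password: str) -> None:
    """Create the per-user record: {salt, auth_hash} (layout assumed for the example)."""
    client_hash = client_auth_hash(username, password)  # computed on the client
    salt = new_server_salt()
    db[username] = {"salt": salt, "auth_hash": server_stored_hash(salt, client_hash)}


def login(db: dict, username: str, password: str) -> bool:
    """Recompute both stages and compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    client_hash = client_auth_hash(username, password)
    candidate = server_stored_hash(record["salt"], client_hash)
    return hmac.compare_digest(candidate, record["auth_hash"])


def offline_guess(stolen_record: dict, username: str, wordlist):
    """Attacker's view after a breach that leaks e-mail, per-user salt and auth hash.

    Because the client-side salt is the (known) username and the server salt
    is in the stolen record, every candidate master password can be checked
    offline. Returns the matching guess, or None if nothing in the list matches.
    """
    for guess in wordlist:
        candidate = server_stored_hash(stolen_record["salt"], client_auth_hash(username, guess))
        if hmac.compare_digest(candidate, stolen_record["auth_hash"]):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    users = {}
    register(users, "alice@example.com", "correct horse battery staple")
    print("login ok:", login(users, "alice@example.com", "correct horse battery staple"))
    print("wrong pw:", login(users, "alice@example.com", "hunter2"))
    leaked = users["alice@example.com"]
    print("recovered:", offline_guess(leaked, "alice@example.com", ["hunter2", "correct horse battery staple"]))
```

The per-user server salt defeats precomputed tables across users, but it does not make a leaked record useless: the cost of each offline guess is set by the client-side derivation, so a fast hash plus a weak master password is still crackable, which is the practical reason for the master-password reset advice in the article.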
Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked. It's time to change your master password. The good news is, the passwords you have saved for other sites should be safe.
LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what's used to tell LastPass that you have permission to access your account.
According to LastPass, the authentication hashes should be hashed strongly enough to prevent anyone from using them to access your account. However, the company is still prompting all users to update the master password they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven't enabled two-factor authentication, you should do that immediately.
Risky, yes, but if they do their job right the risk is minimal. It's better than using a handful of base passwords with some variations across numerous sites, or having a unique password on every site and storing those passwords in plain text somewhere (a piece of paper in the house, a digital document, etc).

I would stay far away from this. You can NEVER trust any form of online security, especially putting your passwords in one or any website really. It's bad enough if an individual site gets hacked like eBay, Paypal, Google, etc., but I was always leery of password saving sites, too big of a target. I don't care if they make it out to be not as bad, it's just too risky.