LastPass’s local-only decryption only technically so

LastPass is a password manager and service that promises local-only decryption of your vault. It is only technically so.

The Local Vault

Your vault lives in the browser extension, encrypted by a key derived from an iterated hash of your master password. That master password: you give it to them to log in on the website, and presumably the browser extension does so in some fashion as well. I believe both of these use a derived key, and the encrypted vault is synced with LastPass, but in the normal course of events LastPass can't see your unencrypted passwords; it can't* happen. (I'm going to ignore the password sharing feature for the purposes of this post.)

* can't -- that is, even under an attack scenario.

But then there's the Online Vault.

The Online Vault

Various actions will take you to the Online Vault, which is like the Local Vault except that it is accessed over HTTPS on lastpass.com. Your unencrypted passwords are all available in this page because the browser extension recognizes the domain and/or cert and conveys key material of some sort into the page. I don't care how careful they are, or how careful the browser extension code is (examples involving password disclosure or remote code execution: how-i-made-lastpass-give-me-all-your-passwords): this is clearly a problem. If LastPass's site is compromised, that key material goes with it, and the resources in the page are loaded from across the web, from Siberia or god knows where.

I tried to contact LastPass support about this. They didn't see the problem, misunderstanding my point several times. I don't think they're taking this seriously at all. I also asked if there was a way to prevent the Online Vault from loading, and they said there was

You should probably set your browser to block the Online Vault.

These are my takeaways:

• LastPass arrogantly assumes their site cannot be compromised
• Firefox's password manager is still the most secure option I've seen for browser-integrated password management