Originally Posted by
gfunkdave
Furthermore, I disagree that programs like Keepass are any better. If anyone gets access to your computer and downloads the Keepass file (or if you contract some malware that sends it to someone), then you're vulnerable to the same attack. In fact, you're doubly vulnerable, because you can't simply change your master password. That would only re-encrypt the password file on your computer, not the one that the hackers took.
That's not doubly vulnerable; lastpass sends your computer the same stuff 1password or keepass would store locally, and there's nothing stopping an attacker who gets access to that information from storing it for an offline attack (which would still take thousands of years).
Really, any password manager that allows you to use long and difficult passwords without the fallibility of human memory and randomization is fine. If somebody really wants to get you, they'll always be able to use rubber-hose cryptanalysis, and anybody who wants to just do wanton damage will find other peoples' crappy passwords first.