Lastpass stores encrypted passwords on their servers, but each device you have maintains a local cache. As a whole, I've been impressed with LastPass's dedication to security and openness when things go wrong. Several months ago, for example, a routine audit of their systems showed that someone may have been able to download encrypted hashes of people's passwords and the server salt. If it actually happened (they weren't sure), then at most 50-100 accounts would have been compromised if they were using weak passwords. So LastPass made all users change their master passwords, thereby making the purported theft, if that's what it was, useless.