Originally Posted by njxbean
I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile pw managers can be very insecure, however.
There's more to it than just whether it encrypts or not, but how it manages the ability to decrypt. Lots of pw managers encrypt and use a strong algorithm to encrypt, but leave the key to decrypt under the proverbial doormat. Others make brute-force attacks comparatively easy. (Another poster talked about account lockout after so many invalid attempts, and this person is absolutely correct, but if I'm the bad guy and I can steal your password database from your smartphone app, I can basically ignore that requirement. See the LinkedIn password breach for another instance of how this can work.)
Long story short, it's complicated and just because "it encrypts the passwords" doesn't mean it hasn't done something stupid and vexing.
That said, LastPass does a lot of things reasonably well. It had a fun incident last year (http://www.theregister.co.uk/2011/05...assword_reset/), and it certainly makes you wonder about the idea of a *service* where some other company has so much control over your key credentials, but they should be pretty motivated to do things well.
I can't stress enough that you shouldn't use the same password for more than one thing, and really think long and hard about using your Facebook/Google/whatever account to authenticate to some other service.
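To make the "key under the doormat" point concrete, here is an added example (not code from any product mentioned in the thread) of how a vault should bind decryption to the master password: the file stores only a random salt, the PBKDF2 iteration count and a key verifier, never the key, and the iteration count is what slows an offline guessing attack against a stolen database, since account lockout cannot apply there. The `guesses_per_second` helper just measures how much slower each guess becomes; the header layout and the verifier label are my own constructed choices.

```python
import hashlib
import hmac
import os
import time

VERIFIER_LABEL = b"vault-verifier"  # constructed constant; any fixed label works


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The key exists only in memory while the vault is unlocked; it is never
    written next to the encrypted database.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault_header(master_password: str, iterations: int = 600_000) -> dict:
    """Build the on-disk header: salt + KDF cost + verifier (no key material)."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    # The verifier lets the app confirm a password without keeping the key
    # on disk; an attacker with the file still has to run the full KDF per guess.
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, candidate: str):
    """Return the vault key if `candidate` is the master password, else None."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough single-core rate at which an offline attacker could test guesses."""
    salt = b"\x00" * 16  # fixed salt: we only care about per-guess cost here
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    header = make_vault_header("correct horse battery staple")
    print("unlock with right password:", unlock(header, "correct horse battery staple") is not None)
    print("unlock with wrong password:", unlock(header, "password1") is not None)
    for n in (1, 10_000, 600_000):
        print(f"{n:>8} iterations: ~{guesses_per_second(n):,.0f} guesses/s offline")
```

The last loop is the defender's sanity check: if one iteration lets the attacker try hundreds of thousands of guesses per second on a stolen file, the iteration count, not any lockout policy, is what stands between them and a weak master password.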