spsteve
spsteve t1_j878g8s wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
What I meant by destroy the vaults is corrupt them. Then your devices sync the corrupted one. Done.
As for the use case, fair enough. I don't know that I've ever had that issue, as my physical devices all have passwords I remember and their passwords never leave my brain. If my physicals get compromised, it is game over for everything else as far as I am concerned.
spsteve t1_j875o99 wrote
Reply to comment by ISLITASHEET in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
As I understand it a lot depends on when you started using the service, including the number of rounds used on the master password.
spsteve t1_j869c9r wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
Next question: what happens if someone breaches LastPass and destroys the vaults and nukes the backups (and given they've been so heavily breached, I have 0 confidence in them corporately to store safe backups)? Then what?
My initial point was, there are lots of good reasons to argue against paper vs. a password manager, but loss isn't one of them. Anything can be lost, and with these companies getting breached at this level (including some having backups deleted) I don't think THAT is the argument to use.
Finally, I am genuinely curious: when have you used LastPass in an offline state? Like, why??? LOL. If your network is down, what are you signing into that you don't have memorized?
spsteve t1_j85ykwi wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
"And the tools to decrypt it are where?" is what I asked you, after stating LastPass can go down. You could have corrected me without the attitude, but no. The big bad keyboard warrior has to talk down to people about something. And my follow-up question?
spsteve t1_j85xrlg wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
I have used it. I have never tried to use it in an offline state. I asked a question. Forgive me for asking a question. So sorry I don't know everything like you obviously do.
Edit: but since you are so knowledgeable, let's say I updated a bunch of passwords on my office device and haven't used LastPass at home for a few days. When does LastPass sync its database to "every device", as you said?
spsteve t1_j85wswg wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
And the tools to decrypt that are where?
spsteve t1_j85ukb6 wrote
Reply to comment by PBX1984 in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
Because the story keeps changing. First it was September. Then right before Christmas they dropped news about how bad it was. Now it was apparently earlier. A company whose job is based entirely on being trustworthy has been anything but open and transparent.
spsteve t1_j85ucgx wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
And LastPass could have an outage or go bankrupt. Lots of arguments on your side, but you picked two bad ones.
spsteve t1_j85ta1m wrote
Reply to comment by SomethingMatter in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
Local is the big part here. Password manager sites just are too big a target.
spsteve t1_j85swbk wrote
Reply to comment by gurenkagurenda in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
It does if a site did something stupid and included something useful in the URL that LP has stored.
Edit: it also makes phishing much easier. That metadata can be used like this:
You have an MS account and an Adobe account. I know because I have your metadata. I send you a sophisticated phish saying that Adobe is now offering to link to your MS account for single sign-on. Just enter your Adobe and MS IDs on this form...
It might not hit you but it would get a lot of users.
spsteve t1_j85qm3y wrote
Reply to comment by guatemaleco in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
I have heard both options from reputable sources. Normally I would trust the company statements, but given their handling of this I trust NOTHING that touched them.
spsteve t1_j87aknf wrote
Reply to comment by FatedMoody in Millions of passwords stolen from LastPass earlier than company disclosed: Report by BasedSweet
Normally I would agree with you, but given the level of breach suffered here AND the ABSOLUTE lack of transparency by the company, I wouldn't rule it out as an unreasonable concern.
With all the government-supported bad actors in the world today, the threat landscape has changed. State-sponsored hacks designed to cause economic damage are becoming more and more commonplace. Sites like this are huge targets.
For the home user this is a difficult game, but for the enterprise a well-designed self-hosted solution (Bitwarden, for example) is the way to go right now, IMHO.
Any of the big "public" cloud options are just too juicy a target. It is fairly trivial to set up your own reasonably redundant manager now if you're a company. The real issue is for the home user going forward. (But most home users have such a horrible security posture that I suppose it doesn't matter either.)