Joe answered this question on another forum earlier, so I will just paste his response:
We're standing on the shoulders of the open source movement to make LastPass.com happen,
and nothing would make me happier than to release it as open source, but we can't do that right now.
We can release an open source version of how our encryption works (the website is this already actually),
and using that you can audit it, and compare it to what we upload and download -- since we're just storing
the locally encrypted data at LastPass.com, if you verify our local encryption implementation you can safely
use LastPass because LastPass is just storing that encrypted data.
So, in short, you can currently verify that LP is doing everything as it says it is by viewing the
source code of our website and sniffing all traffic leaving your computer. You can reverse engineer the
encryption and decryption algorithms and how we use the credentials you supply to create your secret key (we're using AES 256).
You could go even further and implement your OWN AES 256 routines to decrypt/encrypt the files that LP stores on your
hard drive - provided you know your username and password of course.
For site sharing, we use RSA to sign/encrypt/verify/decrypt.
And again, you can verify this is true by sniffing what leaves your computer and arrives
at the destination computer.
We really want everyone using LastPass to trust it implicitly.
So in time, we might open source all of the front end local encryption/decryption stack and/or
have a trusted 3rd party verify/audit everything LP does.
Thanks for using LastPass!