I do like LastPass, but my only grumble is that I would prefer that I could set it up and use it without any interaction with LastPass servers. In short give the user/paying customer absolute control over how they want their passwords and account details handled.
Whilst there is much to laud in all the security features it offers (claims) and how it encrypts and decrypts data locally before interacting with the server, I can see no reason why it cannot be designed to function as a standalone product that never has to upload to LastPass servers unless I explicitly want it to do so.
Put simply, why not just add a local tick-box option that will completely disable uploading my passwords and data to LastPass servers?
Today we are increasingly, by choice or compulsion, having to run our lives via internet-enabled services. I think LastPass should just give me total control. Profit motives may mean that it has been designed so you HAVE to use the online service for it to be practicable, but why? It must be technically very easy to enable a standalone function.
I would suggest that its PocketPass, or LastPass full-stop, software be developed into a fully fledged standalone piece of software, akin to roboform.com, and that the online service be made an option, as RoboForm and other similar software do. When online sync has been enabled, options should exist so the user can choose which passwords/accounts are kept on LastPass servers and which are kept locally.
Anyone trusting online services should always remember that the account security can always be bypassed by law enforcement, in ways similar to HushMail:
Encrypted E-Mail Company Hushmail Spills to Feds http://rinf.com/alt-news/sicence-techno ... s-to-feds/
As LastPass is a US company and we are post-9/11, we have to assume we can place trust in a society that deploys warrantless wiretapping (http://www.eff.org/issues/nsa-spying) on a wholesale basis, and legislation which has no protections for anyone deemed not to be a US citizen, or who is one but is outside its borders, therefore allowing all forms of phone/internet wiretapping to be conducted with impunity.
Oh yes, it might be worth noting that if you have a copy of a user's backup file and assume it can only be accessed with 1) an account email address, 2) a password and, if enabled, 3) a multifactor authentication grid, remember that the grid is not needed if you use PocketPass to access the backup file. Also, why does LastPass make it so difficult to keep a local copy/backup of passwords? Does it like a design that creates dependency on its online services?
Laws exist in the US and UK that punish those who, in certain situations, refuse to disclose passwords to encrypted data, with the penalty for refusal being a loss of liberty, and 5th-amendment-like defences are excluded.