Is your LastPass data really safe in the encrypted online vault?

Discussion in 'other security issues & news' started by summerheat, Jul 9, 2018.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Wladimir Palant, the well-known creator of AdBlock Plus, has published a blog post which should be very concerning for every LastPass user.

    LastPass has published a post which shows that they have fixed at least some of those flaws detected by Wladimir.

    Nevertheless, Wladimir's conclusion is:
    I'm happy that I switched to KeePass a long time ago.
     
  2. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    I suppose keeping passwords local is still more secure.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I rely on a password manager and it IS cloud based. In theory and according to source code it too is a zero knowledge architecture, which means the device encrypts first and sends only after. I do add the security of pure U2F as a requirement to gain access to my vault. Even if the password and username were completely compromised you aren't getting in without my U2F chip. I suspect this LastPass examination didn't examine that contingency. Repeated issues with LP caused me to avoid considering them as final candidates for my Trust.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I also think this cloud based stuff is a huge risk. It only makes sense if you want to log in to websites from devices not owned by you.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Or frequently changes passwords and/or opens new accounts...
    As Palancar noted, cloud-based password storage can be secure (confidentiality), if designed properly. I still use KeePass and KeePassX, because I am used to that.
    Bitwarden looks more promising than LastPass privacy-wise, but I haven't researched this topic enough, because I don't use it.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, I forgot that it's especially handy for synchronization of all passwords if you use multiple devices, so it's not correct what I said. So it's no surprise that password managers became so popular. But I still see the cloud as a risk, I'd rather store data locally.
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,910
    Location:
    Texas