Until a hacker or LastPass employee changes the codebase and allows a backdoor that grants them access to everyone's unencrypted information as each user logs in.
This would be very hard for this to happen as your password never gets sent to LastPass, all the encryption happens on your computer.
I'm not sure I follow this, the master password or at least it's hash must be sent to LP in order to log in. If, when you log into the website using your master password the webpage hashes the password and then sends the password to the server for verification that still leaves the website as an attack vector where the login could be sent plaintext to the attackers website before being hashed and sent normally. Even if it's hashed normally, the attacker could just intercept the hash and then continue to use the same hash when accessing the site. Am I missing something on the way LastPass works?
When you use the client I belive it downloads a nonce as part of the authentication rendering a replay attack improbable.
LastPass was not the weakness here. The interesting point, which I have not seen anyone point out, would be:
Why on earth would anyone in their right mind select a UUID for a master password? There are only two possibilities I can come up with:
1. They all knew it was the Mt.Gox key so they could copy/psate it anytime they needed.
2. They had the 'remember password' option selected in LP.
Why anyone that knows *anything* about security would think that either of those options was good is byond me. They would have been worlds better by selecting a known phrase such as "We all live in a yellow submarine" easily remembered and told over the phone, etc.
several of us have pointed out how minsguided it is to use any common indentifier as a password. I also find it hard to believe their big time fiancer Tihan, would not reconize it as being the API for their GOX acct. Them not changing it is no different thatn if the password had been one of their birthdays and not chaning it.