Have either of you used LastPass? It's possible to log in to your account via the website without downloading/installing anything. Therefore the password does get sent to their servers.
No. Thankfully the concept of nonces and hashes solved that problem decades ago.
(Yes, I'm a LastPass user)
2. Not using LastPass for the most valuable passwords such as those which give access to bank accounts, money, bitcoin wallets, and most of all "other people's money".
I keep my Bitcoin wallet password in LastPass, and I back up my wallet with Wuala. Thanks to client side encryption, that's just as secure - or more - than any known alternatives.
Disclaimer: I would of course prefer it if I could authorize signed snippets of JavaScript when using LastPass, and it'd be excellent if Wuala went open source. I do however trust those two companies more than I trust any Bitcoin or Bitcoin service developer. If there's a leak, it's likely not from the services that would have a lot to lose.
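A generic nonce-and-hash challenge-response login of the kind the reply above refers to, added here as an illustration. It is not LastPass's actual protocol and not code from this thread; the `Server` class, the function names, the iteration count and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password on the client; the plaintext never leaves it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    """Hypothetical server: stores a salt and derived verifier, never the password."""

    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> outstanding nonce

    def enroll(self, user, salt, verifier):
        self.users[user] = (salt, verifier)

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh random value per login attempt
        self.pending[user] = nonce
        return self.users[user][0], nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: blocks replay
        if nonce is None:
            return False
        expected = hmac.new(self.users[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(password, salt, nonce):
    """Client proves knowledge of the password by keying an HMAC over the nonce."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def demo():
    server = Server()
    salt = secrets.token_bytes(16)
    # Constructed sample account; enrollment is assumed to use a secure channel.
    server.enroll("alice", salt, derive_key("correct horse", salt))
    s, n = server.challenge("alice")
    resp = client_response("correct horse", s, n)
    ok = server.verify("alice", resp)
    replay = server.verify("alice", resp)  # same response, nonce already consumed
    s2, n2 = server.challenge("alice")
    wrong = server.verify("alice", client_response("guess", s2, n2))
    return ok, replay, wrong
```

In this simple scheme the stored verifier is enough to answer a challenge, so a server-side leak of it still permits login even though the plaintext password is never transmitted.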