
Always amazed when I hear people use services like LastPass. Your password. In someone else's database.

I'm not saying LastPass (or any similar service) is bad. I am however amused at the anger we display when the likes of Path upload our contacts without our knowledge, while we voluntarily give our most sensitive data (passwords, and the locations they're used at) to a third party to manage.




I don't use LastPass, but:

1) Using LastPass doesn't mean one stores sensitive passwords in it. You can memorize a few that really matter (email, bank, etc.) and keep the rest there.

2) They claim it's secure:

    This is important because your sensitive data is always
    encrypted and decrypted locally on your computer before
    being synchronized. Your master password never leaves
    your computer and your key never leaves your computer.
    No one at LastPass (or anywhere else) can decrypt your
    data without you giving up your password (we will never
    ask you for it).
https://lastpass.com/support.php?cmd=showfaq&id=1096


I use LastPass with 2-factor authentication. It doesn't have my email password in it (which also requires 2-factor authentication).


An alternative, which I use, is 1Password, which doesn't store our database of passwords and whatnot on their services as it's a local file. You can sync it with Dropbox and it's therefore on Dropbox's servers, but it's secured in some way. I remember trying LastPass but dropped it because of security worries.

You're definitely right about it being amusing what gets people in a row. The main difference between this and the phone apps is that they deliberately chose to place their data with LastPass. So, it seems to be not the content but the authority that matters.


Remark: As far as I know, 1Password does not encrypt everything. Let's say you store a password in 1Password for twitter.com; then the password is encrypted, but the information that the password is used for twitter.com is not. So someone could find out that you are using twitter simply by going through your 1Password file. This may be a problem with sites that are not as harmless as twitter.


Interesting observation.

I checked a couple of my 1Password files and you're right: usernames & passwords are encrypted, but not the website/URL they're associated with.


I don't know how similar online password managers work, but I use PassPack. They store your whole encrypted password file in one field in their database, and the encryption/decryption is done only on the client side. The key is never transmitted over the internet.

This doesn't do anything to defend against client-side malware, but at least if their database is stolen the bad guys will be unable to decrypt your passwords (as long as your passphrase is strong enough.)

There is a weakness - they keep historical versions of your password file. Presumably because some customers forget their new passphrase but remember their old one and so they can recover their file, less any edits since they changed their passphrase. But if you changed your passphrase because your old one was compromised, the bad guys can now decrypt the old version and have a chance to get some still-current passwords from it.
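The two points raised in this thread (the 1Password remark that site URLs sit outside the encrypted part of the file, and the PassPack remark that a server which keeps every historical version of a client-encrypted vault lets an attacker with one leaked passphrase read old versions) can be shown with a small model. The following Python is an added example, not code from PassPack, LastPass or 1Password: the server stores only opaque blobs and never sees the passphrase or key, the client serialises the whole vault including URLs before encrypting, and every save is retained. The PBKDF2 work factor, the scenario data, and the HMAC-based counter-mode cipher are all assumptions for the demo; real code should use a vetted AEAD such as AES-GCM.

```python
"""Client-side encrypted password vault with server-kept version history (toy model)."""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for the demo


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive the vault key locally; neither passphrase nor key is sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo cipher, not a standard)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong passphrase yields a wrong key and a MAC failure."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """What the service holds: one opaque blob per save, every version kept."""

    def __init__(self):
        self.history = []  # list of (salt, blob), oldest first

    def store(self, salt: bytes, blob: bytes) -> None:
        self.history.append((salt, blob))


def save(server: VaultServer, passphrase: str, entries: dict) -> None:
    """Client side: serialise the whole vault (URLs included) and encrypt it."""
    salt = secrets.token_bytes(16)
    blob = encrypt(derive_key(passphrase, salt), json.dumps(entries).encode())
    server.store(salt, blob)


def attacker_recovers(server: VaultServer, known_passphrase: str) -> dict:
    """Attacker holding the stolen database and one passphrase tries every version."""
    recovered = {}
    for salt, blob in server.history:
        try:
            recovered.update(json.loads(decrypt(derive_key(known_passphrase, salt), blob)))
        except ValueError:
            pass  # this version was saved under a different passphrase
    return recovered


def run_scenario() -> dict:
    """Constructed scenario: old passphrase leaks; user rotates it but not every password."""
    server = VaultServer()
    old_pw, new_pw = "correct horse battery", "staple ottoman vex"
    save(server, old_pw, {"twitter.com": "tw-secret-1", "bank.example": "bank-secret-1"})
    # User learns old_pw was compromised: new passphrase, new twitter password, bank unchanged.
    current = {"twitter.com": "tw-secret-2", "bank.example": "bank-secret-1"}
    save(server, new_pw, current)
    leaked = attacker_recovers(server, old_pw)
    salt, blob = server.history[-1]
    try:
        decrypt(derive_key(old_pw, salt), blob)
        latest_readable = True
    except ValueError:
        latest_readable = False
    return {
        # Unlike a file that keeps URLs in the clear, no site name is visible server-side.
        "urls_visible_to_server": any(b"twitter.com" in b for _, b in server.history),
        # Passwords the attacker got from the old version that are still in use today.
        "still_valid_leaked": {u: p for u, p in leaked.items() if current.get(u) == p},
        "latest_readable_with_old": latest_readable,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the practical consequence of retained history: rotating the passphrase protects only the newest blob, so anything not re-set after the rotation (here the bank password) is still recoverable from the old version, exactly as the comment above describes.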



