Choosing a good key derivation function has always been critical to making passwords work. I guess lastpass didn't do that.
I have not benchmarked these recently, but I fear that they had to compromise # of iterations to give "2012 low-end Android device" some chance of ever being able to unlock their vault. As a result, everyone else is vulnerable. Adding icing on the cake is leaking everyone's encrypted vault. Whoops!
KDFs only add 10-20 bits of security in terms of attack costs; there's only so much you can do to make 8 character passwords safe.
If you control the parameters you can improve that boundary (say, FDE with a KDF that uses 8GB of RAM and 10 seconds to compute), but consumer products are limited.
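To put numbers on the two comments above (the "10-20 bits" estimate and the parameter trade-off), here is an added example; it is not code from any poster in this thread and not LastPass's implementation. It derives a key with PBKDF2-HMAC-SHA256 from the standard library, checks it against a textbook reimplementation to show why cost grows linearly with the iteration count, converts that count into added bits of attack cost (log2 of the iterations), and estimates how long an 8-character password survives at a measured single-core guess rate. The iteration counts, the salt, the password and the "10,000 parallel guessers" attacker are constructed assumptions for illustration, not any vendor's real settings.

```python
import hashlib
import hmac
import math
import time

# Constructed iteration counts used only for illustration; they are not
# LastPass's settings or any vendor's documented defaults.
EXAMPLE_ITERATIONS = (1_000, 5_000, 100_000, 600_000)


def derive(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 via the standard library (OpenSSL-backed)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def pbkdf2_sha256_reference(password: bytes, salt: bytes, iterations: int,
                            dklen: int = 32) -> bytes:
    """Textbook single-block PBKDF2 (dklen <= 32, RFC 8018 section 5.2).

    U1 = HMAC(P, S || INT(1)), Ui = HMAC(P, U(i-1)), T = U1 xor ... xor Uc.
    Every round is one more HMAC that depends on the previous one, so an
    attacker cannot skip or parallelise rounds for a single guess.
    """
    assert iterations >= 1 and dklen <= 32
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        for i in range(len(t)):
            t[i] ^= u[i]
    return bytes(t[:dklen])


def kdf_bits_added(iterations: int) -> float:
    """Work-factor gain over a single HMAC-SHA256, in bits: log2(iterations)."""
    return math.log2(iterations)


def password_space_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    a `charset_size`-symbol alphabet (real human passwords have far less)."""
    return length * math.log2(charset_size)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N timing of one PBKDF2 evaluation on this machine, single core.
    A GPU attacker is much faster per guess; treat this as a lower bound on
    attacker speed, i.e. an optimistic estimate for the defender."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive(b"correct horse", b"constructed-salt", iterations)  # constructed inputs
        best = min(best, time.perf_counter() - t0)
    return best


def expected_crack_seconds(space_bits: float, secs_per_guess: float,
                           parallel_guessers: int = 1) -> float:
    """Expected time to hit a uniformly random password: half the space on
    average, divided across independent guessers."""
    return 2 ** (space_bits - 1) * secs_per_guess / parallel_guessers


if __name__ == "__main__":
    # 8 lowercase letters: about 37.6 bits of entropy if chosen uniformly at random.
    space = password_space_bits(26, 8)
    parallel = 10_000  # assumed attacker: many GPU cores running guesses in parallel
    print(f"8-char lowercase password space: {space:.1f} bits")
    print(f"{'iterations':>10} {'bits added':>10} {'s/guess':>10} "
          f"{'1 core (years)':>15} {f'{parallel} cores (days)':>18}")
    for it in EXAMPLE_ITERATIONS:
        spg = seconds_per_guess(it)
        one_core = expected_crack_seconds(space, spg) / (365 * 86400)
        many = expected_crack_seconds(space, spg, parallel) / 86400
        print(f"{it:>10} {kdf_bits_added(it):>10.1f} {spg:>10.5f} "
              f"{one_core:>15.2f} {many:>18.2f}")
```

The point the table makes: going from 1,000 to 600,000 iterations buys roughly 9 bits, and 600,000 iterations in total is only about 19 bits over a bare hash, so an 8-character password (under 40 bits even when random, much less when human-chosen) stays within reach of a parallel attacker once the encrypted vault is in hand; the iteration count only moves the cost, it cannot substitute for password length.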