1Password publicly documents their security model, if you want to verify it inspecting the HTTP requests is fairly straightforward. I assume Lastpass does the same, but as I don’t use it I haven’t bothered checking.
I hope not. If they demonstrate that capability and word gets out then that will end their business. If they can give law enforcement access to your passwords then the employees of the company have access to the passwords too.
I appreciate the “hope”, and I sympathize with the general view but I think the probability of a law abiding corporation to divulge this info to the American government approaches 100% across a few years, provided said corporation actually has the data (cf iPhone access codes).
That’s why you should put a pass phrase on it. Firefox syncs my passwords but has to ask for my master password at launch. Same goes for Google Chrome’s passwords: they’re encrypted at rest and can’t be displayed online for that reason, you have to sync with Chrome.
