If you have the hash and algorithm used to generate it of a human-generated password, you can in the vast majority of cases get the password.
It’s a combination of people being very bad at generating, remembering, and entering passwords plus generally being unwilling to wait minutes or even seconds to generate the hash on their local computer.
> If you have the hash and algorithm used to generate it of a human-generated password, you can in the vast majority of cases get the password.
I mean, technically this is true, but it's also true if you have the ciphertext of the stored-password database, which is sort of LastPass's entire job. ;)
The only thing that might make it harder to brute force the master password with the latter than with a hashed password database is if the key derivation algorithm differs.
But I think your blanket statement is sort of misleading. In principle, if you trust someone with your encrypted password storage database, you should trust them with a hash of your master password; both serve as brute forcing oracles.
56 billion MD5 hashes per second for $1.80 per hour at OVH. (single Nvidia Tesla V100 GPU)
Still a no-go for plain old brute forcing all a-z combinations. But, if your password is some combination of actual words, common keyboard sequences, or anything else in a password dictionary, it's cracked pretty quick/cheap.
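An added worked estimate, not part of any comment in this thread, using the 56 billion hashes per second and $1.80 per hour figures quoted above. The 100,000-word dictionary, the 100,000-iteration KDF and the cost model (one KDF iteration costs about one fast hash) are assumptions for illustration.

```python
from dataclasses import dataclass

HASHES_PER_SEC = 56e9     # quoted in the thread: MD5 on a single Tesla V100
USD_PER_HOUR = 1.80       # quoted in the thread: hourly price of that GPU
WORDLIST_SIZE = 100_000   # assumption: size of a password dictionary
KDF_ITERATIONS = 100_000  # assumption: iteration count of a slow KDF


@dataclass
class Estimate:
    label: str
    keyspace: int
    seconds: float  # worst case: every candidate is tried
    usd: float


def estimate(label, keyspace, kdf_iterations=1):
    # Assumed cost model: one KDF iteration costs about one fast hash,
    # so a slow KDF divides the guess rate by its iteration count.
    seconds = keyspace * kdf_iterations / HASHES_PER_SEC
    return Estimate(label, keyspace, seconds, seconds / 3600 * USD_PER_HOUR)


def human(seconds):
    # Render a duration in the largest unit that fits.
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} s"


def scenarios():
    # Lowercase-only passwords of fixed length, then word combinations.
    rows = [estimate(f"a-z, length {n}", 26 ** n) for n in (8, 10, 12, 14)]
    rows += [estimate(f"{k} dictionary words", WORDLIST_SIZE ** k)
             for k in (2, 3, 4)]
    rows.append(estimate("3 dictionary words, slow KDF",
                         WORDLIST_SIZE ** 3, KDF_ITERATIONS))
    return rows


if __name__ == "__main__":
    for r in scenarios():
        print(f"{r.label:30} {r.keyspace:.2e} guesses  "
              f"{human(r.seconds):>14}  ${r.usd:,.2f}")
```

The figures are worst-case exhaustion times; on average a match is found after half the keyspace.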