> If you have the hash and algorithm used to generate it of a human generated password you can in the vast majority of cases get the password.

I mean, technically this is true, but it's also true if you have the ciphertext of the stored-password database, which is sort of LastPass's entire job. ;)

The only thing that might make it harder to brute force the master password with the latter than with a hashed password database is if the key derivation algorithm differs.

But I think your blanket statement is sort of misleading. In principle, if you trust someone with your encrypted password storage database, you should trust them with a hash of your master password; both serve as brute forcing oracles.
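An added example, not part of the original comment, illustrating the point above: a stored hash of the master password and an authenticated vault ciphertext both let whoever holds them check a guess offline, at a cost of one key derivation per guess. The function names, the PBKDF2 parameters, the sample values and the HMAC-based toy vault (a stand-in for real authenticated encryption) are all assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 1_000          # constructed; kept low so the demo runs quickly
SALT = b"constructed-salt"  # constructed sample value

def derive_key(password, iterations=ITERATIONS):
    # The KDF is the only per-guess cost in either scenario below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations, dklen=32)

def stored_hash(password):
    """What a service holding 'a hash of the master password' would keep."""
    return derive_key(password)

def _subkey(key, label):
    return hmac.new(key, label, "sha256").digest()

def seal_vault(password, plaintext):
    """Toy encrypt-then-MAC vault (assumption: stands in for a real AEAD)."""
    key = derive_key(password)
    enc_key = _subkey(key, b"enc")
    blocks = range((len(plaintext) + 31) // 32)
    stream = b"".join(_subkey(enc_key, i.to_bytes(4, "big")) for i in blocks)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), ciphertext, "sha256").digest()
    return ciphertext, tag

def hash_accepts(guess, target_hash):
    # Oracle 1: does the guess reproduce the stored hash?
    return hmac.compare_digest(derive_key(guess), target_hash)

def vault_accepts(guess, ciphertext, tag):
    # Oracle 2: does the guess produce a key under which the vault authenticates?
    mac_key = _subkey(derive_key(guess), b"mac")
    expected = hmac.new(mac_key, ciphertext, "sha256").digest()
    return hmac.compare_digest(expected, tag)

def compare_oracles(candidates, master):
    """Return (candidate, hash_oracle_says, vault_oracle_says) for each guess."""
    h = stored_hash(master)
    ct, tag = seal_vault(master, b"example.com: constructed-secret")
    return [(c, hash_accepts(c, h), vault_accepts(c, ct, tag)) for c in candidates]

if __name__ == "__main__":
    for row in compare_oracles(["hunter2", "correct horse", "letmein"], "correct horse"):
        print(row)
```

Both oracles give the same verdict on every candidate, so the only defensive lever in either case is the per-guess cost of the key derivation and the strength of the master password.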