I’ve been a customer of LastPass since last year and felt a twinge of concern upon hearing the news. But my nerves were calmed by the enthusiasm of independent security experts who view LastPass’s security model to be exceptionally well designed. LastPass does not store actual passwords, only the encrypted forms. It does not hold the key to decrypting them — only its users hold that. It doesn’t even store the user’s master LastPass password, the one used to gain access to all the others: this, too, is encrypted before it is sent to the cloud and arrives at LastPass.