Can an online password vault, like LastPass, be defended through a security assessment that demonstrates the value they provide outweighs the risks of being a high value target?

LastPass is "safe" for most use cases. I suspect that Edward Snowden and Julian Assange do not use it however. (If you're not familiar with these guys, they're both on the run from the US government for releasing classified data).

An important feature of the LastPass design is that their cloud systems never see your passwords. All your passwords are encrypted on your device, using your master password. The LastPass servers only ever see the encrypted passwords. That is a major technical mitigation and makes me happy to use LastPass.

Safe does not mean zero risk. A colleague of mine found a Chrome zero-day that allowed any web site you visited to steal passwords from your LastPass vault. But all web browsers have had a number of similar vulnerabilities, and despite this, they are generally considered "safe" for typical uses.

When possible never use third parties to store sensitive data example: passwords.

Just by taking a quick look at: https://lastpass.com/how-it-works/ In theory they have taken all industry standard precautions and should be safe if you trust them. They also allow you to store credit cards etc so Im sure at the very least they are PCI Compliant (although I cannot answer with certainty they are required to be pci compliant).

However I can't find much information on the "cloud based platform" you are asking about. It looks to me like its the same setup but just stores the data on their servers instead of your computer or device. (The data from their cloud service to your computer is it Encrypted end-to-end? etc)

Placing all of this data in a centralized location will cause more interest for an attacker. So always keep this in mind but then again if everything is done correctly the attacker will not be able to obtain the data you would like to keep private.

