Perfect if it can be trusted
Rated 4 out of 5 stars
I'm still not sure on the trustworthiness of Host-proof hosting and won't be until there is a central body which certifies all releases of clients to make sure the companies are doing as they tell us. Or perhaps a far better solution would be one library which is part of the Firefox core which handles the sending of such data to these services. We would need to be able to tell Firefox to never let a certain extension call home, except via its API for that library.
Until such a day, I quite reasonably cannot trust such apps and neither should anybody else. However I will use it to store logins to non-important sites that I want to be able to access from anywhere.
However, aside from the trust/security problems with the extension, technically it is perfect and is everything I have ever dreamed of in an online password manager. It works just like the Firefox default manager, except it's stored online. You guys are legends for pulling this off!!!
End of review, but I continue with a more detailed report of the entire setup of the service on my PC, including the install and config of this extension.
However, while the final product is perfect, the install process and initial configuration are scary as %#$@. They get me to download an exe from their site when I could have just used this xpi!!! They then talk about removing my passwords from my computer and disabling the Firefox manager!!! Regardless, I made a backup of everything as it was apparent they would try to do things without my permission.
After reading this I was keen to see if they in fact could do as they say... but no, they asked for my master password, to which of course I hit cancel and then cancel again when it asked a second time. They then tell me that they can't find anything... HA! Stupid assuming FAQ entry!!! I was hoping that because I had not given them access to the passwords, they would not do anything stupid like disable it anyway or delete the file, but their phrasing in the dialog boxes wasn't at all comforting. Thankfully they left everything as is because I did not give them this password, however I then had to install this extension which for some reason was not added after the initial install (which now knowing about this extension, I wish I had never run).
I install the extension and they yet again ask to grab all my passwords from Firefox and I say "no" yet again. Then I go to a simple site that I don't mind giving away the password for. The default FF master password box pops up as there is a login form. I enter it and it auto fills my login details like normal. However, as soon as I submit the form, that's when LastPass kicks back into action... it comes up with a branded version of the "Save this password?" bar that Firefox normally uses and allows me to save the password to their service. Perfect!!! I love this, it's great!!!
Once set up using the method I described (starting at the xpi, not the exe) this should be a great way of keeping everything backed up on your own PC, but at the same time, making it accessible via their online service. Also it means that they are never actually reading from your password manager, so you don't have to trust that they won't automatically send everything to their server and won't go and delete everything either. This is how it should be, I want them to see what I want them to see, not everything like they are trying to do. Also why the hell should the password be deleted from my system? That is a big mistake!!! What if their company goes bust and they can't afford to keep everything running? There go all my passwords in one go because they deleted them from my system and now can't afford to keep the servers running so I can get my stuff back. Or it could be a fire or flood or data corruption or anything. This is my data, so they shouldn't be auto deleting it!
But yeah, if you follow my setup path and only use it to store non-critical passwords until they fix the trust issue I mentioned, then you should be fine and this should be quite a useful extension.
A few clarifications to your comments
LastPass lets you choose exactly what passwords to import -- most people do not use the Master Password feature, and also have IE passwords lurking on their PC, so we believe the best place to start is actually at https://lastpass.com/lastpass.exe
You can export all your passwords even if the company was gone because a local (encrypted) cached copy is kept every time you log in, and you can log in when not connected to the internet.
We ask you to delete insecure passwords after importing -- We have 2 data centers already, a strong backup policy (including offsite), and your local cache of your passwords -- this is likely a lot more than you're currently doing to keep your passwords secure -- and this is all with encrypted data that we can't access. Again we ask, and do it for your protection. Viruses are out there that collect passwords off the computer; we want to protect people from them.
At every step of the way we try to do the right thing that puts you in command of what's happening with your data.
Regarding trust: you're right, you need some level of trust to use our service until releases are vetted by a 3rd party, but that trust is limited to LastPass not releasing a new version with malicious intent: your usernames and passwords and notes are always encrypted and decrypted locally, and LastPass never has the key.