I don't use LastPass, and will not use any of these systems due to these issues. I also utilise two factor auth where available.
After my PayPal password got cracked a couple of years back (it was 8 random letters which I'm pretty sure I used elsewhere on other sites, and is now pretty weak by today's standards), I now have my own scheme of using *extremely* long random passwords, with each account on each website having a different one of these passwords.
I do not attempt to remember these passwords, nor do I write them down or store them anywhere. I have my own way of generating them when I need to (not hard to do) based on a script, giving that script "initial starting conditions" (a fixed 512 string of random bytes, the website address and master password) using partial hashes so it can "look them back up" if those initial conditions are correct. It then follows a procedure of hashing mechanisms to arrive at a password space of 1 million possible passwords of which, one of those is selected (a sha512 hash) which is converted to a base64 string giving 80 characters that can be used for a password. I tend to use a sub-substring of this string, 20 characters usually, as most sites don't allow passwords with a length of more than 20 characters (I would use 40 if I could). If a site becomes compromised, I can just pick another one of the million passwords from the same password space and update everything to use this new password instead.
20 characters gives a password space of 1.3 x 10^36
40 characters would be 1.8 x 10^72
80 would be 3.1 x 10^144
A key-logger would help you crack any account I have (I suppose) but that is where two factor auth comes into its own. If you also grabbed a copy of my script, you would then need to know the master password I used (and it may not be the same master password across all websites) and also the websites I have accounts on, because as I said, not even that information is stored anywhere - it is ALL one-direction (not the boy band) hashed only. If you are unable to provide my script with "initial starting conditions" which lead to a password being "found", then it really is like looking for a needle in a haystack because you don't even know what you should be looking for.
So yeah, seems to work well.
PS - Just done a Google search of the md5 hash of my old 8 letter PayPal password and it shows up. That's how insecure this all is - laughable really. I suggest anyone do the same and if you get a match on Google search, change your password(s) ASAP!
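
A minimal sketch of a deterministic generator in the spirit of the scheme described in the comment above, added here as an example; it is not the commenter's script. It assumes PBKDF2-HMAC-SHA512 to stretch the master password and HMAC-SHA512 to select one of the million per-site entries by index; the function names, iteration count and sample inputs are constructed for illustration.

```python
import base64
import hashlib
import hmac

PASSWORD_SPACE = 1_000_000   # "1 million possible passwords" per site
PBKDF2_ROUNDS = 200_000      # assumption: the comment gives no work factor


def derive_password(secret: bytes, site: str, master: str,
                    index: int = 0, length: int = 20) -> str:
    """Re-derive the password for (site, index); nothing is stored."""
    if not 0 <= index < PASSWORD_SPACE:
        raise ValueError("index outside the per-site password space")
    if not 1 <= length <= 80:
        raise ValueError("length must be between 1 and 80 characters")
    # Stretch the master password, salted with the fixed random bytes, so
    # each guess at the master costs PBKDF2_ROUNDS hash iterations.
    key = hashlib.pbkdf2_hmac("sha512", master.encode("utf-8"), secret,
                              PBKDF2_ROUNDS, dklen=64)
    # Bind the output to the normalised site name and the rotation index.
    message = site.strip().lower().encode("utf-8") + b"\x00" + str(index).encode()
    digest = hmac.new(key, message, hashlib.sha512).digest()
    # 64 bytes -> 88 base64 chars; keep 80 as in the comment, then truncate.
    return base64.b64encode(digest).decode("ascii")[:80][:length]


def password_space(length: int) -> int:
    """Number of possible base64 strings of the given length (64 symbols)."""
    return 64 ** length


if __name__ == "__main__":
    sample_secret = bytes(range(64))          # constructed; use os.urandom once in practice
    sample_master = "correct horse battery"   # constructed
    print(derive_password(sample_secret, "example.com", sample_master))
    # Rotating after a breach: same inputs, next index.
    print(derive_password(sample_secret, "example.com", sample_master, index=1))
    print(f"{password_space(20):.1e}")
```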