These days, it...
- Let's you use it on all devices for free (which used to be a paid feature; I think you could use it on up to two different devices for free but beyond that, you had to pay)
- Has apps for everything (authentication, Windows phone and all other common devices, though I'm not sure about Mac/iOS)
- Can be used with many forms of authentication for two-factor
- Has its own security challenge tool that...
- Checks if email addresses are involved in known website hackings
- Checks length and overall security of passwords, and for password duplicates
- Automatically changes duplicate passwords and passwords on known compromised sites by running what appears to be a macro (which is pretty neat to watch, but sort of hammers Firefox to a crawl)
- Only costs $1 a month to upgrade to Premium, I mean...*smh* that is cheap (if Dreamwidth were that cheap I'd be like, "Fine, treat me like crap, here's more paid time")
It also does minor things which fill me with joy: if you manually copy a website password from the add-on dropdown or from within the vault (and I do this a lot for cross-browser website testing) it only lets you paste it once before destroying it (of course, if the paster pastes it into Notepad or similar then all bets are off, but if they don't - and I'd imagine the majority of home hackers stealing your password won't even think to - it's yet another way to minimize disaster).
And it destroys your add-on dropdown searches as soon as you complete them. And it keeps a list (if you want; this is opt-out) of recent sites you've logged into in the add-on so you don't have to visit them directly to log back in. And I could go on but there's other things I want to do tonight.
People will always find vulnerabilities in password managers (which I say because all code has holes in it). In fact, I'm surprised most of the vulnerabilities in password managers popping up these days weren't exploited years ago*. The only things I can think to thank for the discrepancy between potential for exploitation and zero-hour are increasing code knowledge and increases in processing power, which was not great enough until recently to get such holes out into the open.
*In the Lastpass forums anywhere between 2007-2010 people who claimed to be home users and/or pro hackers would say: "Look, there's got to be holes in this code somewhere" and the Lastpass owner himself would jump in to deny it and I would spend days wondering how anyone who codes could do so. It's like denying shoelaces need to be tied lest you trip on them: you can deny there are holes but keep that up long enough and you'll just fall in.