
With respect to the password-creation problem, I find the entropy of the passwords LP creates too low in any case, so I create them from /dev/urandom + base64. I've never had LP fail to recognise these hand-generated passwords.


> I find the entropy of the passwords LP creates too low

What do you mean? How are you measuring that? How do you think that would make a password of the same length and character set less secure in a practical way?


The password length defaults to too short, and in some circumstances is seeded poorly.

https://security.stackexchange.com/questions/77345/security-...


You can change the password length to whatever you want... and your link says it uses window.crypto functionality which appears to be supported in every single browser including back to IE11. [1]

So it seems like LastPass-generated passwords are fine?

[1] https://developer.mozilla.org/en-US/docs/Web/API/Window/cryp...


Probably. But in the link I posted, did you notice the qualifier "as secure as your browser's implementation of the Web Cryptography API"? Also, AIUI, Webkit implements no PRNG so some Webkit-based browsers might have stupid implementations of the SubtleCrypto object.

The thing is, there is a chain of things you have to trust wrt the LP generator: Has the OS implemented the backend API correctly? Were there issues in the browser build that mess up the entropy derived from the OS seed? Has the JavaScript done anything stupid?

In comparison, I have complete confidence in the entropy of the passwords I generate via CLI.

Wrt. password length: yes, you can change it. But the dialog is a bit of an inconvenience that tilts away from the hassle of switching to my terminal and typing "suggest-password". And I have something of a moral objection to password generators that default to insufficient entropy.
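A shell version of the CLI approach discussed in this thread (/dev/urandom piped through base64), added here as an example; it is not the commenter's own "suggest-password" script, and the function names and the 18-byte default are assumptions. It also shows the length-times-log2(charset) arithmetic behind the "too low entropy" complaint, so a default length can be checked against a target in bits.

```shell
#!/bin/sh
# Added example: generate a password from /dev/urandom + base64 and report its entropy.
# Not the thread's own "suggest-password" script; names and defaults are assumptions.

# Read N random bytes from the kernel CSPRNG and base64-encode them.
# Every byte carries 8 bits of entropy; base64 turns 3 bytes into 4 characters,
# so the assumed default of 18 bytes yields a 24-character password worth 144 bits.
# tr strips the line wrap and any '=' padding so the result is one clean token.
gen_password() {
  bytes="${1:-18}"
  head -c "$bytes" /dev/urandom | base64 | tr -d '\n='
}

# Entropy in bits of a password of LEN characters drawn uniformly from SIZE symbols:
# LEN * log2(SIZE), rounded to the nearest bit (awk has no log2, so use log/log 2).
# For base64 output SIZE is 64, i.e. 6 bits per character.
entropy_bits() {
  awk -v len="$1" -v size="$2" \
    'BEGIN { printf "%d\n", int(len * log(size) / log(2) + 0.5) }'
}

# Smallest number of random bytes that carries at least TARGET bits of entropy.
# Feed this to gen_password instead of guessing a character count, because the
# real entropy is bounded by the bytes read, not by the base64 length.
bytes_for_bits() {
  echo $(( ($1 + 7) / 8 ))
}

# Demo: compare a 12-character base64 password with the 18-byte default.
pw=$(gen_password)
printf 'password: %s (%s chars, %s bits)\n' "$pw" "${#pw}" "$(entropy_bits "${#pw}" 64)"
printf '12 base64 chars: %s bits; bytes needed for 128 bits: %s\n' \
  "$(entropy_bits 12 64)" "$(bytes_for_bits 128)"
```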



