LastPass, based in Vienna, Va., is a relatively new service, having started in 2008. Joe Siegrist, its chief executive, says that from its inception the company built systems to withstand every kind of imaginable threat, including the possibility “that its own employees cannot be trusted.”

LastPass does have a possible vulnerability that Mr. Siegrist makes no effort to shy away from: it depends on the user’s selecting a strong master password, one not found in a dictionary in any language.

If LastPass, or any company that stored passwords in encrypted form, were to suffer a data breach, the risk would be that the thieves could apply a brute-force attack at their leisure, offline, methodically trying every possible combination of characters until a match was found. With a physical safe and a combination lock, the thieves would need nearly infinite patience and a nearly infinite life expectancy to work their way through the possibilities.

Computers, however, work at a different speed.

Mr. Gibson posted a Web page that allows visitors to see how long it would take for a computer to try every possible combination of letters, numbers and special symbols to crack an encrypted password.

Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?

The first one, with nine characters, is a beaut. Mr. Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)

Don’t worry about the apparent resemblance of “D0g,” with a zero in the middle, to the word in the dictionary. That doesn’t matter, “because the attacker is totally blind to the way your passwords look,” Mr. Gibson writes on his Web site.
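The arithmetic behind the quiz, as an added example (not code from Mr. Gibson's page or from the article). It assumes a 95-character printable-ASCII alphabet split into four classes, a search that covers every length up to the password's own, and a 52-week year of 12 equal months, conversions chosen because they reproduce the quoted 2.43 months and 19.24 years. The all-lowercase string is a constructed extra case that shows how much a smaller alphabet shrinks the search.

```python
import string

GUESSES_PER_SECOND = 100_000_000_000  # the article's offline guessing rate

# Four character classes; together they are the 95 printable ASCII characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),     # 26
    "upper": set(string.ascii_uppercase),     # 26
    "digit": set(string.digits),              # 10
    "symbol": set(string.punctuation + " "),  # 33
}
# Assumed conversions: 52-week year, 12 equal months.
SECONDS_PER_YEAR = 52 * 7 * 24 * 3600
SECONDS_PER_MONTH = SECONDS_PER_YEAR / 12


def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    if not set(password) <= set().union(*CLASSES.values()):
        raise ValueError("only printable ASCII is modelled")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Candidates of every length from 1 up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole search space at the given rate."""
    return search_space(password) / rate


def report(password):
    secs = seconds_to_exhaust(password)
    return (f"{password!r}: alphabet {alphabet_size(password)}, "
            f"{search_space(password):.2e} candidates, "
            f"{secs / SECONDS_PER_MONTH:.2f} months "
            f"({secs / SECONDS_PER_YEAR:.2f} years)")


if __name__ == "__main__":
    # The two quiz passwords, plus a constructed all-lowercase comparison.
    for pw in ("PrXyc.N54", "D0g!!!!!!!", "abcdefghij"):
        print(report(pw))
```

Both quiz passwords draw on all four classes, so the search covers the same 95-character alphabet for each and only the length differs.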