
> Changing passwords on many services is always a pain. But why should you change the master password?

Because when a seed password is compromised it could mean all future accounts are compromised. So then you have to increment or supplement with some state, and change all past account passwords.

If a traditional master password is exposed its database/file may not have been. In that case only the master secret needs to change.

Edit: correction: seed not derived.



> Because when a seed password is compromised it could mean all future accounts are compromised. So then you have to increment or supplement with some state, and change all past account passwords.

Uhm, no? There seems to be no direct relation between the passwords. So an attacker does not know by default that there is a master password or what it is. For the real world there is no compromising if just login-data are randomly leaked.

A high level attacker who gets to know your used system could use it probably as an attack-vector, but again, that's not what normal people prepare for.


It seems like Lesspass would be encouraging best practices in that case; if you believe your seed password has been compromised, then you _should_ change all of your passwords.

On a similar note, I also think it's bad security hygiene to have accounts on hundreds of services in the first place, if changing all of your passwords is an insurmountable task. Might I suggest deleting a few accounts a day for Lent?


> and change all past account passwords.

I don't understand this. In what case would there ever be "past" account passwords that I would have to change?


You wouldn't have to change them, but you'd have to remember the master password for the last "generations" to be able to access the older accounts.


Seems it's prepared for this: "Change generated password without changing your master password. Increment the counter field in your options."
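
Added example, not part of the thread and not LessPass's own code: a sketch of the stateless derivation being discussed, showing which accounts need a new password when one site leaks (counter bump) versus when the master password leaks. The PBKDF2 parameters, salt layout, character set and sample accounts are assumptions made for illustration.

```python
import hashlib

# Output alphabet for this sketch (an assumption, not LessPass's character rules).
CHARSET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789" "!#$%&*+-=?@_")

def derive_password(master, site, login, counter=1, length=16):
    """Stateless derivation: the same inputs always give the same password."""
    # Salt binds the password to one site, one login and one counter value.
    salt = f"{site}\x00{login}\x00{counter:x}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):          # render the key as characters from CHARSET
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)

def derive_all(master, accounts):
    """Everything a holder of the master password can recompute."""
    return {(site, login): derive_password(master, site, login, counter)
            for site, login, counter in accounts}

def accounts_to_rotate(old, new):
    """Accounts whose password differs between two derivations."""
    return sorted(k for k in old if old[k] != new[k])

# Constructed sample accounts: (site, login, counter).
ACCOUNTS = [("example.com", "alice", 1),
            ("mail.example.org", "alice", 1),
            ("forum.example.net", "alice", 1)]

def site_leak_scenario(master):
    """One site's password leaked: bump only that site's counter."""
    before = derive_all(master, ACCOUNTS)
    bumped = [(s, l, c + 1 if s == "example.com" else c) for s, l, c in ACCOUNTS]
    return accounts_to_rotate(before, derive_all(master, bumped))

def master_leak_scenario(old_master, new_master):
    """Master leaked: every derived password is recomputable, so all must change."""
    before = derive_all(old_master, ACCOUNTS)
    return accounts_to_rotate(before, derive_all(new_master, ACCOUNTS))

if __name__ == "__main__":
    print("site leak   ->", site_leak_scenario("constructed master"))
    print("master leak ->", master_leak_scenario("constructed master", "new master"))
```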



