Layers of protection
1Password can sync through a couple methods, including locally via Wi-Fi, but when it stores its data on Dropbox, an attacker would need your Dropbox password (plus a second factor, if you enable that as I recommend), and then even with the 1Password package still needs your master password for that data store to be decrypted.
LastPass uses its own cloud-based storage for sync and browser access, which means someone needs to break through just the account layer, but the company offers a very solid array of methods to limit and validate credentials, including several multifactor options.
What this should make clear is that the weakest point in all of these systems is the one (or more) things that unlock your password store. With Apple, because it requires extra steps to validate devices that sync, you're relying on all the safeguards they layer into and offer for OS X and iOS as well as for iCloud.
With 1Password, LastPass, and others, you need to select a master password that's strong, that you can remember, and that isn't a hassle to enter on a mobile device routinely (unless you're relying mostly on Touch ID). Security guru and cryptographer Bruce Schneier has good advice about picking this sort of password, and what to avoid.
I'm not a password Pollyanna: a website with bad security can leave its users' passwords vulnerable at several points of entry. But I am a fan of compartmentalization. Rather than give up and use a weak password everywhere, opting into unique passwords that you'll never memorize and one strong one that you clutch tightly to protect them minimizes the risk you face from other people's bad decisions.
Sign up for CIO Asia eNewsletters.