I commented about LessPass, and I think it applies here too. In summary, you still need to run MasterPass to retrieve their passwords, not here.

Security-wise, my construction might be slightly less secure, but you can recover the same level of security with a slightly longer passphrase (and, unless I misread their code, they also use a deterministic salt in scrypt, which is a debatable choice).

As I said about LessPass, it would be great to hear from the author(s) what they think.

Forging the Everdragons2 NFT. Former security at Pinterest.

Forging the Everdragons2 NFT. Former security at Pinterest.