Mary designs and develops tools for Sequoia Capital.
thanks for voting! technically it does a sha1>hmac>pbkdf2 to generate a long key from a string. the string is a join of your master password, your username, website, and version. the output key is a long array of integers that I use to populate your site specific password (following some configurable constraints).
the punchline is passwords are derived on the client side based on client side data and the only thing that goes to the server is a list of your usernames and websites.
That's a bug we didn't notice in time before the working stopped. Timeline was one of the features we managed to make "working" just few minutes before the end but we failed to test it properly.