by koloboss12
2226 days ago
Great questions! I'll do my best to answer them:

1. You can decrypt only one password at once. It's stored in memory then. The rest of the passwords remain encrypted, and they are also stored in memory after being downloaded. It means that after the webpage / PWA is refreshed (or closed) you have no passwords (in any form) in memory.

2. Passwords Fountain is using a famously safe symmetric algorithm (AES-256). I think it would be hard to use an asymmetric approach in the current architecture while staying user friendly in any way. Please note that there is no server between this app (interface) and Fauna (database), and I'm strongly against storing something needed for password decryption both in the database (e.g. a private key) and the browser. Because of that, you have to remember and protect your master key. Remember that you also have your dashboard after logging into your FaunaDB account. You can verify database connections anytime you want.

3. MFA is quite a serious feature, and this would also need server code, which I wanted to avoid as much as possible - it makes creating a custom instance harder. Also, I suppose I would have to force users to use an additional app for this purpose, e.g. Google Authenticator (because I don't want to pay for any SMS service), which would make regular usage strongly inconvenient.

4. The decryption key is stored in a local variable (in memory) only for the moment it's really needed (from the moment after getting it from the user to putting it into the decryption / encryption function). After this tiny time frame, the aforementioned variable goes back to its default value, which is an empty string.

I hope you now have a better understanding of how it works. If not - don't hesitate to ask additional questions ;)
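The flow described in this comment (records stay encrypted in memory, one is decrypted on demand, the key exists only for the duration of the operation), as an added example that is not Passwords Fountain's own code. It runs on Node's `crypto` module; PBKDF2 key derivation, GCM mode, the record layout, the sample values and all function names are assumptions.

```javascript
// Added example. PBKDF2, GCM, the record layout and all names are assumptions.
const crypto = require('node:crypto');

const KDF = { iterations: 210000, keyLen: 32, digest: 'sha256' }; // assumed parameters

// Derive the AES-256 key into a Buffer, hand it to `use`, then overwrite it.
// The master key is a JS string and cannot be overwritten; only these
// derived bytes can, so they are zeroed even if `use` throws.
function withKey(masterKey, salt, use) {
  const key = crypto.pbkdf2Sync(masterKey, salt, KDF.iterations, KDF.keyLen, KDF.digest);
  try {
    return use(key);
  } finally {
    key.fill(0);
  }
}

// Encrypt one password into the record that would be stored remotely.
function encryptEntry(masterKey, label, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce per record
  return withKey(masterKey, salt, (key) => {
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(Buffer.from(label, 'utf8')); // bind ciphertext to its label
    const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
    return { label, salt, iv, ct, tag: cipher.getAuthTag() };
  });
}

// Decrypt exactly one record; throws on a wrong master key or tampered record.
function decryptEntry(masterKey, entry) {
  return withKey(masterKey, entry.salt, (key) => {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, entry.iv);
    decipher.setAAD(Buffer.from(entry.label, 'utf8'));
    decipher.setAuthTag(entry.tag);
    return Buffer.concat([decipher.update(entry.ct), decipher.final()]).toString('utf8');
  });
}

// Constructed sample vault: both records stay encrypted in memory.
const vault = [
  encryptEntry('correct horse battery', 'mail', 'constructed-pw-1'),
  encryptEntry('correct horse battery', 'bank', 'constructed-pw-2'),
];
console.log(decryptEntry('correct horse battery', vault[1])); // only this one is decrypted
```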