by PufPufPuf 1235 days ago
If your password leaks from a single service, and I somehow know that you use this tool, I could then try all the combinations of the secret key until the service produces the same password as the one leaked. Now I have your secret key, and can derive your other passwords.

Notice how traditional password managers don't have this problem at all. If a password leaks, it tells you absolutely nothing about the other passwords.

2 comments

Yes, but if I use a proper secret key, you won't be able to brute force it. You can't brute force anything 20+ chars in a billion years (inaccurate approximation).

That would still be very difficult, I believe. The algorithm is CPU- and memory-intensive because I'm using scrypt internally.
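As an added example, not code from the tool discussed here or from any of the commenters: a minimal scrypt-based deterministic scheme (the derivation, its parameters and the service names are assumptions) next to a cost model that puts numbers on the thread's argument, showing why a short secret key can be recovered from one leaked derived password while a long random one cannot, and how much one scrypt call per candidate helps.

```python
import hashlib
import time

# Constructed scheme for illustration (not the tool discussed in the thread):
# password = scrypt(secret_key, salt=service_name). Anyone holding one derived
# password can test candidate secret keys offline, one scrypt call per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1            # 16 MiB per derivation
SCRYPT_MAXMEM = 64 * 1024 * 1024                       # allow that much to OpenSSL
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_password(secret_key: str, service: str, length: int = 16) -> str:
    """Deterministically derive a per-service password from the secret key."""
    raw = hashlib.scrypt(secret_key.encode(), salt=service.encode(),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def measure_guess_cost(trials: int = 3) -> float:
    """Seconds needed to test one candidate secret key (one scrypt call)."""
    start = time.perf_counter()
    for i in range(trials):
        derive_password(f"candidate-{i}", "example.com")  # constructed inputs
    return (time.perf_counter() - start) / trials


def expected_bruteforce_years(key_length: int, alphabet_size: int,
                              seconds_per_guess: float,
                              parallel_guesses: int = 1) -> float:
    """Expected wall-clock years to recover a random secret key of the given
    length from a leaked derived password; on average half the keyspace is
    searched, spread over `parallel_guesses` workers."""
    keyspace = alphabet_size ** key_length
    seconds = (keyspace / 2) * seconds_per_guess / parallel_guesses
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    cost = measure_guess_cost()
    print(f"one scrypt guess: {cost * 1000:.1f} ms")
    for key_len in (6, 8, 12, 20):
        # 1000 parallel workers models a modest GPU/cluster budget (assumption).
        years = expected_bruteforce_years(key_len, len(ALPHABET), cost, 1000)
        print(f"{key_len:2d}-char random key: ~{years:.3g} years")
```

The 6- and 8-character rows land in the feasible range even with scrypt; the 20-character row does not, which is the commenters' point on both sides: scrypt raises the per-guess price, but only the key's entropy makes the search hopeless.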