Wand
Wand is used to store passwords so that users don't have to enter them
manually whenever a site asks for username and password. It's highly
dependent on a UI for its job, but the core module contains the storage
code and the interaction with documents and forms.
Security
The wand code contains sensitive data and therefore we either encrypt
it or obfuscate it, but since it's data that must exist on a web page
during a submit, it's not top secret. The easiest way to extract a
forgotten password is to initiate a submit but abort it before the
page has loaded. Then use a JavaScript URL (or bookmarklet) to output
the contents of password fields.
Future improvements
Storing a password shouldn't block the page load. The way it works now,
we ask people to store data before the server has verified that the data
was correct.