> Nothing is stored so there’s nothing to steal.
Nothing is stored, but it's public knowledge. In a traditional password store, there are two levels of security: limited access to the encrypted passwords, and encryption itself. With their approach, there is only one level: encryption.
The counterpoint would be this:
> There are thousands of iterations of Scrypt, making brute-forcing infeasible.
But this is trivial to do with a conventional password store.
As you said, password expiration is in contradiction with the last point:
> No need to sync data, as there’s nothing to sync! You can use this script or our API (coming soon) from anywhere in the world, and from any device, to generate your passwords.
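
The trade-off argued in this comment, as an added example that is not part of the thread or the project's own code. It assumes a hypothetical scheme where the site password is scrypt(master, salt = site name plus a counter); `site_password`, `rotate` and `leak_confirms_master` are illustrative names, and all sample values are constructed.

```python
import base64
import hashlib
import hmac

# Assumed scheme (not the project's own): password = scrypt(master, salt=site|counter).
N, R, P = 2**14, 8, 1


def site_password(master: str, site: str, counter: int = 0) -> str:
    """Derive a site password purely from its inputs; nothing is stored."""
    salt = f"{site}|{counter}".encode()
    raw = hashlib.scrypt(master.encode(), salt=salt, n=N, r=R, p=P,
                         maxmem=64 * 1024 * 1024, dklen=15)
    return base64.urlsafe_b64encode(raw).decode()


def rotate(state: dict, site: str) -> int:
    """Expiring a password means bumping a per-site counter: that is stored state."""
    state[site] = state.get(site, 0) + 1
    return state[site]


def leak_confirms_master(candidate: str, site: str, counter: int, leaked: str) -> bool:
    """With no vault to reach first, one leaked site password is enough to
    check a master-password candidate offline; scrypt cost is the only barrier."""
    return hmac.compare_digest(site_password(candidate, site, counter), leaked)


if __name__ == "__main__":
    master = "constructed master passphrase"  # constructed sample value
    laptop, phone = {}, {}                     # per-device rotation state
    old = site_password(master, "example.com")
    rotate(laptop, "example.com")              # password expired, rotated on laptop
    new = site_password(master, "example.com", laptop["example.com"])
    stale = site_password(master, "example.com", phone.get("example.com", 0))
    print("rotated differs from old:", new != old)
    print("unsynced phone still derives old password:", stale == old)
```
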