In case one not digging into the source code, the key stretching here is PBKDF2-HMAC-SHA512 with 400,000 iterations (OWASP recommended 210,000).
The reason for not using Argon2 or scrypt is because PBKDF2 is native provide by Webcrypto yet FIPS-140 compliance.
What rubbish is this?
Does the author not understand entropy or probability?
Deriving an RSA key from the product of two memorizable numbers makes it brute-force-able, and sends us back to 1990s export controlled encryption strength.
Tattoo-ing a key on one’s arm (however ridiculous) would be better than the methods here.