Hmm, glad I saw this by chance. At first I was wondering why it was in a new topic, but then I saw OP is a newbie.
I feel bad if anyone took my word on this, as it looks like I was wrong.
I'll be editing that post. From what I can tell looking at this code, the encrypted blob is indeed fetched with a key that is a hash of the username and password combined.
The good news about me being wrong is that your wallet held in the default blob vault is somewhat more secure than I said, as it can't be cracked offline unless the attacker already has the encrypted blob. But know that if you don't trust the blob vault provider (I think this is where some of you are going with what sounds like suspicions), they can attempt to crack your blob offline like I said. Or if they get breached, the hash protection could be circumvented. In any case, a strong passphrase and probably a unique username is always a good idea.
I believe you can also set up your own blob vault and use it with the default client, if you don't trust someone else to not pry into yours and secure it properly from others.