When logging into the webvault, or any of the apps/extensions, one must supply an email address and a master password.
The email address is checked on the client side to ensure that it has exactly one @ sign before it can be submitted. The Master Password is never submitted (a hash is instead).
If one were to create a master password containing a single @, it would be possible to inadvertently paste it into the username field, resulting it it being exposed to adversaries-in-the-middle and potentially stored in server log files.
To prevent this (admittedly minor) risk, disallow the creation of master passwords that look like an email address (i.e. contain exactly one @ sign).