I'll admit "100% insecure" is perhaps a bit hyperbolic, but they are insecure from the standpoint that any other script executing on the page can examine the contents of either localStorage or sessionStorage and then try to perform a brute force attack.