[vvSaKvv]

Not quite understand question. If you asking how do handle secret phrase, its used to decrypt user object, that comes from server when you login

[read]

I just realized I asked you the same question before.

If the server got hacked, could it send Javascript that steals a users password (which you say "never leaves your computer"), decrypts user data, and sends the password and the data to the attacker?