I wrote a “Password Locker” C# app a while ago as an exercise in encryption. I’d like to move the data to the web so that I can access it anywhere without compromising my password data. I’d just like to run my ideas by the community to ensure I’m not making a mistake as I’m not an encryption expert.

Here’s what I envision:

1. In the C# app all the password data is encrypted as a single chunk of text using a user supplied password. I’m using Rijndael (symmetric encryption) in CBC mode. The password is salted using a hard coded value.
2. Encrypted data gets sent to my database
3. I go to a web page on my server and download the encrypted text. Using client side javascript I input my password. The javascript will decrypt everything (still client side)

Here are my assumptions:

• I assume that all transmissions can be intercepted
• I assume that the javascript (which contains the decryption algo, and hard coded salt) can be intercepted (since it’s really just on the web)
• The password cannot be intercepted (since it’s only input client side)
• The result is that someone snooping could have everything except the password.

So, based on those assumptions: Is my data safe? I realize that my data is only as safe as the strength of my password… Is there something I can do to improve that? Is Rijndael decryption slow enough to prevent brute force attacks?

I thought about using a random salt value, but that would still need to be transmitted and because of that, it doesn’t seem like it would be any safer. My preference is to not store the password in any form (hashed or otherwise) on the web.

Edit:
I am considering using SSL, so my “interception” assumptions may not be valid in that case.

Edit 2:
Based on comments from Joachim Isaksson, I will be running with SSL. Please continue breaking apart my assumptions!

Edit 3:
Based on comments from Nemo I will use salt on a per user basis. Also, I’m using PBKDF2 to derive a key based on passwords, so this is where I’ll get my “slowness” to resist brute force attacks.