Let’s assume I must store user’s sensitive data, which was optionally encrypted on the client side.

• Encryption (optional) should be done with user’s passphrase.
• User login (optional) should be done with user’s password.

Notes:
A plain-text password is not stored on the server or transferred over the network.

My options and their drawbacks:

1. No authentication, Client-side authorization:
The server gives the data to everyone, but only the original user have the means to decode.
Data can be used by anyone to try to crack the encryption – not the best way to secure it.

2. Server-side authentication, no authorization:
Server stores user’s password to access the data, and only gives the data to the user that can provide the right password.
Users don’t trust the network for transferring their data without encryption.

3. Authentication and authorization:
Server stores user’s password to access the encrypted data, the encryption is done using the passphrase that is different from user’s password.
Good security, but users don’t want to remember two passwords.

4. Authentication vs. Authorization:
Server stores user’s password to access the encrypted data, the encryption is done using the same password.
Users are happy. Some security concerns.

I prefer the latest fourth option, but my concern is:
What if the server will get compromised, how can I be sure that encrypted password and encrypted data can’t be used together to break the encryption?
How can I make it harder to break the encryption?

Some thoughts:

• Use different encryption algorithms for password and data.
• Add fixed string to the end of the user’s password before encryption.
• Pad user’s password to some length.

EDIT:

The system should be very similar to a backup system that should be secure from all sides: the server should not be able to read the data, only the original client should be able to access the data and man in the middle attacks should be prevented. So if someone hacks the server authentication or the client encryption, the data should not be revealed.

It should be web based, so the man in the middle attack should be prevented with HTTPS.

To prevent server hacks revealing the data, the data is encrypted in client-side.

To prevent client encryption tampering, the access to the data should be protected on the server side with some log in and password or a token (may be unique URL).