Good on you for having a list of known weaknesses, but here's the one that really makes this completely unsafe:<p>The server dictates what's run on the page, and thus can access the plaintext data in any way it sees fit. The trust model is fundamentally broken in client-side crypto of this nature.<p>Edit with two more thoughts: 1) Even if you trust the person running the service, how much do you trust the other users (who may be using stored XSS to compromise your data)? How much do you trust the hosting service behind it, if there is one? 2) Am I the only one that finds it massively irresponsible to not have a huge flashing "DO NOT TRUST THIS UNTIL IT'S BATTLE HARDENED" sign over it? This goes for just about every project of this nature.<p>Edit with a final thought: Most of the time, we think in terms of "relative goodness". A good car is better than a bad car, but a bad car is still better than no car at all. This logic <i>completely breaks</i> when it comes to crypto. Simply put, bad crypto (and bad implementations) when released on the world put lives at risk. This should be taken seriously.<p>It's one thing to build a project for learning (and please, please do!) but cover every friggin' surface you can with disclaimers.
This is neat, and I really like the UI too.<p>I made something similar (except the one-time view part) not too long ago just to experiment with storing the base64 encoded message into the URL. It also has an option to add a key, which uses a JavaScript implementation of Blowfish.<p><a href="http://alfg.co/jot" rel="nofollow">http://alfg.co/jot</a><p><a href="https://github.com/alfg/jot" rel="nofollow">https://github.com/alfg/jot</a><p>Since the message is stored within the URL, there's no backend needed, though that means the message needs to be short since most modern browsers can only support up to about 2000 characters in the URL and the messages can generate a long base64 string rather quickly.
Also see: <a href="https://oneshar.es" rel="nofollow">https://oneshar.es</a><p>I created a similar web application in Django as part of a College minor project last year. Best part was implementing the AES algorithm ourselves. :D
Why is the password stored in plain text "for now"? What is so hard about running bcrypt or pbkdf2 against the password before storing it in the database?