This has been said hundreds of times, and shall be said again. Blockchain.info does NOT have access to your unencrypted private keys, it's not an online wallet since a thief can't hack their database and steal loads of passwords. The only way you would lose them on Blockchain would be to login while a hacker implemented some malicious javascript, but I still think that's yet to happen..
bc.i is an online wallet because it serves up an encrypted copy of your wallet to anyone who knows the wallet identifier. It also stores the encrypted wallet on its servers thereby making it available to its employees as well as the datacenter staff.
The other thing is that it uses javascript to generate the random numbers for the wallet and also for the transaction signing. This has caused problems before.
Some ways in which people have lost money on bc.i wallets:
- RNG bug caused random numbers to be reused which made it possible to calculate the private key behind an address.
- Hacked because the user used a simple password and the wallet was bruteforced. This would be much harder on a desktop client because you first have to get access to the encrypted wallet file.
Exactly. Not matter how diligent website programmers are, your coins are *always* safer offline