BOB123 Majority websites on the internet don't need to encrypt passwords beforehand using javascript because it will store your password as the hash LOL and if the server SQL gets dumped the encrypted hash is your password LOOL.
We are not talking about standard web applications.
We are talking about a web wallet.
The whole sense of a web wallet should be that everything will be handled client-side (key generation and encryption) and then uploaded to the server.
This obviously is NOT the case here.
And that is the point here.
sendbit is claiming to not have access to the private keys. However they also admit that they have the encrypted file AND the password to decrypt it. That's the point.
Take a look at blockchain.com.
As much as i dislike web wallet, they are at least doing everything (kind of) right. Key generation and encryption is done client sided. Transaction signing is as well done client-side. The server actually never can access the private key. This is NOT the case with sendbit.io, even tho they claim otherwise.
And i am not even going to talk about open vs closed source now.
All password hashing encryption is now generated on the client-side, you can check our headers are secured using bcrypt cost 12 example below