You type your secret, password, and settings, and press submit.
Your browser locally encrypts the secret with the password, generating a ciphertext (C), and locally produces a hash (H) of the password with SHA-256.
C and H are sent to the server.
The server encrypts C with a secret key, producing a new ciphertext (C2), and produces a new hash (H2) of H with bcrypt.
C2 and H2 are stored in the database with the three-word id.
Reading a secret
You enter the URL with the three-word-locator.
The server checks if the settings (number of reads, start date, and end date) are valid, and returns that status to the browser.
You type in your password and press "Fetch Secret".
Your browser produces the hash (H) of your password with SHA-256, and sends it to the server.
The server compares H with H2 using bcrypt. If there's a mismatch, it returns an error code. If they match, the server decrypts C2 using its secret key, and returns C to the browser.
The browser decrypts C with the typed password, revealing the secret.
What happens if there's a data breach?
Your secret cannot be accessed without both the server password and your own password (if you set one).
An attacker brute-forcing common passwords through the breach would not be able to get access to the secrets as long as the server password is secure, since the database stores the result of encryption with both passwords.
As long as you secure your password and it is not common, your secret cannot be accessed, even if the entire server were compromised.