I was thinking your password is your decryption key so that even if the place is hacked the service provider could never decrypt your nsec