First, you do have a serious problem. It's called Brute-Forcing!
Second, the SSS has 15kb of extra JS code that needs to be downloaded. Yes, it could be compressed and it's cached, but it's still code that has nothing to do with the function of the site. That might be a small price to pay for the extra security though.
Your encryption/decryption algorithm works very well, as would any algorithm of that sort. Hey, if I really wanted to protect my site, I could write an RSA encryption/decryption algorithm, but it would still be just as vulnerable to the oldest trick in the book: patience.
Anyone clever enough to break "normal" obfuscation techniques could also write a brute-force-routine and simply wait for the password to expose itself by decrypting the site. Sure, it would take time, but what's inside is probably worth it if somebody put a big padlock on it.
Once the code has been decrypted with the correct key, it's easily accessible via the DOM.
What differs your algorithm from the other ways of hiding source is that it's using a real encryption algorithm (it depends on a key to generate the cipher-text), while the other methods rely on obfuscation or encoding, which either uses no key, or has the key stored with the cipher-text.
I personally think encrypting/obfuscating/encoding clientside code is pretty pointless. What's so important on a site that you'd need to hide the sources? Site layouts and design features can be ripped/recreated simply by looking at the pages. Script functionality can also be recreated, even if it takes a while longer than copying/pasting the original code.
Usually, people try to hide code on public pages that don't require any type of logging in. If you only allow certain people to visit your secure pages, I hope you trust them not to rip your code since you trust them not to make the password public. (Which also would mean you need to re-encrypt all your encrypted pages!)
I know you already know this, I'm just stating it "for the record"
Linear Mode
