Jonas Schnelli via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
schrieb am Di., 26. Juli 2016 um 22:10 Uhr:

> Side-note: Bip39 does still use PBKDF2 with 2048 iterations which I
> personally consider "not enough" to protect a serious amount of funds.
>
>
But what are the alternatives?  Put an expensive processor and a decent
amount of memory in every hardware wallet to support scrypt?  Use a million
iterations and just wait 10 minutes after entering you passphrase?  Or
compute the secret key on your online computer instead?

Also, how many iterations are secure?  A million?  Then just add two random
lower-case letters to the end of your passphrase and you have a better
protection with 2048 iterations. If you want to be able to use your
passphrase with cheap hardware and be protected against a high-end computer
with multiple GPUs that is almost a mllion times faster, then you have to
choose a good passphrase.  Or just make sure nobody steals your seed; it is
not a brainwallet that is only protected by the passphrase after all.

Regards,
  Jochen