Jonas Schnelli via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> schrieb am Di., 26. Juli 2016 um 22:10 Uhr:

Side-note: Bip39 does still use PBKDF2 with 2048 iterations which I
personally consider "not enough" to protect a serious amount of funds.

But what are the alternatives? Put an expensive processor and a decent amount of memory in every hardware wallet to support scrypt? Use a million iterations and just wait 10 minutes after entering you passphrase? Or compute the secret key on your online computer instead?

Also, how many iterations are secure? A million? Then just add two random lower-case letters to the end of your passphrase and you have a better protection with 2048 iterations. If you want to be able to use your passphrase with cheap hardware and be protected against a high-end computer with multiple GPUs that is almost a mllion times faster, then you have to choose a good passphrase. Or just make sure nobody steals your seed; it is not a brainwallet that is only protected by the passphrase after all.

Regards,

Jochen