extending the password with a salt first and then using that for encryption is always a great idea. extending it with a strong key derivation function that is expensive to brute force such as scrypt (which uses a lot of memory) is even a better idea. setting the values for N=2
18 and r=8 is also a good setting for this purpose
https://tools.ietf.org/html/rfc7914#section-2Am I understanding this correctly? You are saying that using scrypt with N=2
18 and r=8 is just as good as WarpWallet, thus WarpWallet isn't achieving much by doing ton of iterations?
it is about at what layer this is being used.
* if scrypt is used to generate the mnemonic from a passphrase as it is with WarpWallet and brain wallets, it is a bad idea because even if it is a memory expensive KDF it still doesn't solve the problem of people using simple passwords and the attacker does NOT have to have access to anything to steal their coins. all they have to do is to iterate over most common words and rob them. look at this:
https://bitcointalk.org/index.php?topic=4768828.0 it obviously will take a lot longer than SHA256 but it will not be impossible. if there is incentive, they will do it.
* but if it is used only for the encryption step, the attacker first has to gain physical access to your paper wallet for example and then attempt brute forcing that. so in this case scrypt is only used as one of the many security layers you are putting in place.