Richard Tookey wrote: Of course if the password has low entropy then it will not matter which method is used to derive the key.
You're right. One really needs to stop the users from using a password, as they don't have enough entropy. We have to move to pass phrases or tools like OnePass.
Even recent studies show that "password" and "asdfgh" are the most popular entries.