Nice. Did you measure the performance of scrypt.js? The PBKDF2 implementation in Python and both Chrome/Firefox are similar for me and the Python documentation states something like 3x slower than the OpenSSL implementation. So it sounds pretty usable to strengthen the password while still being usable.
Thanks! I didn't, but maybe I should have. I thought the API of scrypt.js would work well and don't think I came across anything better. I also figure scrypt is plainly better than PBKDF2, being designed from the ground up for key lengthening and offering memory hardness. I figure bitcoin ASICs might be repurpose-able to attack PBKDF2, though I'm not sure if that's a threat, and I imagine it mostly somewhat applies to scrypt anyway because of litecoin and friends. If I were more worried I would have researched the default parameters more; I think this is 128- vs 256-bit territory.
I just glanced through it again, and it seems to me that aside from styling, every section of code fulfills an important purpose. But it could definitely benefit from being more broken out into components and library-like, so that the only code surfaced in index.html is the UI code.
It took way too long on my laptop (i5-6200U).
With a decent random password (say, 14 letters), the search space will be very large.
If a determined attacker (with a couple of GPUs) can attempt 100,000 passwords per second it will still be impossible to crack in an acceptable time.
If we assume that this determined attacker is calculating these hashes 100,000 times faster than the average browser, it should be enough if the user has to wait for one second, not one minute.
On the other hand, everyone has different security requirements, so perhaps making it configurable is the best way to proceed (with some recommendations).
Indeed. The project motivation is even similar to mine (bootstrap yourself in case everything gets lost). I guess the main difference between the two is that I tried to make the generated HTML minimal so it's easier to verify before entering a password.