You're right that a rug is permanent that's nostr, no reset button.
Brute force isn't how it happens with this design. the password and 2fa secret fuse into a single scrypt passphrase, so cracking one factor gives no feedback and no partial win. The secret alone is 160 bits, which makes offline attacks on the public blob infeasible outright, weak password or not.
The honest risk is phishing both factors at login time. That's worth worrying about.
Login to reply
Replies (1)
Scrypt passphrase or not, 160 bits is child's play for NSA computers, courtesy of Bill Gates' backdoors.