Why on earth would you want to derive the mnemonic from the wallet seed? Ever?

Remembering that as an attacker doesn't actually have to do any key stretching, they can just keep trying (what is it 64 bytes from memory?) at a time without any PBKDF2 to attack a seed, it seems that the PBKDF2 is just to slow down anyone attempting to attack through an interface such as a web service or to a TREZOR or whatever, in a real world attack you would not even be performing PBKDF2 you would just brute force the raw bytes and force them into the BIP32 wallet as there is no Authentication scheme that hashes and compares against the result. It purely limits abuse through an online wallet provider or something like that by slowing down seed generation attempts THROUGH that API, it doesn't really add any security to the seed in a real world brute force attack! So yea I think the 2048 iteration count is sufficient for it's purpose because even if it only forces an extra 1ms per seed generation through the API, it is still slower than just brute forcing the 64 bytes straight up, and so they would have no reason to abuse your API that is all :)

"meh... the fact that you can't derive the seed phrase from the wallet seed, and that the password key stretching is so weak as to be ineffectual security theater bugs me. Feels like a pretty big compromise to work on current generation low power embedded devices when the next generation will be more than capable. But I understand the motivation for the compromise.

Aaron Voisine
co-founder and CEO
breadwallet.com"