On Mar 12, 2014, at 01:24 PM, Pavol Rusnak <stick@gk2.sk> wrote:

On 03/12/2014 09:10 PM, William Yager wrote:
implement this is to allow semi-trusted devices (like desktop PCs) to do
all the "heavy lifting". The way the spec is defined, it is easy to have a
more powerful device do all the tough key stretching work without
significantly compromising the security of the wallet.

By disclosing "preH" to compromised computer (between steps 4 and 5) you
make further steps 5-9 quite less important.
 
Agreed, this is a valid concern. This could possibly allow a 3rd party to crack the password, but then again, they would not gain access to any key material. So yes, you could expose your password, but your key would still be safe.

If people feel strongly about this vulnerability, we can revisit step 4 and adjust it to make password recovery more expensive.

jp