Tarsnap does not allow anyone who has your public key to attempt to crack your paraphrase. Minilock does, and in fact you can load all public keys into a bloom filter and crack them simultaniously with nearly the same speed as a single key. The design of this system is simply irresponsible. Saying people will be fucked is entirely appropriate here.
Hmm, I meant Scrypt. You can use Scrypt to encrypt files using a passphrase with no entropy restrictions. It doesn't use keys. People never raised this concern about Scrypt, and certainly didn't say people would get fucked for using it. What am I missing here? Why does Minilock warrant this outrage, but not Scrypt?
That tool generates a random salt, so passphrase cracking time is O(n) where n is the number of files being cracked vs O(1) for Minilock public keys. Additionally, encrypted files are generally still not "public", whereas Minilock public keys likely would be.
Assuming that all files are encrypted with the same passphrase, and you crack the passphrase, not the key generated from kdf(salt, passphrase), complexity is O(1) for Minilock as well.
