I can only think of two things, and they're manageable.
One, slightly longer password checks. And two, the temptation to lean on the AES key and set the cost of the hash too low. In the case the key does get out - we had an entire era where people stole environment variables from servers - then you decrypt the entire password file once and have cheaper guesses per second.