Wrong password delay is MUCH longer with VeraCrypt

When I enter a wrong password for a VeraCrypt archive, the delay to be able to try again is MUCH longer than it is with Cryptomator. Isn’t this far more secure versus brute force attacks? Why doesn’t Cryptomator do the same? Doesn’t hurt legitimate users since they will have the right password on the first try.

Feature request: learn from VeraCrypt in this regard and significantly increase the delay when a wrong password is tried.

There is nothing to learn here. A real attacker would certainly not use the password field of the Cryptomator app, but would use a small script (GitHub - cryptomator/cracker: Brute Force Tool for masterkey.cryptomator Files) to guess the password.

And no, with this tool the password is not easily guessed, see How Cruptomator is protected from Brute force attacks? - #2 by infeo

2 Likes

AFAIK, the time it takes VeraCrypt to log in is primarily due to the very large number of key derivation function iterations done by default; thus, it takes longer for both correct and incorrect passwords.

One could argue that setting the number of iterations used in Cryptomator for a given vault would be a useful feature that might even increase security, or the perception of security, but one of the nice things about Cryptomator vs. VeraCrypt (I use both) is how there aren’t so many parameters to remember in order to get a vault open.

1 Like
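The replies above make the point that the wait comes from key-derivation work done for every password, not from a penalty on wrong ones. The following added example (not part of the thread, and not VeraCrypt's or Cryptomator's code) measures that cost. It assumes PBKDF2-HMAC-SHA512 from Python's standard library, a constructed header layout, and constructed iteration counts and keyspace; none of these are either product's real parameters.

```python
import hashlib
import hmac
import os
import time

def make_header(password, iterations):
    """Toy volume header (constructed format): salt, iteration count, verifier."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": key}

def try_password(header, candidate):
    """Run the full KDF for one candidate; return (matches, seconds spent).

    The KDF runs to completion before the comparison, so a correct and a
    wrong password cost the same time.
    """
    start = time.perf_counter()
    key = hashlib.pbkdf2_hmac("sha512", candidate.encode(),
                              header["salt"], header["iterations"])
    ok = hmac.compare_digest(key, header["verifier"])
    return ok, time.perf_counter() - start

def seconds_per_guess(header, samples=3):
    """Median cost of one wrong guess; this also bounds any offline tool,
    which must do the same KDF work no matter what the app's UI does."""
    times = sorted(try_password(header, f"wrong-{i}")[1] for i in range(samples))
    return times[len(times) // 2]

def years_to_exhaust(keyspace, per_guess):
    """Single-core time to try every candidate in a keyspace, in years."""
    return keyspace * per_guess / (365.25 * 24 * 3600)

if __name__ == "__main__":
    keyspace = 62 ** 8  # constructed: 8 chars drawn from [A-Za-z0-9]
    for iterations in (1_000, 200_000):  # constructed values
        header = make_header("correct horse", iterations)
        ok, t_ok = try_password(header, "correct horse")
        bad, t_bad = try_password(header, "wrong guess")
        cost = seconds_per_guess(header)
        print(f"{iterations:>7} iterations: correct={t_ok:.4f}s ({ok}) "
              f"wrong={t_bad:.4f}s ({bad}) "
              f"exhaust 62^8 ~ {years_to_exhaust(keyspace, cost):,.0f} core-years")
```
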