Adding four randomly generated characters a-z to your password adds a factor of 456976x to the brute-force time required.
A password that is derived in 1 millisecond with these characters appended takes longer to crack than a password that is derived in 7 minutes without those characters appended.
"setting the key derivation parameters to take as long as you can tolerate" gives a false sense of security. Because it's taking a minute to log in it must be secure, right? In reality just making your password slightly stronger is far more effective security-wise.
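The comparison above, worked through as an added example (not part of the original comment). It assumes the attacker's cost per guess scales linearly with derivation time and that the extra characters are chosen uniformly at random; all function names are hypothetical.

```python
import math

def charset_bits(n_chars, alphabet_size=26):
    """Bits of entropy added by n uniformly random characters."""
    return n_chars * math.log2(alphabet_size)

def stretch_bits(slow_seconds, fast_seconds):
    """Bits of attacker work gained by raising derivation time fast -> slow."""
    return math.log2(slow_seconds / fast_seconds)

def breakeven_seconds(fast_seconds, n_chars, alphabet_size=26):
    """Derivation time the shorter password would need so that cracking it
    costs as much as the fast KDF plus n extra random characters."""
    return fast_seconds * alphabet_size ** n_chars

def chars_to_match(slow_seconds, fast_seconds, alphabet_size=26):
    """Fewest extra random characters that match or beat the slow KDF."""
    n = 0
    while fast_seconds * alphabet_size ** n < slow_seconds:
        n += 1
    return n

def comparison_rows(fast_seconds=0.001, slow_options=(0.1, 1, 60, 420)):
    """(slow KDF seconds, equivalent bits, extra a-z chars needed) per option."""
    return [
        (s, round(stretch_bits(s, fast_seconds), 2),
         chars_to_match(s, fast_seconds))
        for s in slow_options
    ]

if __name__ == "__main__":
    # Assumed baseline: 1 ms per derivation, as in the text above.
    print(f"4 random a-z chars add {charset_bits(4):.2f} bits")
    print(f"break-even derivation time: {breakeven_seconds(0.001, 4):.3f} s")
    for slow, bits, chars in comparison_rows():
        print(f"KDF {slow:>6} s vs 1 ms: {bits:>5} bits "
              f"= {chars} extra a-z chars")
```

Under these assumptions even a one-minute derivation is matched by four extra lowercase characters, and a one-second derivation by three.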