
If my password is catsanddogs, there is not much entropy in this password. If the connection was based off symmetric crypto from the get go, where the key was seeded from that password, you could capture some traffic and offline attack the key based off a weak user password.

The alternative is safer. You would have to brute force the login online.

I think you don't know what an IV is. The IV is not secret. Maybe that's where the confusion comes from?
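An added example, not part of the original comment, contrasting the two cases it describes: a key seeded from the password makes any captured record an offline guess-checker, while an online login sees and counts every guess. The toy `seal` construction, the `LoginServer` lockout, the iteration count and the candidate list are all constructed assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 1_000  # constructed value, kept low so the example runs quickly

def derive_key(password, salt):
    # Key seeded directly from the user's password (the design the comment warns about).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def seal(password, plaintext):
    # Stdlib-only stand-in for an authenticated cipher (not a real cipher; <= 32 bytes).
    # salt and iv travel in the clear, as they would on the wire.
    salt, iv = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    return {"salt": salt, "iv": iv, "ct": ct, "tag": tag}

def offline_search(record, candidates):
    # Each guess is checked against the captured record alone; the server sees nothing.
    for n, guess in enumerate(candidates, 1):
        key = derive_key(guess, record["salt"])
        tag = hmac.new(key, b"mac" + record["iv"] + record["ct"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, record["tag"]):
            return guess, n
    return None, len(candidates)

class LoginServer:
    # Hypothetical online login with a lockout: every guess is visible and counted.
    def __init__(self, password, max_failures=3):
        self.salt = os.urandom(16)
        self.verifier = derive_key(password, self.salt)
        self.max_failures, self.failures = max_failures, 0

    def try_login(self, guess):
        if self.failures >= self.max_failures:
            return "locked"
        if hmac.compare_digest(derive_key(guess, self.salt), self.verifier):
            return "ok"
        self.failures += 1
        return "denied"

def online_search(server, candidates):
    for n, guess in enumerate(candidates, 1):
        result = server.try_login(guess)
        if result != "denied":
            return (guess if result == "ok" else None), n
    return None, len(candidates)

# Constructed candidate list; the last entry is the password from the comment.
CANDIDATES = ["password", "letmein", "qwerty123", "dogsandcats", "catsanddogs"]
```

A higher iteration count only raises the cost per offline guess; the lockout is what bounds the online case, and it has no equivalent once a password-keyed record has been captured.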


