The default settings seem to be at fault here, not the implementation it self.
> This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993
The fix: https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a...
