diff --git a/ch05.asciidoc b/ch05.asciidoc index f519785a..552d3a7b 100644 --- a/ch05.asciidoc +++ b/ch05.asciidoc @@ -716,11 +716,21 @@ image::images/mbc2_0507.png["From mnemonic to seed"] [TIP] ==== -The key-stretching function, with its 2048 rounds of hashing, is a very -effective protection against brute-force attacks against the mnemonic or -the passphrase. It makes it extremely costly (in computation) to try -more than a few thousand passphrase and mnemonic combinations, while the -number of possible derived seeds is vast (2^512^). +The key-stretching function, with its 2048 rounds of hashing, makes it +slightly harder to brute-force attack the recovery code using software. +Special-purpose hardware is not significantly affected. For an attacker +who needs to guess a user's entire recovery code, the length of the code +(128 bits at a minimum) provides more than sufficient security. But for +cases where an attacker might learn a small part of the user's code, +key-stretching adds some security by slowing down how fast an attacker +can check different recovery code combinations. BIP39's parameters were +considered weak by modern standards even when it was first published +almost a decade ago, although that's likely a consequence of being +design for compatibility with hardware signing devices with low-powered +CPUs. Some alternatives to BIP39 use stronger key-stretching +parameters, such as Aezeed's 32,768 rounds of hashing using the more +complex Scrypt algorithm, although they may not be as convenient to run +on hardware signing devices. ==== Tables pass:[
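Review bot: in the replacement TIP text, "being design for compatibility with hardware signing devices" should read "being designed for compatibility with hardware signing devices", and "makes it slightly harder to brute-force attack the recovery code using software" reads awkwardly; suggest "makes brute-force attacks on the recovery code slightly harder when they are run on general-purpose hardware". The sentence "Special-purpose hardware is not significantly affected." is a strong claim stated with no explanation; it would help the reader to say why (2048 iterations of PBKDF2 is cheap to parallelise on GPUs and custom hardware, which is what "weak by modern standards" refers to a few lines later), or to cite a source. Also, "Aezeed's 32,768 rounds of hashing using the more complex Scrypt algorithm" is imprecise: 32,768 is scrypt's cost parameter N (a memory-hard work factor), not a plain count of hash rounds, so something like "Aezeed's use of scrypt with a cost parameter of 32,768" would be more accurate and would also explain why it is less convenient on low-powered signing devices (memory, not just CPU time).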