Comment Meaningless. (Score 1) 538
When applying a hash+salt to a password to store in a database, you run it a bunch of times to take up an attacker's cpu time. By picking the number of repeated hashes, processing a password->hash attempt can be made to take any amount of cpu power. When designing a system, one attempts to choose a value such that, with current systems, it takes a reasonable amount of time to process a login but also too long for an attacker to brute force.
TFA talks a lot about the 'number of possible combinations', but in reality that is not strictly relevant.
What matters here is only how much more cpu power is available to attackers than to the site owner. This ratio is what determines the number of 'combinations' required to defend against attack by someone who steals the database. So, if attackers start using hardware to run hash algorithms, sites can as well, and the same balance would be maintained.