I'm referring to obscuring the way that you hash. I'm not at all suggesting abandoning the usual salt techniques. What I am saying is that if I have a nice cluster set up, and I have accessed your users table, along with the way that you hash your passwords, I AM GOING TO BRUTE FORCE IT. All of them.
Sure, felgall, brute forcing over a network can be stopped. Everyone knows that.
Jeff, I've gone down this road with you before, I'm afraid. Iterations of a key will not help out if I know how you created your hash (how many iterations, and when and how you implemented your salt).
As a hacker who has downloaded a nice hunk of usernames and hashed passwords, I will set them up in an indexed table (indexed on the hashed value), ensure that they are stored in memory, and then begin a concurrent brute force; each hash will be checked to see if it exists in the table, and on a match, the password used and the username that went with it will be written out to a results table.
I'm sorry, guys, but my point with this thread is that there is no countering computing power with computing power, given how quickly concurrent computing is coming along. Hand me a table of users, uniquely salted or not, and how the hash was built, and I'll show you an example on EC2.
My point here, folks, is that we should start looking at ways to hide the way in which we hashed our passwords.