Password stretching - a way to mitigate CPU flood

Question

I\'m now using password stretching for all user account passwords throughout all my websites. In the db I store an iteration count and randomly assigned salt along with the

Answer 1

The idea of password stretching is to have the attacker do the heavy work:

When a client wants to log in, the server presents a challenge. The client performs the resource-intensive calculations and sends a response to the server. The server should be able to determine whether the response is valid or not with very few resources.

Because it's the client that's doing the heavy work and the client requires a new challenge for each attempt to log in, brute-forcing all possible password combinations becomes (hopefully) too expensive for an attacker.

Have a look at the Salted Challenge Response Authentication Mechanism (SCRAM).