umailedit (3/19/2013)
Not so many with SHA-1 or one of the SHA-2 family with 100 rounds, either. You're not arguing for encryption vs. hashing, you're arguing for enough rounds to take more time vs. not enough rounds (say, 1).
I am arguing for one way encryption rather than hashing. Hashing functions are ridiculously fast. even with a hundred rounds you can try 10000 passwords per second as shown by the following sample php I wrote for you.
Then run 100,000,000 rounds; the actual number is completely irrelevant. Run as many rounds of whatever you choose as you need to in order to meet your requirements. N rounds is still at least N times slower than 1 round.
If you really want to make it take longer to crack your passwords, do as many rounds as you can on hardware as close to the optimum cracking hardware as is practical - if that's GPU's, then ideally use GPU's (or NVIDIA Tesla cards - not as fast as the fastest consumer GPU's, but warrantied for a production duty cycle, which is important - and major server manufacturers will put them under the same mission critical warranty as the rest of the server). If you need CPU's with AES-NI instructions, then make sure you're using such.