It seems like focussing on the speed of cracking a password misses a more important point: in real work systems we can control the number or speed of logins. The way that's typically implemented is to only allow N wrong logins and then logging the user out. A better alternative in my opinion is simply to double the time between logins, making brute force attacks much slower. Of course, that creates the possibility of a DOS attack to prevent a particular user from logging in (presuming you know the userid). There probably are good application-specific solutions there (e.g. registering the account to a specific IP or IP block, with a registration process if static IPs can't be guaranteed) and nothing beats having a good sys admin with proper network monitoring tools.