The reports I've seen have been that the password hashes were crypt(3) hashed; I've literally seen reports of people checking their hashes with crypt(3) to verify that they lost their real password.

That being the case, it feels reasonable to respond to your argument about "no evidence of brute-force cracked passwords" by saying that the tool that brute forces these passwords has been open sourced since NINETEEN NINETY. I was in 8th grade when the tool that breaks these passwords was published. "Love Will Never Do Without You" by Janet Jackson was a hit single.

I think --- it's hard to prove, since you'd have to get into a long involved conversation about how easy things are to parallelize in CUDA or FPGAs --- that the scheme you've provided is actually faster than that: like, De La Soul or Run-DMC easy instead of Janet easy.

>To compare this to the incredible magnitude of computation required to do that for a truly distinct per-row large entropy salt is extraordinary.

But the salt is based off a static, known set of data per user: username and domain. The salt is known, even though it isn't stored.

So run `shasum (salt + "password")`, or however they mangle it. It's precisely the same thing. There can't be a more-complex salt, because all browsers have to replicate it, or you could only use your login info from a single browser - lose that, and you lose your account.