Password stretching - a way to mitigate CPU flood

不思量自难忘° 2021-01-06 06:25

I'm now using password stretching for all user account passwords throughout all my websites. In the db I store an iteration count and randomly assigned salt along with the

4 replies
  •  星月不相逢
    2021-01-06 06:52

    I think that applying SHA512 any more than once doesn't have any additional value.

    Do you have the following authentication workflow:

    1. User enters username and password on the web form and sends it to the server either in plain text or over SSL;
    2. Server calculates the proper hash/salted hash/whatever to compare with the one stored in the database;
    3. Server compares the hash computed with the one stored in the database.

    If so, then the hashing doesn't make much sense, because a potential attacker won't be able to send the straight hash anyway. In this case it is not the hashing that makes your system more secure but rather the delay before the server responds to the request -- which can be accomplished with the much cheaper Thread.Sleep(1000) technique...
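The scheme the question describes (a per-user random salt and a stored iteration count kept next to the hash) and the verify-on-login workflow the reply lists, as an added example that is not code from either poster. It assumes PBKDF2-HMAC-SHA512 from the standard library as the stretching function and a `count$salt$hash` record layout; the question names neither.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored record layout, an assumption for this example (the question only says
# the iteration count and salt are kept alongside the hash):
#   "<iterations>$<salt hex>$<derived key hex>"
SALT_BYTES = 16
KEY_BYTES = 64  # SHA-512 output size


def stretch(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated SHA-512 via PBKDF2-HMAC-SHA512. CPU cost grows
    linearly with `iterations`, which is what stretching buys: an offline
    guess costs the attacker the same work it costs the server."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_record(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Signup: draw a fresh random salt, stretch, store count + salt + hash."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return f"{iterations}${salt.hex()}${stretch(password, salt, iterations).hex()}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    iterations, salt_hex, key_hex = record.split("$")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify(password: str, record: str) -> bool:
    """Steps 2 and 3 of the reply's workflow: recompute with the stored salt
    and count, then compare in constant time so response timing leaks nothing."""
    iterations, salt, expected = parse_record(record)
    return hmac.compare_digest(stretch(password, salt, iterations), expected)


def needs_rehash(record: str, current_iterations: int) -> bool:
    """Storing the count per user lets old records be upgraded when the
    site-wide work factor is raised, without a forced password reset."""
    return parse_record(record)[0] < current_iterations


def login(password: str, record: str, current_iterations: int) -> Tuple[bool, str]:
    """Authenticate; on success re-stretch a stale record while the plaintext
    password is available. Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record, current_iterations):
        return True, make_record(password, current_iterations)
    return True, record
```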
