by tptacek
5686 days ago
If the observation made here was "this guy got unrealistically impressive results because he was able to parallelize across every password hash", I'd agree. But the observation was instead "this attack worked largely because the passwords weren't salted". No, false. This attack set a price of $1.62 per password using the simplest available GPU cluster resource. In no definition of cryptographic security is $1.62 a reasonable threshold. Scrypt, bcrypt, or PBKDF2 can increase that cost factor to many tens of thousands of dollars per password without incurring appreciable costs to the applications using it.
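An added illustration, not part of the comment above or written by its author: a Python measurement of per-guess work for unsalted SHA-1, salted SHA-1, PBKDF2 and scrypt, showing that a salt leaves the cost of each guess essentially unchanged while a key-derivation work factor multiplies it. The iteration count and scrypt parameters are assumed settings, and the ratios are CPU timings on whatever machine runs it, not GPU prices.

```python
import hashlib
import os
import time

def unsalted_sha1(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha1(password).digest()  # salt deliberately ignored

def salted_sha1(password: bytes, salt: bytes) -> bytes:
    # A salt stops one guess being checked against every hash at once,
    # but each guess is still a single fast SHA-1 computation.
    return hashlib.sha1(salt + password).digest()

def pbkdf2_sha256(password: bytes, salt: bytes) -> bytes:
    # 100_000 iterations is an assumed work factor, not a figure from the comment.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def scrypt_kdf(password: bytes, salt: bytes) -> bytes:
    # n=2**14, r=8, p=1 (about 16 MiB per guess) is likewise an assumed setting.
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)

def seconds_per_guess(fn, salt: bytes, rounds: int) -> float:
    """Average wall-clock time to hash one candidate password with fn."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(b"candidate-%d" % i, salt)
    return (time.perf_counter() - start) / rounds

def relative_guess_cost() -> dict:
    """Per-guess cost of each scheme as a multiple of one unsalted SHA-1 guess."""
    salt = os.urandom(16)
    base = seconds_per_guess(unsalted_sha1, salt, 20_000)
    return {
        "salted_sha1": seconds_per_guess(salted_sha1, salt, 20_000) / base,
        "pbkdf2_sha256": seconds_per_guess(pbkdf2_sha256, salt, 3) / base,
        "scrypt": seconds_per_guess(scrypt_kdf, salt, 3) / base,
    }

if __name__ == "__main__":
    for name, factor in relative_guess_cost().items():
        print(f"{name:>14}: {factor:10.1f}x the work of one unsalted SHA-1 guess")
```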