by tptacek 6266 days ago
Don't use basic auth, lsc.

[Edit] I regret even conceding this point. Even if you use basic auth, the tradeoff here is not complicated.

1 comments

The bigger point is that there is a limit to how slow you can make the password checking process. OK, so let us assume you securely authenticate once per session. How long can that authentication take? I suppose you can put up a little clock... make it take a second and we are talking 11 hours per password, which is starting to get significant... but my point is that the small search space provided by user-chosen passwords means that if you make the hash function slow enough to stop an attacker, you are moving into time spans that users will notice.