What's wrong with PBKDF2 As commonly used with HMAC-SHA-* No parallelism - slows down defender, but not attacker When implemented on modern CPUs for defensive use, only a relatively small portion of resources available in one CPU core is used (can't use SIMD, low instructions per cycle) Almost no memory needs - defender's RAM is not put to use, attacker does not need to provide RAM GPU friendly More so with SHA-1 than with SHA-512, though SHA-512 uses 64-bit words, which helps CPUs and hurts current GPUs