Short version of the question: what if we encrypt or decrypt by running SHA-256 one million times repeatedly, beginning with the initial "phrase" or "object", so that the operation can take 1 second, won't take prevent hacker's brute-force attempts?
Details:
If the system has an encrypt and decrypt system that would first SHA-256 "abcde" first, and then SHA-256 on that result, for 1 million times, to see if the result matches with the stored encrypted-one-million-time token, then the hacker can try the system beginning with "aaaa" but not practical to try it until "zzzz", even if the password is just 4 characters long (such as a password for the PC or Mac).
I think one way hackers try to hack into a computer or system is that they just try most popular passwords or just passwords starting with a to z, aa to zz, ..., aaaa to zzzz.
So then, if the crypto function is designed to take at least 1 second to finish, won't that stop that brute-force attempt?
Otherwise, the hacker can try 500,000 possibility per second, and it doesn't take much effort. Some system actually stops for 1 second between attempt (such as Unix login prompt), but it doesn't stop it if it is not through some UI interface for that 1 second delay.
