Salting and large iterations are no longer enough to protect stored hashed passwords. Using techniques and specialized processers developed for cryptocurrency mining, attackers have the cost/performance advantage to compute large numbers of hash values. Memory-hard hashing recommended by the 2017 NIST guidance on passwords lets traditional servers recover that advantage. Using hash methods like balloon and enlisting users in detecting credential attacks will protect your business for the future.