Key stretching applies hash functions iteratively to make password hashing computationally expensive — slowing offline brute-force attacks dramatically.
Regular SHA-256: GPUs can compute billions/second. bcrypt/Argon2: deliberately slow (100ms+). Attacker's speed = 10,000 attempts/second vs. billions. Tune iteration count to maintain ~100ms hash time as hardware improves.