The short answer is that it doesn't matter because if you live in a fantasy land where users never re-use passwords, always have passwords with sufficient entropy, or you never lose control of your data, doing key-stretching is not necessary or helpful.
The long answer is that security experts are expensive and trying to figure out security systems from first principles is very hard and fraught with disaster. The result is that almost all security practices are transmitted via folklore.
Also, the documentation for security software is often dense and hard to understand, while the documentation for non-security software provides advice that is simple, actionable, and terrible: http://dev.mysql.com/doc/refman/5.7/en/encryption-functions....
* The undocumented-algorithm PASSWORD() function that mysql uses to hash passwords apparently defaults to unsalted double-SHA1
* You are helpfully advised not to use this function to store user passwords, instead you're advised to use MD5 or SHA2.
* Salting is not discussed at all.
* Key stretching functions are not provided or discussed.
The long answer is that security experts are expensive and trying to figure out security systems from first principles is very hard and fraught with disaster. The result is that almost all security practices are transmitted via folklore.
Also, the documentation for security software is often dense and hard to understand, while the documentation for non-security software provides advice that is simple, actionable, and terrible: http://dev.mysql.com/doc/refman/5.7/en/encryption-functions....
* The undocumented-algorithm PASSWORD() function that mysql uses to hash passwords apparently defaults to unsalted double-SHA1
* You are helpfully advised not to use this function to store user passwords, instead you're advised to use MD5 or SHA2.
* Salting is not discussed at all.
* Key stretching functions are not provided or discussed.