They can simply use multi-iteration like one million times to achieve the same effects. It will put much load on the server, however, they should be able to find a best trade off.
Not really - multi-iteration salting doesn't scale with Moore's law. When faster CPUs/GPUs come out next year you would have to keep increasing the number of salting iterations. All of these salting iterations are hand-coded as well, making it tremendously tedious to keep updating.
Normal hash functions like MDA5, SHA-1, SHA-256 are designed to be incredibly fast. We don't want figuring out passwords to be this fast, so bcrypt is a perfect algorithm because it was designed to have a work factor so that it can be made slower.
I would much rather have to wait 100ms to login to a secure BTC exchange rather than have my password brute-forced by a GPU cracker in just a few seconds.
