With a weak password, step 2 is redundant; even with more than the recommended rounds of bcrypt/scrypt, if your password is "123456", it's getting cracked.
verify(candidate, storedEntry) has to run in a time reasonable for a web service to handle, which means that 123456 is still going to get tried against all the accounts in a reasonable time.
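A defender-side weak-password audit that illustrates the point above, as an added example that is not part of the original comment: salted scrypt is applied per account, yet a short common-password list still flags the weak entries, and the total sweep cost is just accounts × candidates × verify time. The scrypt parameters, the sample accounts, and the helper names `make_entry`, `audit` and `sweep_seconds` are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for this example; real deployments tune these.
SCRYPT = dict(n=2**12, r=8, p=1, dklen=32)


def make_entry(password: str) -> tuple[bytes, bytes]:
    """Create a stored entry: (per-account random salt, scrypt digest)."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify(candidate: str, stored_entry: tuple[bytes, bytes]) -> bool:
    """Same work the login path does: one scrypt call, constant-time compare."""
    salt, digest = stored_entry
    guess = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(guess, digest)


def audit(entries: dict, common: list[str]) -> set[str]:
    """Return accounts whose stored entry matches any common password."""
    return {user for user, entry in entries.items()
            if any(verify(pw, entry) for pw in common)}


def sweep_seconds(accounts: int, candidates: int, verify_seconds: float) -> float:
    """Salting forces one verify per (account, candidate) pair, nothing more."""
    return accounts * candidates * verify_seconds


# Constructed sample accounts and common-password list.
ENTRIES = {
    "alice": make_entry("123456"),
    "bob": make_entry("t7#Lq9!vZp2m-Rx4"),
    "carol": make_entry("qwerty"),
}
COMMON = ["123456", "password", "qwerty"]

if __name__ == "__main__":
    start = time.perf_counter()
    verify("123456", ENTRIES["alice"])
    per_verify = time.perf_counter() - start
    print("weak accounts:", sorted(audit(ENTRIES, COMMON)))
    print("1M accounts x 10 candidates: %.0f s on one core"
          % sweep_seconds(1_000_000, 10, per_verify))
```

Running the same audit against your own credential store at password-set time, rather than after a breach, is what turns this observation into a control.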