Good points! Just to highlight the difference though, deliberately slow hashing algorithms are your last line of defense when an attacker already has your database! They're not meant as a GUI brute-force prevention replacement, where you should indeed just tell the user to fuck off after n failed trials.


Shitlord by trade and passion. Graphics programmer at Laminar Research.
I write blog posts at feresignum.com
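
The two layers the post distinguishes, as an added Python example that is not part of the original post: an attempt counter on the online login path, and a slow hash that sets the per-guess cost once the stored rows have leaked. `ITERATIONS`, `MAX_FAILURES`, `LoginService` and the sample inputs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumption: PBKDF2 work factor; tune to your hardware
MAX_FAILURES = 3      # assumption: the "n" failed attempts from the post


def slow_hash(password, salt):
    """Deliberately slow: this is the per-guess cost once the database leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    """Online path: the server sees every attempt, so it can simply refuse."""

    def __init__(self):
        self.users = {}     # name -> (salt, digest)
        self.failures = {}  # name -> consecutive failed attempts

    def register(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, slow_hash(password, salt))

    def login(self, name, password):
        if name not in self.users:
            return "denied"
        # Lockout is checked before hashing, so refused attempts cost nothing.
        if self.failures.get(name, 0) >= MAX_FAILURES:
            return "locked"
        salt, stored = self.users[name]
        if hmac.compare_digest(slow_hash(password, salt), stored):
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        return "denied"


def offline_cost_ratio():
    """Stolen rows bypass the counter; return PBKDF2 cost relative to SHA-256."""
    salt, rounds = os.urandom(16), 1000
    t0 = time.perf_counter()
    for i in range(rounds):
        hashlib.sha256(salt + str(i).encode()).digest()
    fast = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    slow_hash("constructed-guess", salt)
    return (time.perf_counter() - t0) / fast
```

A permanent lockout like this one lets anyone lock out a known account name, so deployed systems usually use a timed delay instead.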