Secret salts; why do they slow down attacker more than they do me?

This would probably be explained in the auditory lecture that these slides accompany.

My guess is that he's calculating this assuming that users generally enter their correct passwords. You only need to cycle through options for r until you find one that produces a correct hash.

If you've been given the correct password, then you will come across an r that produces a correct hash; when exactly this happens will vary (since it's random), but on average you'll go through half the total options (2**8 = 256, 256/2 = 128) before finding it.

However, the attacker will usually be trying incorrect passwords. This means they'll have to try every single option of r, which is the full 256.


Just to add something more to Xiong's answer:

In case of a database compromise an attacker will try to recover all the passwords (Or at least the most interesting ones), meaning he needs to try each candidate password with each possible "secret salt", which is quite expensive

Meanwhile the server just needs to iterate through the possible "secret salt" with the password entered by the user. Not only the password is likely to be correct, also it's only one for each user login in