This is exactly why Armory uses a scrypt-like algorithm for its wallet encryption. It does the 100,000 hashes of the passphrase, but requires them to all be stored in RAM at once, so you can do 100,000 table-lookups on it to get the final result. This makes GPU-acceleration pretty useless for an attacker (GPU threads usually only have a tiny amount of fast memory, not megabytes). That's why the Armory website advertises "GPU-resistant wallet encryption". (for reference, it's called the ROMix algorithm -- found in the same paper as scrypt, it's just that ROMix is much simpler despite being much less flexible about compute-memory tradeoff)
On the other hand, if you forget your password, you likely remember enough of it that you may only require a few weeks of single-threaded processing to find it.
Sorry, but on the Armory it said the wallet is encrypted with AES256, why is that?
It is encrypted with AES256. There's two distinct steps to unlocking your wallet:
- (1) Convert your password to an encryption key
- (2) Use the key to encrypt your wallet with AES256
Passphrase --> 32-byte AES256 key --> Encrypt Wallet
The encryption key is a full 32-bytes of data, which would be impossible to guess. But your password/passphrase is much less than that. So an attacker doesn't need to guess the encryption key if they guess your password -- so they just need to guess a bunch of passwords, run them through (1), and then check if it's correct.
Bitcoin-Qt and Armory both do this, they just use a different step-1: X,000 sequential hashes, forcing the attacker to spend a full 0.1-0.25 seconds to check whether they got your password correct. The difference is that the key-stretching used in Bitcoin-Qt only requires compute-time. It only requires a few dozen bytes of fast-access memory to convert your passphrase to an encryption key, it just requires
a lot of hashes. Because of this, is very parallelizable -- an attacker with a bunch of GPUs having 2,000 threads each can get 100-1000x speedup compared to only using their CPU.
But Armory key-stretching (and scrypt-based algorithms) requires each thread to have access to
megabytes of fast-access RAM. Thus, you might not be able to put it on a GPU at all, or you would only be able to run 10 of those 2,000 threads at once. In that case, you might as well just use a CPU.