
Are there? You're not talking about ASICs for cryptocurrency mining (which is a different problem being solved)?


How is this a different problem?

Yes, PoW is trying to find near collisions, and password cracking is trying to find direct collisions, but it's collisions just the same. What is important here is 'hashrate', which gives you bounds on time to crack your dataset (or find a near collision).


The very fact that it's near collisions vs direct collisions. You're correct that having dedicated ASICs does increase the hash-rate, and thus could lower the time-bounds. But the dedicated ASICs are only really expanding the I/O interface to get more data in/out, and due to this have a much higher cost.

The PoW system adjusts the difficulty based on the current distributed hash-rate, so an individual (or pool) is operating in a percent range of the total hash-rate.

To analogize the two properly, you'd have to set the PoW system to the highest difficulty, and keep it there for every individual password you want to check.

Also the scrypt currencies have a fixed memory bound, AFAIK. While in password use, it "could be" modified in the middle, doubling the required time-bound.


If ASIC cryptocurrency miners could find collisions for an entire key in a reasonable lifetime, cryptocurrencies based on scrypt would be literally worthless. But, they can't. They can find partial collisions.

ASICs for SHA256 don't break SHA256, and ASICs for scrypt don't break scrypt.


The scrypt used in cryptocoins has been sabotaged by limiting the amount of RAM it uses.
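The memory-bound and hashrate-bound points raised above (scrypt's fixed, small memory footprint in coins vs. the larger, tunable footprint in password hashing, and "hashrate gives you bounds on time to crack") can be made concrete. The following is an added example, not code from any commenter: it derives scrypt's memory footprint from its parameters (128 * r * N bytes for the sequential-memory-hard core), evaluates scrypt with Python's standard `hashlib.scrypt`, and turns an assumed attacker hashrate into a time bound. The parameter profiles are illustrative: N=1024, r=1, p=1 is the well-known Litecoin-style setting; N=2^14, r=8, p=1 is a commonly cited interactive-login setting. The hashrates and candidate counts are constructed for the example.

```python
import hashlib

# Memory one scrypt evaluation needs, from the parameters alone:
# the SMix core stores N blocks of 128*r bytes each.
def scrypt_memory_bytes(n: int, r: int) -> int:
    return 128 * r * n

# Upper bound on wall-clock seconds to try `candidates` guesses against one
# hash when the attacker sustains `hashrate` evaluations per second.
def seconds_to_exhaust(candidates: int, hashrate: float) -> float:
    return candidates / hashrate

# Evaluate scrypt with explicit parameters. maxmem is set from the footprint
# (plus headroom for OpenSSL's bookkeeping) so a mis-sized profile fails
# loudly instead of silently running with a smaller N.
def derive(password: bytes, salt: bytes, n: int, r: int, p: int,
           dklen: int = 32) -> bytes:
    limit = 2 * scrypt_memory_bytes(n, r) + 1024 * 1024
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          dklen=dklen, maxmem=limit)

# Illustrative profiles (assumed for this example): (N, r, p)
PROFILES = {
    "litecoin-style": (1024, 1, 1),   # ~128 KiB per evaluation
    "login-password": (2**14, 8, 1),  # 16 MiB per evaluation
}

# How many times more memory the password profile needs per evaluation than
# the coin profile; this is the gap an ASIC built for the coin setting
# would have to close to attack the password setting at the same rate.
def memory_ratio(profile_a: str, profile_b: str) -> float:
    na, ra, _ = PROFILES[profile_a]
    nb, rb, _ = PROFILES[profile_b]
    return scrypt_memory_bytes(nb, rb) / scrypt_memory_bytes(na, ra)

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    for name, (n, r, p) in PROFILES.items():
        mem = scrypt_memory_bytes(n, r)
        digest = derive(b"correct horse battery staple", salt, n, r, p)
        print(f"{name}: N={n} r={r} p={p} memory={mem // 1024} KiB "
              f"digest={digest.hex()[:16]}...")
    # Constructed attacker: 10^6 scrypt evaluations/s against 10^10 candidates.
    print("time bound (s):", seconds_to_exhaust(10**10, 1e6))
    print("memory ratio login/litecoin:",
          memory_ratio("litecoin-style", "login-password"))
```

The ratio function is the practical takeaway: an ASIC sized for the 128 KiB coin setting has no bearing on a 16 MiB (or larger) password setting unless it is rebuilt with proportionally more on-die memory, which is exactly the cost scrypt's memory-hardness is meant to impose.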


But, even sabotaged in that way, ASICs still aren't able to compromise keys, right? (Just as ASICs for SHA256 don't compromise Bitcoin keys.)

I'm not suggesting this clarification isn't useful, but I was replying to someone claiming that scrypt is effectively broken because there are ASICs for computing scrypt hashes, which according to my understanding is not correct.


There is no hard line for "broken" when you're talking about password hashing. The availability of ASICs brings the cost per hash down significantly though. (If it didn't, nobody would bother designing ASICs.)


That sabotage was "necessitated" by the desire for fast proof-of-work verification.

With hashcash, proof attempt is as hard as proof verification, but there are other asymmetric schemes where the former is much harder.

The first such PoW was primecoin. My own design Cuckoo Cycle is another, that aims to be the most memory bound of all PoWs.


> That sabotage was "necessitated" by the desire for fast proof-of-work verification.

Oh, I understand why they did it. But it still removed the most important property of scrypt. We wouldn't have scrypt ASICs if that change hadn't been made.



