bcrypt

That is a most peculiar way to describe the operation of bcrypt.

Unless you believe that is an insufficient barrier, implementing BCrypt is merely degrading the user experience (12-second logins?

SCrypt improves on BCrypt by being both slow on general purpose hardware and resistant to simple hardware speedups.

So on OpenBSD the hashes are bcrypt and rounds are based on system performance as per man crypt_checkpass?

So it doesn't really make sense in context that the salt, pepper, and password were concatenated and passed to bcrypt.

Perhaps he was talking about the SHA-1 stretching; perhaps they hash the passwords with SHA-1 before passing it to bcrypt.

How to make a reasonbly-decent webapp in 2015 without having to worry about bcrypt and open redirects and such: 1.

It takes 10 hours for two fast cores to attack one single password across 32MM BCrypt hashes with the default cost factor.

No, you cannot simply scale your way to a BCrypt cracker using cloud servers.

Calculating a BCrypt hash with the default cost factor takes about as long as reading an uncached file off a conventional filesystem.

And if you really had 80 chars of preliminary table condiments and your bcrypt implementation truncated at 72 -- well that's just textbook.

The only implementations of bcrypt (and crypt(3)) that I've seen that's NOT vulnerable to this are Golang and Python.

You can tune BCrypt so that just "12345", by itself, is too painful to run across 32MM rows to be worth a PR stunt.

I think anything ending in "KDF" gives me warm fuzzies, and that whatever you code in already has a library for BCrypt.

The only acceptable advice in this situation is "use bcrypt".

BCrypt is "optimized" to be slow - tuneably slow.

Bcrypt is a very easy to use hashing tool that exists in all popular languages.