FabHK 9 days ago

Latacora, 2018: In order of preference, use scrypt, argon2, bcrypt, and then if nothing else is available PBKDF2.

So even 7 years ago bcrypt was only the 3rd recommended option.

internetter 9 days ago

You'll find that opinion is still divided among these three options. And bcrypt is harder to mess up. It has fewer parameters (it doesn't fall apart as easily) and salting is built in, whereas it's not for scrypt and argon2. If, knowing nothing else about the competency of the programmer, I had to choose between an application using scrypt, argon2 and bcrypt, I'd pick bcrypt any day.

LVB 9 days ago

They follow with:

"But, seriously: you can throw a dart at a wall to pick one of these... In practice, it mostly matters that you use a real secure password hash, and not as much which one you use."