On the surface, bcrypt, an 11-year-old security algorithm designed for hashing passwords by Niels Provos and David Mazières, which is based on the initialization function used in the NIST-approved Blowfish algorithm, seems almost too good to be true. It is not vulnerable to rainbow tables (since creating them is too expensive) and not even vulnerable to brute-force attacks.
However, 11 years later, many are still using SHA2x with salt for storing password hashes, and bcrypt is not widely adopted.
- What is the NIST recommendation with regard to bcrypt (and password hashing in general)?
- What do prominent security experts (such as Arjen Lenstra and so on) say about using bcrypt for password hashing?