Nice intro to hashing and bcrypt library. I've tended to favor pbkdf2 lately, mostly because it's "in the box" and has generally been a hard requirement (NIST recommended) for some of the work I do (government clients).
I would suggest considering going to 12 rounds over 10, if your deployment server can handle it. It does become a potential DDoS attack vector if you aren't tracking/limiting failed attempts by user and IP.
tracker1 1915 days ago. link 2 points ▲ ▼