
Ask HN: Is bcrypt still the state of the art for password hashing - xiaodai
I have been doing some courses on building backend servers with user login systems. The algorithm bcrypt is mentioned a lot as an algorithm to securely hash passwords (salting & peppering). I wonder if bcrypt is still state of the art when it comes to password hashing? Is it still a secure option?
======
moviuro
See OWASP's recommendations:
[https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet)

> Argon2[7] is the winner of the password hashing competition and should be
> considered as your first choice for new applications;

> PBKDF2 [4] when FIPS certification or enterprise support on many platforms
> is required;

> scrypt [5] where resisting any/all hardware accelerated attacks is necessary
> but support isn’t.

> bcrypt where PBKDF2 or scrypt support is not available.
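
An added example, not part of the thread or of the OWASP page: one way to store salted and peppered hashes so that records made with an older algorithm from the list above are re-hashed with the preferred one at the next successful login. It assumes scrypt as the preferred algorithm only because Python's standard library ships it (Argon2 needs a third-party package); the record format, function names and cost parameters are constructed for this sketch.

```python
import base64
import hashlib
import hmac
import os

PREFERRED = "scrypt"                 # assumption: swap in Argon2 if a binding is available
SCRYPT_COST = dict(n=2**14, r=8, p=1)  # constructed cost parameters, fixed for all records
PBKDF2_ITERATIONS = 600_000            # constructed value for the legacy path


def _derive(alg, password, salt, pepper):
    # Pepper: a server-side secret kept outside the database, mixed in with HMAC
    # so a stolen table alone is not enough to start guessing passwords.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    if alg == "scrypt":
        return hashlib.scrypt(keyed, salt=salt, dklen=32, **SCRYPT_COST)
    if alg == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS, dklen=32)
    raise ValueError(f"unknown algorithm {alg!r}")


def hash_password(password, pepper, alg=PREFERRED):
    """Return a self-describing record: alg$salt$hash (base64 fields)."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = _derive(alg, password, salt, pepper)
    return "$".join([alg, base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(stored, password, pepper):
    """Return (ok, replacement). replacement is a new record to save when the
    password was correct but the stored record used a non-preferred algorithm."""
    try:
        alg, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = _derive(alg, password, salt, pepper)
    except ValueError:  # malformed record or unknown algorithm tag
        return False, None
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return False, None
    replacement = hash_password(password, pepper) if alg != PREFERRED else None
    return True, replacement
```

The upgrade can only happen at login, because that is the one moment the server sees the plaintext password again.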

------
slater
Yeh.

