Pbkdf2 is extremely good. Without deeper analysis (or a feature comparison) I'd be hesitant to say that bcrypt or scrypt are better.

I sincerely mean no offense but this statement came directly out of your butt. Read the table on page 14 of Colin Percival's Usenix paper "Stronger Key Derivation Via Sequential Memory-Hard Functions" (which you could have found by Googling [scrypt paper]); PBKDF2 is ~5x faster (ie: costs ~5x less to break) than bcrypt; PBKDF2 and scrypt aren't even in the same ballpark.

From exactly where did you derive the idea that PBKDF2 is "extremely good"?

The reality is that all three of PBKDF2, bcrypt, and scrypt are just fine. But PBKDF2 and scrypt have drastically poorer library support than bcrypt; nobody should delay using a strong password hash so that they can optimize which one they use.

All three are extremely good for this use case, when the competition is SHA-1. Beyond that, I don't know enough to compare the three. So yeah, it came out of my butt.

If Colin has a paper on it then I trust his comparison. What I really meant to say is what you said: all three are just fine.

Also, I thought I remembered my comment's parent saying something stronger, either it was edited later, or I was drunk when I decided it was worth commenting on.

I just wanted to write the word "butt". Thanks for being cool about it. :)

hahahaha, well, what you wrote was worthwhile and (as far as I can tell) correct. Thanks.

Eh? PBKDF2 has configurable complexity and has found many more applications than bycrpt, from WPA2 to disk encryption. The crypto research behind PBKDF2 is much more rigorous.

Please cite one academic cryptography paper that presents an analysis of PBKDF2, other than Colin's paper which damns it.

There is virtually no "rigorous" research into KDFs of any sort, let alone password KDFs. Most academic crypto research simply presumes passwords are taken from cryptographically secure random number generators and stored securely.

And with that said I want to remind you that I just cited a source, accepted at Usenix, that measured PBKDF2, bcrypt, and scrypt and found PBKDF2 inferior to bcrypt. You seem to want to pretend otherwise.

PBKDF2 is way better than salted hashes. It's right there with bcrypt and scrypt on the "good choices" list.

Django has chosen a fine default and for the next several years it's probably unnecessary to second-guess it. Over time, GPU and (more importantly) FPGA-assisted hash cracking may or may not become more common, at which point you'd want to transition to something like scrypt.

You could literally flip a coin to decide between bcrypt and PBKDF2 and it wouldn't matter which side came up.

> which is better than nothing/md5/no salt sha1.

It's also better than salted sha1 since it performs multiple iteration rounds leading to (configurable) higher computational complexity.