For password hashing, bcrypt *is* better, by design. There's absolutely no ambiguity here; the consensus is fully in favour of bcrypt. Hashes like SHA512 are general purpose, designed to run really fast, whereas bcrypt is explicitly for secure hashing and is deliberately, tuneably slow. There are many articles on the subject; here are some (from *5 years ago*!):
http://codahale.com/how-to-safely-store-a-password/
http://blog.codinghorror.com/speed-hashing/

Frankly I'm shocked this is even being questioned. Without bcrypt in libc, all apps that rely on libc for hashing (I've just run into it with dovecot in 14.04) are not as secure as they should be. Hasn't this been flagged by the Ubuntu security team?

-- 
https://bugs.launchpad.net/bugs/1349252

Title:
  crypt(3) lacks Blowfish support

Status in glibc package in Ubuntu: Won't Fix
Status in linux package in Ubuntu: Invalid

Bug description:
  crypt(3) bundled with Ubuntu's GNU C Library supports MD5, DES, SHA256 and SHA512 hashing methods, but lacks support for Blowfish (aka bcrypt).
  There is a patch available from Openwall: http://www.openwall.com/crypt/
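A way to check which of the methods named in the bug description a given libc's crypt(3) actually accepts, written as an added example (not code from the bug report, glibc or Openwall). The salts, the probe password and the helper names `supported`, `survey` and `system_crypt` are constructed for illustration.

```python
import ctypes
import ctypes.util

# Constructed probe settings: one per method in the bug description, plus bcrypt.
SETTINGS = {
    "DES": "ab",
    "MD5": "$1$abcdefgh$",
    "SHA256": "$5$abcdefghijklmnop$",
    "SHA512": "$6$abcdefghijklmnop$",
    "bcrypt": "$2a$05$CCCCCCCCCCCCCCCCCCCCC.",
}

def supported(crypt_fn, setting):
    """True if crypt_fn returned a hash of the scheme the setting asked for."""
    out = crypt_fn("probe-password", setting)
    # An unsupported method can show up as NULL, as a '*'-prefixed failure
    # token, or as a hash of some other scheme, so require the same prefix.
    if out is None or out.startswith("*"):
        return False
    prefix = setting[: setting.rfind("$") + 1] or setting[:2]
    return out.startswith(prefix) and len(out) > len(setting)

def survey(crypt_fn):
    """Map each method name to whether crypt_fn supports it."""
    return {name: supported(crypt_fn, s) for name, s in SETTINGS.items()}

def system_crypt():
    """Wrap the local libcrypt's crypt(3) as a str -> str-or-None callable."""
    path = ctypes.util.find_library("crypt")
    if path is None:
        raise OSError("libcrypt not found on this system")
    lib = ctypes.CDLL(path)
    lib.crypt.restype = ctypes.c_char_p
    lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def call(key, setting):
        out = lib.crypt(key.encode(), setting.encode())
        return out.decode() if out is not None else None

    return call

if __name__ == "__main__":
    for name, ok in survey(system_crypt()).items():
        print(f"{name:8s} {'supported' if ok else 'NOT supported'}")
```

A "NOT supported" result for bcrypt means any application that delegates hashing to this libc cannot produce or verify `$2a$` hashes through crypt(3).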