
Spoiler: the default SSH RSA key format uses straight MD5 to derive the AES key used to encrypt your RSA private key, which means it's lightning fast to crack (it's "salted", if you want to use that term, with a random IV).

Indeed, I pointed this out in my May 2009 talk about scrypt (http://www.daemonology.net/papers/scrypt-slides.pdf). There were even OpenSSH developers in the room!



And a mere four years later they added a format that uses bcrypt... in a PBKDF2 construction? (I haven't found a motivation why, though Ted Unangst's post on it just says "I know about scrypt".)
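
An added example, not code from this thread or from OpenSSH/OpenSSL, that makes the two formats above concrete: the legacy PEM passphrase derivation (OpenSSL's EVP_BytesToKey with MD5 and one iteration, salted with the first 8 bytes of the DEK-Info IV) reimplemented so the single-MD5 cost is visible, plus a header-only check that reports whether a key file uses that derivation or the newer openssh-key-v1 container with its bcrypt KDF and tunable round count. The two sample headers are constructed, not real keys.

```python
import base64, hashlib, re, struct

KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}

def legacy_pem_kdf(passphrase: bytes, iv: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey(MD5, count=1): salt = IV[:8]; D_1 = MD5(pass||salt),
    D_i = MD5(D_{i-1}||pass||salt); one MD5 call per 16 key bytes (AES-128: exactly one)."""
    salt, out, prev = iv[:8], b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]

def _ssh_string(b: bytes) -> bytes:  # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(blob: bytes, pos: int):
    n = struct.unpack(">I", blob[pos:pos + 4])[0]
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def key_file_kdf(pem: str) -> dict:
    """Report which passphrase KDF protects a private key file; reads the header only."""
    lines = pem.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob, magic = base64.b64decode("".join(lines[1:-1])), b"openssh-key-v1\0"
        assert blob.startswith(magic), "not an openssh-key-v1 blob"
        cipher, pos = _read_string(blob, len(magic))
        kdf, pos = _read_string(blob, pos)
        kdfopts, _ = _read_string(blob, pos)
        info = {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode()}
        if kdf == b"bcrypt":  # kdfoptions = string salt || uint32 rounds
            _salt, p = _read_string(kdfopts, 0)
            info["rounds"] = struct.unpack(">I", kdfopts[p:p + 4])[0]
        return info
    m = re.search(r"^DEK-Info: ([A-Z0-9-]+),([0-9A-Fa-f]+)$", pem, re.M)
    if m is None:
        return {"format": "legacy-pem", "cipher": "none", "kdf": "none"}
    return {"format": "legacy-pem", "cipher": m.group(1), "kdf": "md5-evp_bytestokey",
            "md5_calls": -(-KEY_LEN[m.group(1)] // 16)}

# Constructed samples, not real keys: a legacy header with a made-up IV, and an openssh-v1 header
# (aes256-ctr, bcrypt, 16 rounds). The key body that follows in a real file is omitted.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF
-----END RSA PRIVATE KEY-----"""
_hdr = (b"openssh-key-v1\0" + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
        + _ssh_string(_ssh_string(b"\0" * 16) + struct.pack(">I", 16)))
NEW_FORMAT_PEM = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_hdr).decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----")
```

Running `key_file_kdf` over a key directory is a quick inventory of which files still rely on the one-MD5 derivation; the `rounds` field is what the newer format lets you raise to make guessing expensive.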


Scrypt is "excessively parameterized." ;)


I don't mean to sound stupid; but I am, so it comes out that way.

What does this mean? Does it mean it's hard to use, or easy to mess up or something else?


It has a time space difficulty curve that's more complex, but some people like that. I will stipulate scrypt is "better" if I don't have to argue about it. :)


As an aside about scrypt since I saw it mentioned here:

How does scrypt fare against the recent TLBleed etc.? IIRC Intel's claim was that TLBleed only affected poorly implemented crypto. But is not the memory access pattern of scrypt vulnerable to TLBleed and hard to make constant access?


OT: This is why I still come to HN. At some point the top comment chain is by tptacek (Matasano), cperciva (Tarsnap founder), lvh (Latacora), tedunangst (OpenBSD dev), willvarfar (Mill CPU). And that's a great thread!


LVH and I are Latacora. Matasano is long gone; our joking nickname for Latacora is Matwosano.


Thanks. I'll have to update my tags.


Kind of. If you can sniff the memory access pattern of scrypt, its strength drops to being the same as bcrypt.


My first guess would be that it has "too many parameters/knobs". I guess that could implicitly mean it's hard to use/easy to mess up if you don't know what each parameter means and what different values have.


I guess the same. Not sure why the downvote. The latest crypto functions expect the developer to pick parameters for the memory usage, the time to run and god knows what.

Too low and it's worse than MD5, too high and your login prompt takes a whole minute to check the password.


I think the history is a little more complex than that. It's not like provos was unaware of key stretching.


The article says it's inherited from OpenSSL...?



