
I don't mean to sound stupid; but I am, so it comes out that way.

What does this mean? Does it mean it's hard to use, or easy to mess up or something else?




It has a time space difficulty curve that's more complex, but some people like that. I will stipulate scrypt is "better" if I don't have to argue about it. :)


As an aside about scrypt since I saw it mentioned here:

How does scrypt fare against the recent TLBleed etc.? IIRC Intel's claim was that TLBleed only affected poorly implemented crypto. But is not the memory access pattern of scrypt vulnerable to TLBleed and hard to make constant access?


OT: This is why I still come to HN. At some point the top comment chain is by tptacek (Matasano), cperciva (Tarsnap founder), lvh (Latacora), tedunangst (OpenBSD dev), willvarfar (Mill CPU). And that's a great thread!


LVH and I are Latacora. Matasano is long gone; our joking nickname for Latacora is Matwosano.


Thanks. I'll have to update my tags.


Kind of. If you can sniff the memory access pattern of scrypt, its strength drops to being the same as bcrypt.


My first guess would be that it has "too many parameters/knobs". I guess that could implicitly mean it's hard to use/easy to mess up if you don't know what each parameter means and what different values have.


I guess the same. Not sure why the downvote. The latest crypto functions expect the developer to pick parameters for the memory usage, the time to run and god knows what.

Too low and it's worse than MD5, too high and your login prompt takes a whole minute to check the password.
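
Added example, not part of any comment in this thread: the scrypt knobs discussed above (N, r, p) made concrete with Python's hashlib.scrypt, showing how memory use follows from the parameters and how a floor keeps them from being set too low. The 16 MiB floor, the record format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed policy floor for this example, not a value taken from the thread.
MIN_MEM_BYTES = 16 * 1024 * 1024

def scrypt_memory_bytes(n, r):
    """Approximate working memory of one scrypt call: 128 * N * r bytes."""
    return 128 * n * r

def pick_n(mem_budget_bytes, r=8):
    """Largest power-of-two N whose memory use fits inside the budget."""
    n = 2
    while scrypt_memory_bytes(n * 2, r) <= mem_budget_bytes:
        n *= 2
    return n

def _derive(password, salt, n, r, p):
    # OpenSSL refuses to run unless maxmem covers the working set plus overhead.
    maxmem = 128 * r * (n + p + 2) + 65536
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=32)

def hash_password(password, n, r=8, p=1):
    """Hash with explicit parameters and store them next to the salt and key."""
    if scrypt_memory_bytes(n, r) < MIN_MEM_BYTES:
        raise ValueError("scrypt parameters below policy floor")
    salt = os.urandom(16)
    dk = _derive(password, salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the stored parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, dk_hex = record.split("$")
    if scheme != "scrypt":
        return False
    actual = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(actual, bytes.fromhex(dk_hex))

def needs_rehash(record, target_n, r=8):
    """True when a stored record uses less memory than the current target."""
    _, n, stored_r, _, _, _ = record.split("$")
    return scrypt_memory_bytes(int(n), int(stored_r)) < scrypt_memory_bytes(target_n, r)
```

Storing N, r and p in the record is what lets the cost be raised later: old hashes still verify, and needs_rehash flags them for an upgrade at the next successful login.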



