Bitcoinica: Salted BCrypt with 20 iterations. Enforce minimum 8 characters. It can take months to crack a simple password. (And I use this for all my future app projects. Also recommend everyone to do the same.)
I assume you mean Salted Bcrypt w/ workload=20, that is 2^20 = 1 million iterations. Slightly harder.
A single round of bcrypt takes roughly 5x the clock cycles as long as SHA-256 (OpenCL optimized). Thus bcrypt(20) is on the magnitude of 5 million times harder to crack than salted SHA-256 hash.
Another way to look at it. If a hacker could brute force a given password hashed SHA-256 in 1 second it would take them 57 days on bcrypt(20).
There is absolutely no reason to use anything weaker than bcrypt (or similar chained iterative functions like PBKDF2 or scrypt).
pass - stupid
MD5(pass) - cryptographically weak
SHA-256(pass) - vulnerable to rainbow tables
SHA-256(pass.salt) - vulnerable to brute force
bcyrpt(pass,salt,2^10) - vulnerable to weak/common password list
bcyrpt(strongpass*,salt,2^10) - computationally infeasible to attack
strongpass being enforced by the site as
8+ char
not in dictionary
not in known password list
