Similar gains might be realized by proper use of "pepper", something I hadn't hear of until a month ago. TL;DR: You add another secret, never stored in the database, string to the password before hashing. The benefit is that a database dump does not contain the information needed to crack the passwords.
Alternately, Dropbox uses AES256 using the pepper as the key as the last step. The benefit there is that you can easily change the pepper if it has been compromised.
2 comments
[ 2.8 ms ] story [ 13.3 ms ] threadExample: bcrypt.hashpw(hashlib.sha512(password + pepper).digest(), bcrypt.gensalt(10))
https://en.wikipedia.org/wiki/Pepper_(cryptography)
Alternately, Dropbox uses AES256 using the pepper as the key as the last step. The benefit there is that you can easily change the pepper if it has been compromised.
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-...