
Please read your references...

    The bcrypt key derivation function requires a larger (but 
    still fixed) amount of RAM and is slightly stronger 
    against such attacks, while the more modern scrypt key 
    derivation function can use arbitrarily large amounts of 
    memory and is much stronger. (wikipedia)

    Basically they recommend PBKDF2. This does not mean that 
    they deem bcrypt insecure; they say nothing at all about 
    bcrypt. It just means that NIST deems PBKDF2 "secure 
    enough" ... On the other hand, bcrypt comes from Blowfish 
    which has never received any kind of NIST blessing (or 
    curse). (stackexchange)
The general consensus here over the past few months/years is that bcrypt is good enough, scrypt is probably better, and PBKDF2 is pretty good. And that ALL of them are much better than hashing+salt.
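
As an added example (not part of the comment above), this compares the per-guess cost of a single salted hash, PBKDF2 and scrypt using Python's standard `hashlib`. The function names and cost parameters are illustrative assumptions, and bcrypt is left out because it is not in the standard library.

```python
import hashlib
import hmac
import os
import time

# Illustrative cost parameters (assumptions for this example, not from the thread).
PBKDF2_ITERATIONS = 100_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def scrypt_memory_bytes(n, r):
    """RAM for scrypt's main working array: 128 * N * r bytes."""
    return 128 * n * r

def derive(password, scheme, salt):
    pw = password.encode()
    if scheme == "salted-sha256":   # one fast hash: the "hashing+salt" baseline
        return hashlib.sha256(salt + pw).digest()
    if scheme == "pbkdf2":          # CPU cost scales with the iteration count
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    if scheme == "scrypt":          # CPU and memory cost scale with N and r
        return hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              maxmem=64 * 1024 * 1024, dklen=32)
    raise ValueError(f"unknown scheme: {scheme}")

def hash_password(password, scheme):
    salt = os.urandom(16)           # fresh random salt per stored password
    return salt, derive(password, scheme, salt)

def verify(password, scheme, salt, expected):
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(derive(password, scheme, salt), expected)

def cost_per_guess(scheme):
    salt = os.urandom(16)
    start = time.perf_counter()
    derive("constructed sample password", scheme, salt)
    return time.perf_counter() - start

if __name__ == "__main__":
    for scheme in ("salted-sha256", "pbkdf2", "scrypt"):
        print(f"{scheme:14s} {cost_per_guess(scheme) * 1000:9.3f} ms per guess")
    mib = scrypt_memory_bytes(SCRYPT_N, SCRYPT_R) // 2**20
    print(f"scrypt memory per guess: {mib} MiB")
```

Raising `SCRYPT_N` grows both the time and the memory each guess needs, which is the "arbitrarily large amounts of memory" property the Wikipedia quote refers to; PBKDF2's iteration count only raises the time.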

