Fascinating and excellent article. There is simply no excuse for not following this advice today.

To add an additional reference: here's what a python implementation looks like (The whole code!):

from werkzeug.security import generate_password_hash

h = generate_password_hash('12345')

The value of h looks like (notice the $s):

pbkdf2:sha256:150000$e6H1etAe$6b03629692fa289a7f7f59905ea9d407a89351164927aba5dce2ac01782ff0ba

The first part pbkdf2:sha256:150000 is the algorithm run 150000 times; the second part "e6H1etAe" is the salt, and the rest is the hash itself.

--

--