Fascinating and excellent article. There is simply no excuse for not following this advice today.

To add an additional reference: here's what a Python implementation looks like (the whole code!):

from werkzeug.security import generate_password_hash

h = generate_password_hash('12345')

The value of h looks like (notice the $s):


The first part pbkdf2:sha256:150000 is the algorithm run 150000 times; the second part "e6H1etAe" is the salt, and the rest is the hash itself.
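
The layout described in the comment above (method, salt and hash separated by $), shown as an added example that is not part of the original comment and is not Werkzeug's own code. It uses only the standard library, assumes a UTF-8 password and salt with a hex-encoded hash, and the helper names, sample salt and rehash threshold are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def make_hash(password, iterations=150000, salt=None):
    """Build 'pbkdf2:sha256:<iterations>$<salt>$<hex hash>' (layout assumed from the comment)."""
    salt = salt or secrets.token_urlsafe(6)  # fresh random 8-character salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${digest.hex()}"


def parse_hash(stored):
    """Split a stored value into (hash_name, iterations, salt, hex_hash)."""
    method, salt, digest = stored.split("$", 2)
    kdf, hash_name, iterations = method.split(":")
    if kdf != "pbkdf2":
        raise ValueError("unsupported method: " + kdf)
    return hash_name, int(iterations), salt, digest


def verify(stored, candidate):
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        hash_name, iterations, salt, expected = parse_hash(stored)
        actual = hashlib.pbkdf2_hmac(
            hash_name, candidate.encode(), salt.encode(), iterations
        ).hex()
    except ValueError:
        return False  # malformed value or unknown algorithm: reject, never crash
    return hmac.compare_digest(actual.encode(), expected.encode())


def needs_rehash(stored, min_iterations):
    """True when the stored work factor is below the current policy (caller-chosen)."""
    return parse_hash(stored)[1] < min_iterations


if __name__ == "__main__":
    h = make_hash("12345")
    print(h)
    print(verify(h, "12345"), verify(h, "wrong"), needs_rehash(h, 600000))
```

Because the algorithm, iteration count and salt travel inside the stored string, the work factor can be raised later and old entries upgraded at the user's next successful login.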