Hacker News
by monster2control 3778 days ago
Just an FYI, NIST still recommends SHA-2 for password hashing; they still don't see enough benefit from Bcrypt with the advent of super-fast ASICs and FPGAs. Scrypt and Argon2 are too immature. ColdFusion isn't a reason for not using either, as ColdFusion can run any Java code very easily. Python can run C code easily. So bindings for any language are never a reason as long as you know how to use your tools. Bcrypt does add some extra benefits over SHA-2 for typical offline password hacking. So it's still a good step. It would be foolish to go with Argon2 as it only won the Password Hashing contest a little over 6 months ago. Bcrypt has been found to be solid for over 15 years now and has had tons of eyeballs on it. Scrypt has had issues in the past and hasn't been nearly as scrutinized as Bcrypt. The fact of the matter is, the good guys aren't working as hard as the bad guys when it comes to good security.