[tptacek]

That Stack Overflow post doesn't refute John Graham-Cumming's point, which is that the cryptographic strength of a salt doesn't change the security of a secure password system. The salt is there to randomize the hashes; it doesn't resist active attacks. People that obsess on the security of their salt values misunderstand the design of secure hash systems.

Bcrypt is demonstrably more secure than SHA-512. You can look to the Openwall GPU password cracking project for illustration of how. It is easier to speed up SHA2 on a GPU than it is to speed up bcrypt. Scrypt is markedly different from SHA2; it's designed specifically to be difficult to optimize with GPUs (a property bcrypt has only accidentally at present).

Moreover: the best practice for using SHA2 as a password hash is to use PBKDF2, which is not simply iterating SHA2 (you can learn more about PBKDF2 on Wikipedia). Iterated SHA2 is a fine answer for existing applications that need the simplest possible path to something better than a salted hash, but it's not a good answer for new designs.

Your responses to both these points appear to be materially wrong.