Bits of entropy I understand; how you got "374" and "288" I don't.
>That’s my point. It’s not easy to get this kind of thing right, so just don’t bother with pepper.
What? Your point is that you haven't demonstrated that it's weaker than the weakest link, therefore you win?
Edit: Okay, I figured out where you got 288. Still confused by the 374. Anyway, you need to make truncations explicit. You didn't pass all of the sha output to bcrypt. You're taking advantage of an implementation API bug.
I'm not asking for evidence that shoving together functions from Google without understanding them can go wrong. That's trivially true.
I want an example where combining hash algorithms is inherently wrong. Like using a block cypher twice can pop out your plaintext, but probably not as extreme.
>“algorithm” is, again, really vague
Something that you can use to hash passwords. What you gave works if you assume gen_salt is seeded per user.
>The weakest link here is 374 bits (4 bcrypts), but the output is 288.
I'm afraid I don't follow. Your bit numbers confuse me, and I don't see how this results in an algorithm that is weaker than either sha512 or bcrypt.