Regarding peppering, please see my former statement. If one discloses the number of rounds applied, then the system is as secure (or insecure) as before; it just takes a bit more computing power to calculate. Besides that, there is the point that if you do too many rounds on some algorithms the entropy tends to decrease, in effect decreasing the security of the final result (also stated in the link you provided as a caveat for system design, iirc). On salting, I already said that I do see the point of making life easier for end users. More on that later.
Well, read up on bcrypt please. As far as I remember (and it has been a few years since I looked at the details, so I might be wrong), bcrypt saves the number of iterations and the salt used together with the hash.
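As an added illustration of the point made in the post above (this is editor-added example code, not the poster's), the following parser pulls the cost factor and salt out of a bcrypt modular-crypt string and shows how the cost maps to the number of key-expansion rounds. The sample hash string is a constructed input in the standard `$2a$NN$...` layout used only to exercise the parser; nothing is asserted about which password it encodes. The `needs_rehash` policy helper is an assumption about how a site might use the stored cost, not part of bcrypt itself.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet (not RFC 4648): value 0 is '.', value 1 is '/'.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_B64_VALUE = {c: i for i, c in enumerate(BCRYPT_B64)}

# $<version>$<cost>$<22-char salt><31-char digest>  -> 60 characters in total
_HASH_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed sample input for the parser (standard layout, cost 10).
SAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


@dataclass(frozen=True)
class BcryptFields:
    version: str      # "2", "2a", "2b", "2x" or "2y"
    cost: int         # log2 of the number of expensive key-expansion rounds
    salt: bytes       # the 128-bit salt, decoded from the 22-character field
    digest_b64: str   # the 31-character encoded digest, left as stored

    @property
    def rounds(self) -> int:
        # The cost is stored in the clear; the work factor it implies is 2**cost.
        return 2 ** self.cost


def bcrypt_b64decode(s: str) -> bytes:
    """Decode bcrypt's base64 variant. 22 chars carry 132 bits; 128 form the salt."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in s:
        if ch not in _B64_VALUE:
            raise ValueError(f"invalid bcrypt base64 character {ch!r}")
        acc = (acc << 6) | _B64_VALUE[ch]
        nbits += 6
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt(h: str) -> BcryptFields:
    """Split a stored bcrypt string into version, cost, salt and digest."""
    m = _HASH_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost_s, salt_b64, digest_b64 = m.groups()
    cost = int(cost_s)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    # The 22-char field decodes to 16 bytes plus 4 padding bits; keep the 16 bytes.
    salt = bcrypt_b64decode(salt_b64)[:16]
    return BcryptFields(version, cost, salt, digest_b64)


def needs_rehash(h: str, min_cost: int) -> bool:
    """Hypothetical policy check: was this hash made with a cost below the current minimum?

    Because the cost is stored with the hash, a site can raise its minimum over time
    and transparently re-hash on the user's next successful login.
    """
    return parse_bcrypt(h).cost < min_cost


if __name__ == "__main__":
    f = parse_bcrypt(SAMPLE_HASH)
    print(f"version={f.version} cost={f.cost} rounds={f.rounds} salt={f.salt.hex()}")
    print("needs rehash at min cost 12:", needs_rehash(SAMPLE_HASH, 12))
```

The takeaway matches the post: everything an attacker needs to reproduce the computation (version, cost, salt) is in the string, and that is by design; only the password itself is secret, and the cost field is what lets a site raise the work factor later without re-collecting passwords.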
Yes, it is going to be overpowered some time in the future. When that time comes, I might change my policy to change passwords daily or even weekly, from the once every three or four months that it is now, and I'll still be secure.
The bottom line is that it is not as easy to overpower as you seem to think. Try it for yourself and see.
OK, I should have stated "intelligence agencies" more generally, as I meant "NSA" only as an example. Sorry for that, and the matter is closed from my side.
I know, but spreading rumors doesn't serve anyone. I do not mind reading any evidence or facts that you might have, though.
As said above, I do see the point of making life easier for end users. However, I do think that end users should understand what they are doing, and if things are made too easy then users mostly forget about the implications.
Actually, eradication of implication knowledge is one of the things that makes a product easier to use. So yeah, that is what all products should strive for. Educating users costs too much; making sure that anyone can use a product is less expensive (foolproof products).
And things have the nasty tendency to come back and bite you. In the specific case, I would ask the user to provide a strong password, tell him what this should look like and how to work with it. If he then does not provide one (e.g. he cannot remember complicated ones, doesn't understand the importance, etc.), I can still enhance it by salting. But even then I would tell him what I did.
You do know that for the last 20 years or so the weak link in security has been the user, right? It doesn't matter how much you educate them: any daily activity becomes a burden, and the more difficult an activity is, the more chances it has to be dropped or bypassed. Telling a user what you did or how the password system works is outside your obligations. Instead of spending time educating people who should know nothing about encryption, passwords and their implications, it would be best to spend that time making sure that even if the user fails, the system will not be compromised. You can, for example, give out only daily passwords, so that after work hours the password/PIN or whatever it is, is no longer valid; give out cards as an extra precaution (e.g. credit/debit cards and PIN), cards that can have the user name or password embedded (or both) and never leave the shop (something like the punch cards for time tracking), etc. Whatever you do, the user/people must be cut out of the authentication process as much as possible; that is why biosensors were invented in the first place.
So, you are handling this wrong, in my opinion, but that is outside the scope of this thread.
And that is the ultimate goal of encryption / cryptography.
Here I tend to disagree. The ultimate goal of cryptography is "information security, data integrity, authentication, and non-repudiation".
You have to protect the data for a specific time, after which it makes no sense to protect it, for example protecting a credit card number after the card's expiration date.