This is a few years old, but worth reposting, as the question comes up regularly (like it did a couple minutes ago in my Twitter stream). The goal, it reminds us, is to pick an algorithm that’s “slow as hell”:

So we’re talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I’d be cracking them every 12 years or so.

Note also that scrypt and PBKDF2 are generally recognized as valid substitutes, as the basic logic of this post still applies to those algorithms.