Yeah, I used Hashcat to attack a Bcrypt hash before. I could do roughly 10-11 thousand attempts per second.
You did take note I wasn't just HMACing and encrypting the password though, right? I don't want any confusion. I was using a password hashing function.
That's what makes Bcrypt so great. Smashing through a dictionary against a compromised database is painful, and you can make it even more painful by cranking up the difficulty factor. It's very resistant against brute force attacks.
HMAC is meant for other things, like signing, where you're not dealing with brute-force attacks, where instead performance, authentication and verification are what matter. It's not in any way intended for, nor suitable for use as, a password hash.
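
Added example, not part of the thread: a defender-side audit that reads the cost factor out of stored bcrypt hash strings, flags accounts below a minimum cost for rehash at next login, and shows how each cost increment doubles the per-guess work. The sample rows, `fake_hash`, the policy minimum of 12 and the baseline cost of 5 are assumptions (the thread gives a guess rate but not the cost it was measured at).

```python
import re

# Modular-crypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}")

def bcrypt_cost(stored):
    """Return the cost factor encoded in a bcrypt hash string, or None if malformed."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        return None
    cost = int(m.group(1))
    return cost if 4 <= cost <= 31 else None  # bcrypt accepts costs 4..31

def relative_work(cost, baseline_cost):
    """bcrypt runs 2**cost key-setup rounds, so each +1 doubles the work per guess."""
    return 2.0 ** (cost - baseline_cost)

def seconds_to_exhaust(candidates, rate_at_baseline, baseline_cost, cost):
    """Seconds to try every candidate against ONE salted hash at the given cost."""
    return candidates * relative_work(cost, baseline_cost) / rate_at_baseline

def audit(rows, min_cost):
    """Sort (user, stored_hash) rows into ok / rehash / invalid by encoded cost."""
    report = {"ok": [], "rehash": [], "invalid": []}
    for user, stored in rows:
        cost = bcrypt_cost(stored)
        if cost is None:
            report["invalid"].append(user)   # not bcrypt at all: migrate first
        elif cost < min_cost:
            report["rehash"].append(user)    # upgrade on next successful login
        else:
            report["ok"].append(user)
    return report

def fake_hash(cost):
    """Constructed placeholder with the right shape; not a real bcrypt digest."""
    return "$2b$%02d$%s%s" % (cost, "A" * 22, "B" * 31)

# Constructed sample table; carol's value is shaped like a bare 32-hex digest.
SAMPLE = [("alice", fake_hash(12)), ("bob", fake_hash(8)),
          ("carol", "0" * 32), ("dave", fake_hash(10))]

if __name__ == "__main__":
    print(audit(SAMPLE, min_cost=12))
    # Assumed: 10,000 guesses/s measured at cost 5, one-million-word dictionary.
    for c in (5, 10, 12, 14):
        print(c, seconds_to_exhaust(1_000_000, 10_000, 5, c))
```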