Which is the recommended library for hashing passwords in Kotlin/Ktor? E.g. bcrypt does not appear to have an official Kotlin library.
If you're running your server on the JVM, you can (and probably should) just use the Java standard library. An example with PBKDF2: https://www.baeldung.com/java-password-hashing
Any Kotlin-specific library is going to be less mature than the Java standard library equivalent, which matters a lot for anything cryptographic.
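An added example of the approach this answer recommends (PBKDF2 from the JVM standard library, no third-party dependency); it is not code from the post or from the linked article, and the iteration count, salt size and storage format are assumptions chosen for illustration.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// Assumed parameters for this example; tune the iteration count to your hardware budget.
private const val ALGORITHM = "PBKDF2WithHmacSHA256"
private const val ITERATIONS = 600_000
private const val KEY_LENGTH_BITS = 256
private const val SALT_BYTES = 16

private fun pbkdf2(password: CharArray, salt: ByteArray, iterations: Int): ByteArray {
    val spec = PBEKeySpec(password, salt, iterations, KEY_LENGTH_BITS)
    try {
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).encoded
    } finally {
        spec.clearPassword() // wipe the password copy held inside the spec
    }
}

/** Returns "iterations$base64(salt)$base64(hash)" so the parameters travel with the record. */
fun hashPassword(password: CharArray): String {
    val salt = ByteArray(SALT_BYTES).also { SecureRandom().nextBytes(it) } // fresh salt per password
    val hash = pbkdf2(password, salt, ITERATIONS)
    val b64 = Base64.getEncoder()
    return "$ITERATIONS\$${b64.encodeToString(salt)}\$${b64.encodeToString(hash)}"
}

/** Recomputes the hash with the stored salt and iteration count; compares in constant time. */
fun verifyPassword(password: CharArray, stored: String): Boolean {
    val parts = stored.split('$')
    if (parts.size != 3) return false
    val iterations = parts[0].toIntOrNull() ?: return false
    val (salt, expected) = try {
        val b64 = Base64.getDecoder()
        b64.decode(parts[1]) to b64.decode(parts[2])
    } catch (e: IllegalArgumentException) {
        return false // malformed stored record, never a match
    }
    return MessageDigest.isEqual(expected, pbkdf2(password, salt, iterations))
}

fun main() {
    val stored = hashPassword("correct horse battery staple".toCharArray())
    println(stored)
    check(verifyPassword("correct horse battery staple".toCharArray(), stored))
    check(!verifyPassword("wrong password".toCharArray(), stored))
}
```

Storing the iteration count alongside the hash lets you raise it later and re-hash users on their next successful login without a migration.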
I haven’t used PBKDF2 before - looks like it’s similar to BCrypt, with salts. Are you using the Spring Security library?
You could do that and it would be a very safe bet, but I'm not.
PBKDF2 is NOT similar to bcrypt. PBKDF = password based key derivation function. You are using a password to derive a key. This is not even remotely the same as bcrypt, which is a hashing algorithm with an associated cost that helps prevent someone from using brute force to crack passwords on your system.
Many people do use pbkdf2 to hash passwords to prevent brute force attacks on a leaked database, and as near as I can tell this use is still blessed by NIST. BCrypt is better at resisting such attacks because attackers can't use GPUs as easily, and it is probably the correct choice going forward, but comparing the two is not comparing apples to oranges. They're both widely used for the same purpose: hashing passwords to slow down brute force attacks.
I would just use BCrypt with spring-security-crypto: simple, secure and widely used.