Argon2

Argon2 is the winner of the Password Hashing Competition (2015) and is currently the recommended algorithm for password hashing. It offers configurable memory, time, and parallelism parameters with three variants for different use cases.

Argon2 Variants

  • Argon2d: Maximizes resistance to GPU cracking (data-dependent memory access)
  • Argon2i: Optimized for resistance to side-channel attacks (data-independent)
  • Argon2id: Hybrid mode - recommended for password hashing

Parameters

argon2id(password, salt, time_cost, memory_cost, parallelism)

time_cost: Number of iterations
memory_cost: Memory usage in KB
parallelism: Number of parallel threads

# Hash format:
$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$hash

Usage Example

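# Python with argon2-cffi
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

ph = PasswordHasher(
    time_cost=3,
    memory_cost=65536,  # 64MB
    parallelism=4
)

# Hash password (a random salt is generated and embedded in the encoded string)
hashed = ph.hash("secretpassword")

# Verify password; verify() raises VerifyMismatchError on a wrong password
try:
    ph.verify(hashed, "secretpassword")
except VerifyMismatchError:
    print("Invalid password")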

Recommended Parameters (OWASP)

  • Argon2id: m=47104 (46 MB), t=1, p=1
  • Or: m=19456 (19 MB), t=2, p=1
  • Minimum: m=15360 (15 MB), t=2, p=1
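
The hash format and the parameter sets above can be combined into an audit of stored hashes. This is an added example, not code from the original page or from argon2-cffi; the names parse_argon2, audit and PAGE_PROFILES are hypothetical, and the sample string is constructed.

```python
import base64
import re

# Parameter sets listed on this page: (memory_cost, time_cost), all with p=1.
PAGE_PROFILES = [(47104, 1), (19456, 2), (15360, 2)]

_ENCODED = re.compile(
    r"\$(argon2id|argon2i|argon2d)\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)"
)


def _unb64(field):
    # The encoded string stores base64 without '=' padding; restore it first.
    return base64.b64decode(field + "=" * (-len(field) % 4))


def parse_argon2(encoded):
    """Split an encoded Argon2 string into fields; ValueError if malformed."""
    match = _ENCODED.fullmatch(encoded)
    if match is None:
        raise ValueError("not a well-formed Argon2 hash string")
    variant, version, mem, time_cost, lanes, salt, digest = match.groups()
    return {
        "variant": variant, "version": int(version),
        "m": int(mem), "t": int(time_cost), "p": int(lanes),
        "salt": _unb64(salt), "hash": _unb64(digest),
    }


def audit(encoded):
    """Return findings for one stored hash; an empty list means it passes."""
    try:
        fields = parse_argon2(encoded)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if fields["variant"] != "argon2id":
        findings.append(f"variant is {fields['variant']}, not argon2id")
    if not any(fields["m"] >= m and fields["t"] >= t for m, t in PAGE_PROFILES):
        findings.append(f"m={fields['m']},t={fields['t']} is below every listed profile")
    if fields["p"] < 1:
        findings.append("parallelism must be at least 1")
    return findings


# Constructed sample: parameters and salt from the format line, placeholder digest.
SAMPLE = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$" + "A" * 43
```

Running audit() over every stored hash shows which accounts still need re-hashing at their next successful login.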

See Also