Argon2 is the password hashing algorithm that won the Password Hashing Competition in 2015, not because it’s the fastest, but because it’s designed to be the slowest and most expensive to attack.
Let’s see it in action. Imagine you’re building a login system. You don’t want to store user passwords as plain text. Instead, you hash them. Argon2 takes a password and a "salt" (a unique random string for each password) and produces a hash.
Here’s a simplified Python example of how you might generate a hash:
import argon2
# A user's password and a unique salt
password = b"mysecretpassword"
salt = b"somesaltthatisrandom"
# Create an Argon2 hasher instance
hasher = argon2.PasswordHasher(
time_cost=2, # Number of iterations
memory_cost=1024, # Memory in KiB
parallelism=8, # Number of threads
hash_len=32, # Length of the hash
type=argon2.Type.ID # Argon2 variant (ID, I, or D)
)
# Hash the password
hashed_password = hasher.hash(password, salt)
print(f"Hashed Password: {hashed_password}")
When a user tries to log in, you’d take their entered password, retrieve the stored salt and hash, and then re-hash the entered password with that salt using the exact same parameters. If the resulting hash matches the stored hash, the password is correct.
The real magic of Argon2 lies in its configurable parameters: time cost, memory cost, and parallelism.
- Time Cost (Iterations): This dictates how many passes the algorithm makes through the data. A higher time cost means more CPU cycles are required, making brute-force attacks significantly slower.
- Memory Cost: This specifies how much RAM the algorithm needs. Attacking passwords with high memory cost requires specialized hardware (like GPUs) to be massively parallelized, as they have limited memory per processing unit.
- Parallelism: This determines how many threads can work on the hashing process simultaneously. This is a double-edged sword: it speeds up hashing on multi-core CPUs (good for legitimate users) but also allows attackers with many cores to try more passwords per second.
Argon2 comes in three main variants, each with slightly different trade-offs:
- Argon2d: Prioritizes resistance to GPU cracking by using data-dependent memory access. This means its memory access patterns change based on the input data, making it harder for GPUs to precompute or optimize.
- Argon2i: Prioritizes resistance to side-channel attacks (like timing attacks) by using data-independent memory access. This makes it more predictable for attackers trying to infer information by measuring execution time.
- Argon2id: This is a hybrid approach, using Argon2i for the first half of the first pass and Argon2d for the rest. It offers good resistance against both GPU cracking and side-channel attacks, making it the recommended default.
The primary problem Argon2 solves is the cost of cracking passwords. Older algorithms like bcrypt or scrypt are good, but attackers have developed specialized hardware (ASICs, powerful GPUs) that can crack millions of passwords per second. Argon2’s design, particularly its memory-hard and parallelism-controllable nature, makes it much more expensive and difficult to accelerate on such custom hardware.
The "winning" in the Password Hashing Competition wasn’t about raw speed; it was about a balanced approach to security. The judges evaluated algorithms based on their resistance to various attack vectors, including brute-force, dictionary attacks, and side-channel attacks. Argon2 emerged as the best all-around performer, offering robust defenses against the most sophisticated cracking techniques.
Here’s a glimpse of what a real-world Argon2 hash might look like in your database. It’s a string that encodes the algorithm, parameters, salt, and the final hash:
$argon2id$v=19$m=102400,t=2,p=8$c29tZXNhbHQ= followed by the hash itself.
The $v=19$ indicates the version of Argon2. m=102400 is the memory cost in KiB (100 MiB here), t=2 is the time cost (2 iterations), and p=8 is the parallelism factor (8 threads). The c29tZXNhbHQ= part is the base64-encoded salt.
The most surprising true thing about Argon2 is that its design consciously avoids making hashing as fast as possible. Instead, it intentionally consumes significant amounts of memory and CPU cycles, creating a computational "wall" that dramatically increases the cost for attackers trying to brute-force passwords, while still being manageable for legitimate users on modern hardware.
The next logical step after understanding Argon2 is exploring how to securely manage and rotate these hashes in a production environment.