Argon2 - Modern Password Hashing Algorithm
Argon2 is a password hash function that won the 2015 Password Hashing Competition (PHC). Designed as a memory-hard function, it offers strong resistance against parallel attacks by GPUs and ASICs. As of 2025, it is the password hashing algorithm most recommended by OWASP and the first choice for storing passwords in new systems.
Historical Background
The history of password hashing is a race against the evolution of attackers' hardware. Beginning with Unix crypt (1976), bcrypt (1999) introduced the concept of a cost factor. However, bcrypt is CPU-bound and could not adequately counter the massive parallel processing of GPUs. scrypt (2009) introduced the concept of memory-hardness, but its parameters proved hard to tune. Against this backdrop, the PHC was held starting in 2013, and Argon2 was selected as the winning algorithm out of 24 candidates.
The Three Variants
Argon2d
Uses a data-dependent memory access pattern. It offers the highest resistance to GPU attacks, but because the addresses it reads depend on the password, it is vulnerable to side-channel attacks. Suited for server-side uses such as cryptocurrency mining.
Argon2i
Uses a data-independent memory access pattern. It is strong against side-channel attacks, but its GPU resistance is inferior to Argon2d. Suited for use in shared environments.
Argon2id
A hybrid of Argon2d and Argon2i. The first half uses the Argon2i approach to ensure side-channel resistance, while the second half uses the Argon2d approach to deliver GPU resistance. The standard choice for password hashing.
The Significance of Memory-Hard Functions
Conventional hash functions depended only on CPU computation speed, so a brute-force attack could be carried out rapidly through parallel computation on a GPU with thousands of cores. Memory-hard functions solve this problem by requiring a large amount of memory for each computation. Although GPUs have many compute cores, the memory available per core is limited, making parallel execution of memory-intensive algorithms difficult. Even for attacks using ASICs (dedicated hardware), fitting each unit with large amounts of memory is costly, which undermines the economics of the attack.
Comparison with bcrypt and scrypt
| Characteristic | bcrypt | scrypt | Argon2id |
|---|---|---|---|
| Year introduced | 1999 | 2009 | 2015 |
| Memory-hard | ✗ | ✓ | ✓ |
| GPU resistance | Low | Medium | High |
| Parameter tuning | Cost only | CPU + memory + parallelism | CPU + memory + parallelism |
| Input length limit | 72 bytes | None | None |
| OWASP recommendation rank | 2nd | 3rd | 1st |
Parameter Design
The performance of Argon2id is controlled by three parameters: memory amount, number of iterations (time cost), and parallelism. The recommended settings from OWASP as of 2025 are as follows.
Increasing the amount of memory improves security, but it also increases the server's resource consumption. The practical balance is to allocate as much memory as possible while keeping login processing latency within one second. The full picture of how to store passwords securely is explained in the secure password management guide. Cryptography and security books on Amazon let you study this in greater depth.
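Raising the parameters later only helps if existing records are rehashed, so the parameter discussion needs a companion check at login. As an added example (not from the article or from any Argon2 library), the code below parses the PHC-format string that Argon2 libraries store and flags records hashed below the current policy so they can be recomputed at the user's next successful login. The minimum values are OWASP's baseline configuration (Argon2id, 19 MiB, 2 iterations); the salt and tag bytes in the sample strings are constructed placeholders, not real Argon2 output.

```python
import base64
import re
from dataclasses import dataclass

# PHC string as written by libargon2 / argon2-cffi (base64 fields carry no '=' padding):
#   $argon2id$v=19$m=<KiB>,t=<iterations>,p=<lanes>$<base64 salt>$<base64 tag>
_PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$"
)

@dataclass(frozen=True)
class Argon2Params:
    variant: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes
    tag: bytes

def _unb64(s: str) -> bytes:            # decode unpadded base64
    return base64.b64decode(s + "=" * (-len(s) % 4))

def parse_argon2(encoded: str) -> Argon2Params:
    """Split an Argon2 PHC string into its fields; ValueError for anything else."""
    m = _PHC_RE.fullmatch(encoded)
    if m is None:
        raise ValueError("not an Argon2 PHC string")
    return Argon2Params(m["variant"], int(m["version"]), int(m["m"]), int(m["t"]),
                        int(m["p"]), _unb64(m["salt"]), _unb64(m["tag"]))

# Minimum acceptable parameters: OWASP's baseline (Argon2id, 19 MiB, 2 iterations).
# Raise these whenever production settings are raised; old records then get rehashed.
MIN_VARIANT, MIN_MEMORY_KIB, MIN_TIME_COST = "argon2id", 19 * 1024, 2

def needs_rehash(encoded: str) -> bool:
    """True if a stored hash is below policy and should be recomputed from the
    plaintext at the user's next successful login (the only time it is available)."""
    p = parse_argon2(encoded)
    return (p.variant != MIN_VARIANT or p.version != 0x13
            or p.memory_kib < MIN_MEMORY_KIB or p.time_cost < MIN_TIME_COST
            or len(p.salt) < 16 or len(p.tag) < 16)

# Constructed sample records: salt/tag bytes are placeholders, not real Argon2 output.
SALT = base64.b64encode(bytes(range(16))).rstrip(b"=").decode()
TAG = base64.b64encode(bytes(range(32))).rstrip(b"=").decode()
LEGACY_HASH = f"$argon2i$v=19$m=4096,t=3,p=1${SALT}${TAG}"     # under-provisioned
CURRENT_HASH = f"$argon2id$v=19$m=19456,t=2,p=1${SALT}${TAG}"  # meets the baseline
```

Call `needs_rehash` right after a successful verification and, when it returns True, store a fresh hash computed with the current settings.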
Common Misconceptions
Some say, "Argon2 is slow, so I don't want to use it," but the slowness is precisely the design intent. Password hashing is deliberately made slow to limit the rate at which attackers can make attempts. A legitimate user logs in only once, but an attacker needs hundreds of millions of attempts, so the higher the cost per attempt, the greater the defensive effect. It also provides strong defense against rainbow table attacks through the combination of salt and memory-hardness. For basic knowledge of cryptography, refer also to the article on the basics of encryption.