Password hashing / KDF

Argon2id

A modern password hashing function from Biryukov, Dinu, and Khovratovich (University of Luxembourg). Winner of the Password Hashing Competition (PHC) in 2015, standardized as RFC 9106 in 2021. Argon2id is the recommended default for new password storage and any slow KDF use case.

At a glance

Three flavors of Argon2

• Argon2d , data-dependent memory access; maximally memory-hard but vulnerable to side channels.
• Argon2i , data-independent memory access; side-channel safe but slightly weaker.
• Argon2id , hybrid: data-independent for the first half-pass, data-dependent thereafter. The pragmatic default.

Cost parameters

• Memory (m): KiB allocated. Typical: 64–512 MiB for interactive logins.
• Time (t): iterations over the memory matrix. Increase to slow GPU attackers without growing RAM budget.
• Parallelism (p): independent lanes computed in parallel.

Why memory-hardness matters

Attackers brute-force passwords with GPUs / FPGAs / ASICs. A memory-hard function forces a large RAM working set per password attempt , the attacker’s hardware budget grows linearly with the candidate count. GPUs have far less memory per core than CPUs do.

Where it is used

• libsodium , crypto_pwhash defaults to Argon2id.
• 1Password, Bitwarden , vault key derivation.
• Tor , onion service v3 client authorization.
• Modern PHP / Python / Rust frameworks , default password storage.

Choosing parameters

RFC 9106 baseline recommendations: t=1, m=2 GiB, p=4(high-security server) or t=3, m=64 MiB, p=4(memory- constrained). Tune until interactive logins take 100–500 ms on the real server hardware.

Try it

The KDF Lab includes Argon2id with interactive t, m, p sliders so you can feel how cost scales.

References

• RFC 9106 , Argon2 Memory-Hard Function for Password Hashing
• Password Hashing Competition (PHC) , Argon2 won
• scrypt · bcrypt · PBKDF2