What is Argon2, what makes it secure, and what three parameters define its Work Factor?
Argon2 is the modern standard password-hashing function — deliberately slow and memory-hard, parameterised by memory, iterations, and parallelism.
Why "deliberately slow"? Password hashing fights offline attacks. The defender hashes once at login (~100 ms). The attacker has to hash every guess (billions of times). If the hash is fast, GPUs/ASICs win. If it's slow AND requires lots of memory per attempt, you neutralise the attacker's hardware advantage.
The three Argon2 parameters (the Work Factor):
| Parameter | Symbol | Effect |
|---|---|---|
| Minimal Memory Size | m |
RAM required per hash computation. Big m defeats GPU/ASIC parallelism (they can't fit thousands of parallel hashes if each needs 64 MB). |
| Number of Iterations | t |
How many passes over memory. More iterations = more time. |
| Degree of Parallelism | p |
How many threads each computation may use. Tuning between server CPU and security. |
Variants of Argon2:
| Variant | Best for | Resistance |
|---|---|---|
| Argon2d | Cryptocurrency, side-channel-free environments | GPU/ASIC |
| Argon2i | Password hashing where side-channel risk is high | Side-channel timing |
| Argon2id | General purpose — use this one | Combines both |
Recommended parameters (OWASP, 2024):
m≥ 19 MiB (19,456 KiB),t≥ 2,p= 1 — minimum.- More memory is generally better than more iterations if you have RAM to spare.
Argon2 included goodies:
- Built-in salt generation — no need to manage it separately.
- Encoded output includes the algorithm, parameters, salt, and hash in one string like
$argon2id$v=19$m=19456,t=2,p=1$<salt>$<hash>→ portable across systems, no schema needed.
Tip: Argon2 won the 2013–2015 Password Hashing Competition (PHC), beating Catena, Lyra2, yescrypt, and others. Use Argon2id unless you have a specific reason not to. bcrypt is still acceptable for legacy systems; scrypt is also fine. Avoid PBKDF2 except for FIPS compliance — it's not memory-hard.