Quiz Entry - updated: 2026.07.14
Why is Argon2id the modern default for password hashing, instead of fast hashes like SHA-256?
Because password hashing must be deliberately slow and memory-hard to thwart GPU/ASIC brute-force attacks. Argon2id (Password Hashing Competition winner, 2015) tunes both time and memory, defeating cheap parallel cracking.
The problem with using SHA-256 directly:
- SHA-256 is designed to be fast — billions of hashes per second on a modern GPU.
- A leaked password database hashed with SHA-256 can be cracked at 10⁹+ guesses/sec — most non-random passwords fall in minutes.
What Argon2id adds:
- Configurable time cost — number of iterations, slows down each guess.
- Configurable memory cost — each hash requires megabytes of RAM, making GPU/ASIC attacks expensive (GPU RAM is small and shared).
- Parallelism cost — degree of parallelism the legitimate verifier can use without giving the attacker the same advantage.
- "id" hybrid — combines data-independent (Argon2i, side-channel safe) and data-dependent (Argon2d, GPU-resistant) modes.
Predecessors and their issues:
| Algorithm | Year | Status |
|---|---|---|
| MD5(pw) | — | Trivial to crack |
| SHA-256(pw) | — | Same — too fast |
| PBKDF2 | 2000 | Time-hard, NOT memory-hard — vulnerable to GPU/ASIC |
| bcrypt | 1999 | Time-hard, mildly memory-hard (4 KiB), still strong |
| scrypt | 2009 | Time + memory hard, but less tunable than Argon2 |
| Argon2id | 2015 | Modern default — recommended by OWASP, IETF (RFC 9106) |
Recommended Argon2id params (OWASP 2024): memory = 19 MiB, iterations = 2, parallelism = 1 (interactive logins); higher for high-value secrets.
Tip: Never store passwords with a plain hash. Use a maintained library (libsodium, argon2-cffi, Spring Security's Argon2PasswordEncoder) — implementing Argon2 by hand is a recipe for parameter mistakes.