Skip to content

Choosing the password hashing library

Jump to bottom Edit New page
David Whitlock edited this page Feb 15, 2019 · 1 revision

Argon2 is currently considered to be the strongest password hashing function, and it is the one we recommend.

Bcrypt and Pbkdf2 are viable alternatives, but they are less resistant, than Argon2, to attacks using GPUs or dedicated hardware.

Argon2

Argon2 is the winner of the Password Hashing Competition (PHC).

Argon2 is a memory-hard password hashing function which can be used to hash passwords for credential storage, key derivation, or other applications.

Being memory-hard means that it is not only computationally expensive, but it also uses a lot of memory (which can be configured). This means that it is much more difficult to attack Argon2 hashes using GPUs or dedicated hardware.

More information is available at the Argon2 reference C implementation repository

Bcrypt

Bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazières. Bcrypt is an adaptive function, which means that it can be configured to remain slow and resistant to brute-force attacks even as computational power increases.

Bcrypt has no known vulnerabilities and has been widely tested for over 15 years. However, as it has a low memory use, it is susceptible to GPU cracking attacks.

Bcrypt versions

This version of Bcrypt is based on the OpenBSD version, and it supports the '2b' (the newer, recommended version) and '2a' prefixes. It does not support the '2y' prefix, which is used by the Openwall version of Bcrypt. However, Bcrypt hashes with the '2y' prefix are meant to be fully compatible with the OpenBSD '2b' prefixed hashes, and so you should be able to change the prefix and then use them with Comeonin / Bcrypt_elixir. More information can be found here.

Pbkdf2

Pbkdf2 is a password-based key derivation function that uses a password, a variable-length salt and an iteration count and applies a pseudorandom function to these to produce a key.

Pbkdf2 has no known vulnerabilities and has been widely tested for over 15 years. However, like Bcrypt, as it has a low memory use, it is susceptible to GPU cracking attacks.

The original implementation of Pbkdf2 used SHA-1 as the pseudorandom function, but this version uses HMAC-SHA-512, the default, or HMAC-SHA-256.

Pbkdf2 output format

The modular crypt format is the default output. Also supported are the output format that Django uses, as well as hex output.

Add a custom footer
Add a custom sidebar
Clone this wiki locally