AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Generate Argon2id password hashes with configurable memory cost, time cost, and parallelism.
Argon2 is the winner of the Password Hashing Competition (2015) and the OWASP-recommended algorithm for password storage. It is designed to be resistant to GPU and ASIC-based brute-force attacks.
Argon2 is a memory-hard password hashing function that won the Password Hashing Competition in 2015. It was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg. Argon2 is standardized as RFC 9106 and is recommended by OWASP as the primary password hashing algorithm.
There are three Argon2 variants:
$argon2id$v=19$m=65536,t=4,p=2$bHc5VnpWLzlLSzFFcU9KQQ$GpHak5rWbGkzER1MBcN5GUhG4RWd0Lle1HqHoXHl8sA
$argon2id$ — Algorithm variantv=19 — Version (0x13 = 19)m=65536,t=4,p=2 — Memory (KiB), time cost, parallelism| Feature | Argon2id | Bcrypt |
|---|---|---|
| Memory-hard | Yes — configurable memory cost | Limited — fixed ~4 KB |
| Parallelism | Configurable threads | Single-thread only |
| GPU/ASIC resistance | Strong (memory-hard) | Good (salt + cost) |
| Side-channel resistance | Yes (Argon2id hybrid) | Partial |
| Max password length | Unlimited | 72 bytes |
| Output hash length | Variable (default 32 bytes) | Fixed 60 chars |
| Algorithm age | 2015 (winner of PHC) | 1999 |
| OWASP recommendation | Primary | Secondary |
password_hash() with PASSWORD_ARGON2ID.PHP's password_hash() with PASSWORD_ARGON2ID uses the Argon2id variant, which is the most secure and recommended variant. It combines the side-channel resistance of Argon2i with the GPU/ASIC resistance of Argon2d.
OWASP recommends the following minimums: memory cost = 19 MiB (19,456 KiB), time cost = 2, parallelism = 1. For production, start with the defaults (m=65536, t=4, p=2) and benchmark to find the maximum values that keep hash time under 500 ms on your server hardware.
Yes. Laravel uses bcrypt by default, but you can switch to Argon2 by setting 'driver' => 'argon2id' in config/hashing.php. This requires the PHP sodium extension (bundled with PHP 8.0+).
Yes. You can add Argon2 support to an existing system without breaking existing passwords. When verifying, use password_verify() which automatically detects the algorithm used to create the hash. You can then rehash old bcrypt hashes to Argon2 upon successful login using password_needs_rehash().
Argon2 is designed to be intentionally slow and memory-hungry. The default parameters (64 MB memory, 4 iterations) require significant processing time, especially on shared hosting. This is a feature, not a bug — the same slowness that affects legitimate users also affects attackers trying to brute-force stolen hashes.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026