Argon2 Hash Generator
Generate Argon2id password hashes with configurable memory cost, time cost, and parallelism.
- Home
- > Hash & Security >
- Argon2 Hash Generator
Argon2 is the winner of the Password Hashing Competition (2015) and the OWASP-recommended algorithm for password storage. It is designed to be resistant to GPU and ASIC-based brute-force attacks.
What is Argon2?
Argon2 is a memory-hard password hashing function that won the Password Hashing Competition in 2015. It was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg. Argon2 is standardized as RFC 9106 and is recommended by OWASP as the primary password hashing algorithm.
There are three Argon2 variants:
- Argon2d — Data-dependent memory access. Optimized for resistance against GPU and ASIC attacks. Suitable for cryptocurrencies and systems with no threat of side-channel attacks.
- Argon2i — Data-independent memory access. Optimized for resistance against side-channel attacks. Suitable for password hashing and key derivation.
- Argon2id (recommended) — Hybrid mode. Uses Argon2i for the first half of the first pass and Argon2d for the rest. Provides the best of both worlds — side-channel resistance and GPU/ASIC resistance.
Argon2id Hash Format
$argon2id$v=19$m=65536,t=4,p=2$bHc5VnpWLzlLSzFFcU9KQQ$GpHak5rWbGkzER1MBcN5GUhG4RWd0Lle1HqHoXHl8sA
$argon2id$— Algorithm variantv=19— Version (0x13 = 19)m=65536,t=4,p=2— Memory (KiB), time cost, parallelism- Next — Base64-encoded salt (16 bytes)
- Last — Base64-encoded hash (variable length)
Argon2 vs Bcrypt
| Feature | Argon2id | Bcrypt |
|---|---|---|
| Memory-hard | Yes — configurable memory cost | Limited — fixed ~4 KB |
| Parallelism | Configurable threads | Single-thread only |
| GPU/ASIC resistance | Strong (memory-hard) | Good (salt + cost) |
| Side-channel resistance | Yes (Argon2id hybrid) | Partial |
| Max password length | Unlimited | 72 bytes |
| Output hash length | Variable (default 32 bytes) | Fixed 60 chars |
| Algorithm age | 2015 (winner of PHC) | 1999 |
| OWASP recommendation | Primary | Secondary |
How to Use This Argon2 Generator
- Enter a password — Type or paste the password you want to hash.
- Set memory cost — Higher values require more RAM. Default is 64 MB (65,536 KiB).
- Set time cost — Number of iterations. Default is 4.
- Set parallelism — Number of threads. Default is 2.
- Click "Generate Argon2 Hash" — The server computes the hash using PHP's
password_hash()withPASSWORD_ARGON2ID. - Copy the hash — Use the copy button to save the hash.
Frequently Asked Questions
Which Argon2 variant does PHP use?
PHP's password_hash() with PASSWORD_ARGON2ID uses the Argon2id variant, which is the most secure and recommended variant. It combines the side-channel resistance of Argon2i with the GPU/ASIC resistance of Argon2d.
What are recommended Argon2id parameters?
OWASP recommends the following minimums: memory cost = 19 MiB (19,456 KiB), time cost = 2, parallelism = 1. For production, start with the defaults (m=65536, t=4, p=2) and benchmark to find the maximum values that keep hash time under 500 ms on your server hardware.
Can I use Argon2 in Laravel?
Yes. Laravel uses bcrypt by default, but you can switch to Argon2 by setting 'driver' => 'argon2id' in config/hashing.php. This requires the PHP sodium extension (bundled with PHP 8.0+).
Is Argon2 backward compatible?
Yes. You can add Argon2 support to an existing system without breaking existing passwords. When verifying, use password_verify() which automatically detects the algorithm used to create the hash. You can then rehash old bcrypt hashes to Argon2 upon successful login using password_needs_rehash().
Why is Argon2 slow on this server?
Argon2 is designed to be intentionally slow and memory-hungry. The default parameters (64 MB memory, 4 iterations) require significant processing time, especially on shared hosting. This is a feature, not a bug — the same slowness that affects legitimate users also affects attackers trying to brute-force stolen hashes.
