Password Hashing Competition and our recommendation for hashing passwords: Argon2





PHC ran from 2013 to 2015 as an open competition—the same kind of process as NIST's AES and SHA-3 competitions, and the most effective way to develop a crypto standard. We received 24 candidates, including many excellent designs, and selected one winner,



We recommend that use you use Argon2 rather than legacy algorithms. You'll find the specifications and reference code just below.



Password hashing is everywhere, from web services' credentials storage to mobile and desktop authentication or disk encryption systems. Yet there wasn't an established standard to fulfill the needs of modern applications and to best protect against attackers. We started the Password Hashing Competition (PHC) to solve this problem.PHC ran from 2013 to 2015 as an open competition—the same kind of process as NIST's AES and SHA-3 competitions, and the most effective way to develop a crypto standard. We received 24 candidates, including many excellent designs, and selected one winner, Argon2 , an algorithm designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.We recommend that use you use Argon2 rather than legacy algorithms. You'll find the specifications and reference code just below.

Argon2 GitHub repo containing the specs and code (latest release)

Specifications PDF, including rationale and analysis The reference code is C89-compliant C, licensed under



There are two main versions of Argon2, Argon2i and Argon2d. Argon2i is the safest against side-channel attacks, while Argon2d provides the highest resistance against GPU cracking attacks.



Argon2i and Argon2d are parametrized by A time cost, which defines the execution time

cost, which defines the execution time A memory cost, which defines the memory usage

cost, which defines the memory usage A parallelism degree, which defines the number of threads See the



Bindings are available for most languages. The reference code is C89-compliant C, licensed under CC0 , a.k.a. public domain. It should compile on x86 and x86_64 architectures, as well as most ARM architectures (except for the code optimized for x86 and x86_64). It should compile on Linux, OS X, and Windows OS', as well as MinGW environments.There are two main versions of Argon2, Argon2i and Argon2d. Argon2i is the safest against side-channel attacks, while Argon2d provides the highest resistance against GPU cracking attacks.Argon2i and Argon2d are parametrized bySee the README for detailed instructions. You can try Argon2 online on argon2.online Bindings are available for most languages.

PHC The Password Hashing Competition (PHC) was initiated by Jean-Philippe Aumasson in fall 2012, and organized thanks to a panel joined by Tony Arcieri (@bascule, Square) Dmitry Chestnykh (@dchest, Coding Robots), Jeremi Gosney (@jmgosney, Stricture Consulting Group), Russell Graves (@bitweasil, Cryptohaze), Matthew Green (@matthew_d_green, Johns Hopkins University), Peter Gutmann (University of Auckland), Pascal Junod (@cryptopathe, HEIG-VD), Poul-Henning Kamp (FreeBSD), Stefan Lucks (Bauhaus-Universität Weimar), Samuel Neves (@sevenps, University of Coimbra), Colin Percival (@cperciva, Tarsnap), Alexander Peslyak (@solardiz, Openwall), Marsh Ray (@marshray, Microsoft), Jens Steube (@hashcat, Hashcat project), Steve Thomas (@Sc00bzT, TobTu), Meltem Sonmez Turan (NIST), Zooko Wilcox-O'Hearn (@zooko, Least Authority Enterprises), Christian Winnerlein (@codesinchaos, Pactas), Elias Yarrkov (@yarrkov).



In Q1 2013 we published the Catena, for its agile framework approach and side-channel resistance (Catena-v5.tar.gz)

Lyra2, for its elegant sponge-based design, and alternative approach to side-channel resistance (Lyra2-v3.tar.gz)

Makwa, for its unique delegation feature and its factoring-based security (Makwa-v1.tar.gz)

yescrypt, for its rich feature set and easy upgrade path from scrypt (yescrypt-v2.tar.gz) The Password Hashing Competition (PHC) was initiated by Jean-Philippe Aumasson in fall 2012, and organized thanks to a panel joined by Tony Arcieri (@bascule, Square) Dmitry Chestnykh (@dchest, Coding Robots), Jeremi Gosney (@jmgosney, Stricture Consulting Group), Russell Graves (@bitweasil, Cryptohaze), Matthew Green (@matthew_d_green, Johns Hopkins University), Peter Gutmann (University of Auckland), Pascal Junod (@cryptopathe, HEIG-VD), Poul-Henning Kamp (FreeBSD), Stefan Lucks (Bauhaus-Universität Weimar), Samuel Neves (@sevenps, University of Coimbra), Colin Percival (@cperciva, Tarsnap), Alexander Peslyak (@solardiz, Openwall), Marsh Ray (@marshray, Microsoft), Jens Steube (@hashcat, Hashcat project), Steve Thomas (@Sc00bzT, TobTu), Meltem Sonmez Turan (NIST), Zooko Wilcox-O'Hearn (@zooko, Least Authority Enterprises), Christian Winnerlein (@codesinchaos, Pactas), Elias Yarrkov (@yarrkov).In Q1 2013 we published the call for submissions , and by the deadline on March 31, 2014 we had received 24 submissions . In December 2014 we shortlisted 9 finalists and published a short report . In July 2015 we announced Argon2 as a winner and gave special recognition to four of the finalists: