Argon2id: Secure Password Hashing

G5 Cyber Security

2 months ago

TL;DR

Argon2id is a modern password hashing algorithm that’s much stronger than older methods like bcrypt or scrypt. This guide shows you how to configure it correctly for maximum cyber security, balancing strength against performance.

Configuring Argon2id: A Step-by-Step Guide

Understand the Parameters

Time Cost (t): How many iterations of the algorithm to run. Higher = slower, more secure.
Memory Cost (m): The amount of RAM used in kilobytes. Higher = more secure, requires more server resources.
Parallelism (p): The number of parallel threads used. Usually matches your CPU core count.

Choose Sensible Defaults

Picking the right values is crucial. Here are recommended starting points:

Time Cost (t): 3
Memory Cost (m): 12288 KB (12MB) – This is a good balance for most systems.
Parallelism (p): 1 or the number of CPU cores, whichever is lower.

Implementation Examples

The exact implementation varies depending on your programming language and framework.

Python (using passlib)

from passlib.hash import argon2_id

hash = argon2_id.hash('mysecretpassword')
print(hash)

# Verify the password:
argon2_id.verify('mysecretpassword', hash)

PHP (using password_hash and password_verify)

$password = 'mysecretpassword';
$hash = password_hash($password, PASSWORD_ARGON2ID);
print($hash);

// Verify the password:
if (password_verify('mysecretpassword', $hash)) {
  echo "Password is correct!";
}

Node.js (using bcrypt – it supports Argon2id)

const bcrypt = require('bcrypt');

async function hashPassword(password) {
  const saltRounds = 10; // Equivalent to time cost, memory and parallelism.
  const hash = await bcrypt.hash(password, saltRounds);
  return hash;
}

hashPassword('mysecretpassword').then(hashedPassword => console.log(hashedPassword));

Note: The Node.js example uses `saltRounds` which is a combined parameter. Adjust this value based on your server’s capabilities.

Test Your Configuration

Use timing attacks to measure the hashing time. It should take around 0.5-1 second for reasonable parameters. If it’s much faster, increase ‘t’ or ‘m’.
Verify that password verification works correctly after a successful hash.

Storage Considerations

Store the Argon2id hash securely in your database.
Never store passwords in plain text!
Consider using a dedicated password manager library for added security features.

Regularly Review and Update

Cyber security threats evolve. Periodically review your Argon2id configuration to ensure it remains strong enough against current attacks.