Bcrypt and Argon 2, well Argon2i to be accurate (there are five variants which each tackle different use cases), are currently the best options for hashing passwords.
Bcrypt is the time-tested solution, while Argon 2 was the winner of the password hashing competition a few years ago and is relatively new, meaning that the cryptographic community has had less time to analyse its flaws and it's less portable across languages / platforms due to people having had less time to write implementations for it.
The advantages of Argon 2 are that, unlike Bcrypt, there isn't a limit on the number of characters you can have in a password (around 50 bytes for bcrypt; depending on the language, a character might take up one or more bytes, up to a surprisingly high number in some) and it has higher memory requirements, so it's supposedly harder to crack with GPUs and what-not (although the memory requirements tend to be brought down on production webservers to save resources).
For Argon 2, the number of threads, amount of memory, iterations, etc. can be tweaked independently of each other, while with bcrypt you get a single number which you set as the "cost", making scaling the requirements when you have surplus resources in an area more difficult.
Plus, Argon 2 is also supposed to deal with certain types of side channels, etc., if I recall, which should make it tougher in some areas.
As for the one which has the cooler name, it would have to be Argon 2 lol
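Added example, not part of the post above: the operational side of "the parameters can be tweaked independently" is that a stored hash has to carry its own parameters, so old hashes keep verifying after the policy changes and get upgraded on the next successful login. Python's standard library ships neither bcrypt nor Argon2, so this example uses `hashlib.scrypt` (another memory-hard KDF with separate memory, block-size and parallelism knobs) as a stand-in; the `CURRENT_PARAMS` policy, the `$scrypt$...` string layout and the sample passwords are all constructed for illustration. An Argon2 deployment would apply the same verify-then-rehash pattern with its time_cost, memory_cost and parallelism values.

```python
import base64
import hashlib
import hmac
import math
import os

# Constructed policy: the parameters new hashes are created with. scrypt's
# memory use is roughly 128 * r * n bytes, so n=2**14, r=8 is about 16 MiB.
# (For Argon2 the analogous knobs are time_cost, memory_cost and parallelism.)
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _derive(password: str, salt: bytes, params: dict) -> bytes:
    # maxmem is derived from the parameters so a larger policy is not rejected
    # by hashlib's default ceiling; 256*r*n leaves headroom over the 128*r*n need.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=params["n"], r=params["r"], p=params["p"],
                          maxmem=256 * params["r"] * params["n"] + 2 ** 20,
                          dklen=32)


def hash_password(password: str, params: dict = None, salt: bytes = None) -> str:
    """Return a PHC-style string that carries its own parameters and salt."""
    params = params or CURRENT_PARAMS
    salt = os.urandom(16) if salt is None else salt
    key = _derive(password, salt, params)
    return "$scrypt$ln={},r={},p={}${}${}".format(
        int(math.log2(params["n"])), params["r"], params["p"],
        _b64(salt), _b64(key))


def _parse(stored: str):
    _, scheme, param_str, salt_b64, key_b64 = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme")
    kv = dict(item.split("=") for item in param_str.split(","))
    params = {"n": 2 ** int(kv["ln"]), "r": int(kv["r"]), "p": int(kv["p"])}
    return params, _unb64(salt_b64), _unb64(key_b64)


def verify_password(password: str, stored: str) -> bool:
    """Verify with the parameters stored in the hash, not the current policy."""
    params, salt, key = _parse(stored)
    return hmac.compare_digest(_derive(password, salt, params), key)


def needs_rehash(stored: str) -> bool:
    """True when the hash was made under a policy other than CURRENT_PARAMS."""
    params, _, _ = _parse(stored)
    return params != CURRENT_PARAMS


def login(password: str, stored: str) -> tuple:
    """Return (ok, stored_hash). A hash made under an older policy is upgraded
    on a successful login, the only moment the plaintext is available."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed scenario: a hash created under a weaker, older policy.
    old_policy = {"n": 2 ** 12, "r": 8, "p": 1}
    stored = hash_password("correct horse battery staple", params=old_policy)
    print("needs rehash before login:", needs_rehash(stored))
    ok, stored = login("correct horse battery staple", stored)
    print("login ok:", ok, "| needs rehash after login:", needs_rehash(stored))
    print("wrong password accepted:", login("wrong", stored)[0])
```

Because the parameters live inside the stored string, the policy can be raised or lowered (as the post notes happens on production web servers) without invalidating existing accounts; `needs_rehash` is the check that drives the gradual migration.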