{
    "slug": "argon2",
    "term": "Argon2 Password Hashing",
    "category": "security",
    "difficulty": "intermediate",
    "short": "The Password Hashing Competition winner (2015) — a memory-hard algorithm that resists GPU and ASIC brute-force attacks better than bcrypt.",
    "long": "Argon2 comes in three variants: Argon2d (GPU resistance), Argon2i (side-channel resistance), and Argon2id (recommended — hybrid of both). It has three tunable cost parameters: memory (in KiB), time (iterations), and parallelism (threads), making it far more flexible than bcrypt's single cost factor. In PHP 7.2+, use PASSWORD_ARGON2ID with password_hash(). The OWASP recommendation is Argon2id with at least 19 MiB memory, 2 iterations, and 1 parallelism thread as a minimum configuration.",
    "aliases": [
        "Argon2id",
        "Argon2i",
        "memory-hard hashing"
    ],
    "tags": [
        "cryptography",
        "passwords",
        "php8"
    ],
    "misconception": "Any Argon2 variant is equally secure. Argon2i is vulnerable to GPU cracking; Argon2d is vulnerable to side-channel attacks. Use Argon2id for password hashing — it combines protections from both.",
    "why_it_matters": "Argon2 is deliberately memory-hard, meaning GPU and ASIC attacks that crack bcrypt in seconds still take days — it sets the current gold standard for password storage.",
    "common_mistakes": [
        "Using PASSWORD_DEFAULT in password_hash() without realising that it may not select Argon2 on older PHP.",
        "Setting memory cost too low (less than 65536 KiB) and negating the memory-hardness benefit.",
        "Comparing hashes with === instead of password_verify(), which bypasses the timing-safe comparison.",
        "Storing the raw hash output without the algorithm prefix, losing upgrade path information."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "bcrypt",
        "salted_hash",
        "password_hash",
        "password_verify"
    ],
    "prerequisites": [
        "bcrypt",
        "password_hash",
        "key_derivation_functions"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.password-hash.php",
        "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
    ],
    "bad_code": "password_hash($pwd, PASSWORD_BCRYPT); // bcrypt fine but Argon2id preferred",
    "good_code": "password_hash($pwd, PASSWORD_ARGON2ID, ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]);",
    "quick_fix": "Use PASSWORD_ARGON2ID as the algorithm in password_hash() — it is memory-hard, making GPU brute force impractical even for attackers with dedicated hardware",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/argon2",
        "html_url": "https://codeclaritylab.com/glossary/argon2",
        "json_url": "https://codeclaritylab.com/glossary/argon2.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Argon2 Password Hashing](https://codeclaritylab.com/glossary/argon2) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/argon2"
            }
        }
    }
}