Sharing notes from my ongoing learning journey — what I build, break and understand along the way.
Cryptography – Post 3: Discovering Argon2
Today I learned why even bcrypt — which I thought was solid — isn’t the end of the road for password hashing.
Argon2 takes it further, and for good reason.
Why Argon2?
I already knew plain SHA-256 was too fast for password hashing: a single guess costs a few nanoseconds, so an attacker can test billions of candidates per second. I learned that bcrypt fixes that with a tunable work factor and a per-password salt it generates automatically, which is great.
But modern attackers don't just use CPUs. They use GPUs, FPGAs and even ASIC hardware to run many hash instances in parallel. bcrypt only needs about 4 KB of working state per instance, so dedicated hardware can still pack thousands of them side by side.
Argon2 was designed to fight back by making every guess expensive in memory, not just in time.
What makes Argon2 special?
- It's the password hashing algorithm that won the Password Hashing Competition (PHC) in 2015
- It is memory-hard: each hash fills a large block of RAM and reads it back in a pseudo-random order, so the cost is memory bandwidth, not just CPU cycles
- It lets you tune three cost parameters:
  - memory cost: how many kibibytes of RAM one hash occupies
  - time cost: how many passes over that memory (iterations)
  - parallelism: how many lanes (threads) can work on one hash at once
That makes brute force expensive even with specialised hardware: a GPU or ASIC has to dedicate the full memory block to every guess it runs in parallel, which removes most of its advantage over a CPU.
Argon2id — the recommended variant
Argon2 has 3 variants:
- argon2d: the memory access pattern depends on the password, which makes it the strongest against GPU cracking but leaks information through cache timing, so it is unsuitable wherever an attacker can run code on the same host
- argon2i: the memory access pattern is independent of the password, so it is side-channel resistant, but it is somewhat weaker against time-memory trade-off attacks
- argon2id: a hybrid (data-independent for the first half of the first pass, data-dependent after that) that gets most of both properties; it is the variant recommended by RFC 9106 and OWASP, and the default in argon2-cffi
Using Argon2 in Python
It's surprisingly simple with the argon2-cffi library:
```python
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError  # raised on a wrong password

ph = PasswordHasher()             # defaults to argon2id with a random 16-byte salt
hashed = ph.hash("supersecret")   # encoded string: variant, version, parameters, salt, hash
ph.verify(hashed, "supersecret")  # returns True; a mismatch raises VerifyMismatchError
```
- Salt is automatic: a fresh random salt is generated on every call to hash()
- You don't need to store anything separately; the returned string is the only thing that goes in the database
- The encoded string carries the variant, version, parameters and salt, in the PHC format `$argon2id$v=19$m=<memory>,t=<time>,p=<parallelism>$<salt>$<hash>`, so verify() can reproduce the exact computation later
- Note that verify() does not return False on a wrong password; it raises VerifyMismatchError, so a login path has to catch it
Why I liked it:
- I get control: RAM, time, parallelism
- It’s built to handle modern attack techniques
- The code is readable, the design intentional
- And it feels like something designed for security, not just for developers