User Rating 0.0 ★★★★★

Total Usage 0 times

Category Security

Password / Input Text

UTF-8 encoded. Any text or password.

Salt (Hex)

16-byte random hex. Auto-generated if empty.

Variant

Time Cost (t) Iterations: 1–16

Memory Cost (KiB) 256–65536 KiB

Parallelism (p) Lanes: 1–8

Hash Length (bytes) Output: 4–64 bytes

Salt Length (bytes)

Presets:

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

Argon2 is the winner of the 2015 Password Hashing Competition and is specified in RFC 9106. It is a memory-hard function designed to resist GPU and ASIC attacks by requiring a configurable amount of RAM per hash computation. Choosing weak parameters - low memory cost m or time cost t - directly reduces the cost an attacker pays to crack each password. This tool computes Argon2d, Argon2i, and Argon2id hashes entirely in your browser using a pure JavaScript implementation of the full algorithm including the Blake2b compression function. No data leaves your machine.

OWASP recommends Argon2id with a minimum memory cost of 19456 KiB (19 MiB) and time cost t ≥ 2. This tool defaults to those parameters. Note: computation time scales linearly with t and m. Very high memory values may cause the browser tab to run out of memory on devices with limited RAM. The parallelism parameter p defines logical lanes but does not multithread in this single-worker implementation; it still affects the output hash.

Formulas

Argon2 operates on a memory matrix B of q blocks, each 1024 bytes. The total block count is derived from the memory parameter:

q = m4 ⋅ p ⋅ 4 ⋅ p

The initial hash H₀ is computed via Blake2b over all input parameters concatenated:

H₀ = Blake2b(p || τ || m || t || v || type || password || salt || secret || ad)

Each block is filled using the compression function G, which is derived from the Blake2b round function applied to two 1024-byte inputs:

B[i][j] = G(B[i][j − 1], B[l][z])

After t passes, the final block is the XOR of the last block in each lane, then passed through variable-length Blake2b hash H′ to produce the τ-byte tag.

Tag = H′(B[0][q₀ − 1] ⊕ B[1][q₁ − 1] ⊕ … ⊕ B[p − 1][q_p−1 − 1])

Where p = parallelism (number of lanes), t = time cost (iterations), m = memory cost in KiB, τ = desired output hash length in bytes, v = version (0x13), type = variant identifier (0, 1, or 2), and ⊕ denotes bitwise XOR.

Reference Data

Parameter	Symbol	RFC 9106 Default	OWASP Minimum	High Security	Description
Variant	-	Argon2id	Argon2id	Argon2id	Hybrid of data-dependent and data-independent indexing
Time cost (iterations)	t	1	2	4	Number of passes over memory
Memory cost	m	2²¹ KiB	19456 KiB	65536 KiB	RAM in KiB allocated for the hash
Parallelism	p	4	1	4	Number of independent computational lanes
Hash length	τ	32 bytes	32 bytes	64 bytes	Length of the output digest
Salt length	-	16 bytes	16 bytes	32 bytes	Random nonce; must be unique per password
Block size	-	1024 bytes	-	-	Fixed internal block size
Argon2d	-	Type 0	Not recommended alone	-	Data-dependent indexing; vulnerable to side-channel attacks
Argon2i	-	Type 1	Not recommended alone	-	Data-independent indexing; weaker tradeoff resistance
Argon2id	-	Type 2	Recommended	Recommended	First pass half uses Argon2i, rest uses Argon2d
Max password length	-	2³² − 1 bytes	-	-	Practical limit; UTF-8 encoded
Encoded format	-	$argon2id$v=19$...	-	-	PHC string format for storage
Internal hash	-	Blake2b	-	-	Used for initial hashing and compression
Version	v	0x13 (19)	19	19	Current version identifier

Frequently Asked Questions

Use Argon2id. It combines the side-channel resistance of Argon2i (data-independent addressing in the first half of the first pass) with the stronger tradeoff resistance of Argon2d (data-dependent addressing for all other passes). RFC 9106 and OWASP both recommend Argon2id as the primary choice for password hashing.

Start with the OWASP baseline: memory m = 19456 KiB (19 MiB) and time t = 2. Then increase m until hashing takes approximately 0.5-1 second on your target hardware. If memory is constrained, increase t instead. The goal is to make each hash expensive enough that brute-force attacks become economically infeasible while keeping the user-facing latency acceptable.

Reusing a salt allows an attacker to build a single precomputed table (rainbow table) that cracks all passwords sharing that salt. Each password must have a unique, cryptographically random salt of at least 16 bytes. This tool generates a random salt by default using crypto.getRandomValues(), which is a CSPRNG.

No. The parallelism parameter p defines the number of independent memory lanes in the algorithm. A native implementation can process lanes concurrently on multiple CPU cores. This browser-based implementation runs in a single Web Worker thread, so lanes are computed sequentially. However, changing p changes the output hash because it alters the memory layout and block count calculation.

Bcrypt uses a fixed 4 KiB of RAM, making it vulnerable to massively parallel GPU attacks. PBKDF2 uses negligible memory and is even easier to parallelize on GPUs. Argon2 requires configurable, potentially large amounts of RAM per hash (e.g., 64 MiB), which makes each GPU core or ASIC lane far more expensive to equip with dedicated memory. This memory-hardness is Argon2's primary advantage.

The PHC string format is: $argon2id$v=19$m=19456,t=2,p=1$BASE64_SALT$BASE64_HASH. It encodes all parameters needed to verify a password. Store this complete string in your database. To verify, parse the parameters and salt from the string, re-hash the candidate password with the same parameters, and compare the resulting hash. This tool outputs the encoded string for direct storage use.

Yes. Each block is 1024 bytes. A memory cost of 65536 KiB (64 MiB) allocates roughly 64 million bytes in the Web Worker. On mobile devices with limited per-tab memory budgets (often 256 - 512 MiB), values above 131072 KiB may trigger an out-of-memory error. This tool caps memory at 65536 KiB for browser safety.