Argon2Hash()
Generates an Argon2 password hash with OWASP-recommended defaults (argon2id, 19 MB memory, 2 iterations). Use this instead of the deprecated GenerateArgon2Hash().
Requires Extension: Crypto Extension
Argon2Hash( input=string, variant=string, parallelismFactor=numeric, memoryCost=numeric, iterations=numeric );
Returns: String
| Argument | Description | Default |
|---|---|---|
|
input
string,
required
|
edit
Password to hash |
|
|
variant
string,
optional
|
edit
Argon2 variant: argon2i, argon2d, or argon2id |
argon2id |
|
parallelismFactor
numeric,
optional
|
edit
Parallelism factor (1-10) |
1 |
|
memoryCost
numeric,
optional
|
edit
Memory cost in KB (8-100000). OWASP recommends 19456 (19 MB). |
19456 |
|
iterations
numeric,
optional
|
edit
Number of iterations (1-20) |
2 |
Usage Notes
editArgon2 is the recommended password hashing algorithm for new applications. It won the Password Hashing Competition in 2015 and is recommended by OWASP.
Which variant? Use the default argon2id — it combines side-channel resistance (from argon2i) with GPU/ASIC resistance (from argon2d). Only use argon2i or argon2d if you have specific requirements.
Choosing parameters: The defaults (19 MB memory, 2 iterations, parallelism 1) follow OWASP recommendations. Increase memory cost first, then iterations. The goal is to make hashing take around 0.5–1 second on your hardware.
Why not BCrypt or SCrypt? Argon2 is newer and has tuneable memory-hardness. BCrypt has a 72-byte password limit and no memory-hardness. SCrypt is memory-hard but harder to tune correctly. If you need compatibility with Adobe ColdFusion, use BCryptHash() instead.
Replaces the deprecated GenerateArgon2Hash(), which uses weaker defaults for backwards compatibility.
Examples
edit// Argon2Hash uses OWASP-recommended defaults: argon2id, 19 MB memory, 2 iterations
// This is the recommended password hashing function for new applications
hash = Argon2Hash( "my-secret-password" );
// Output is in PHC format: $argon2id$v=19$m=19456,t=2,p=1$salt$hash
// Like BCrypt, each call produces a different hash due to random salting
hash1 = Argon2Hash( "password" );
hash2 = Argon2Hash( "password" );
// hash1 != hash2
// Verify with Argon2Verify()
isValid = Argon2Verify( "my-secret-password", hash ); // true
// Custom parameters: variant, parallelism, memoryCost (KB), iterations
// argon2id is recommended - it combines side-channel resistance (argon2i)
// with GPU resistance (argon2d)
hash = Argon2Hash( "password", "argon2id", 2, 19456, 2 );
// Other variants are available if you have specific requirements
hashI = Argon2Hash( "password", "argon2i", 1, 8192, 2 );
hashD = Argon2Hash( "password", "argon2d", 1, 8192, 2 );
See also
- Cryptography
- Argon2CheckHash()
- Argon2Verify()
- GenerateArgon2Hash()
- VerifyArgon2Hash()
- Search Issue Tracker open_in_new
- Search Lucee Test Cases open_in_new (good for further, detailed examples)