# Argon2Hash()

Generates an Argon2 password hash with OWASP-recommended defaults (argon2id, 19 MB memory, 2 iterations). Use this instead of the deprecated GenerateArgon2Hash().

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
Argon2Hash( input=string, variant=string, parallelismFactor=numeric, memoryCost=numeric, iterations=numeric );
```

**Returns:** string

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| input | string | Yes | Password to hash |  |
| variant | string | No | Argon2 variant: argon2i, argon2d, or argon2id | argon2id |
| parallelismFactor | numeric | No | Parallelism factor (1-10) | 1 |
| memoryCost | numeric | No | Memory cost in KB (8-100000). OWASP recommends 19456 (19 MB). | 19456 |
| iterations | numeric | No | Number of iterations (1-20) | 2 |

# Usage Notes

Argon2 is the recommended password hashing algorithm for new applications. It won the Password Hashing Competition in 2015 and is recommended by OWASP.

**Which variant?** Use the default `argon2id` — it combines side-channel resistance (from argon2i) with GPU/ASIC resistance (from argon2d). Only use `argon2i` or `argon2d` if you have specific requirements.

**Choosing parameters:** The defaults (19 MB memory, 2 iterations, parallelism 1) follow OWASP recommendations. Increase memory cost first, then iterations. The goal is to make hashing take around 0.5–1 second on your hardware.

**Why not BCrypt or SCrypt?** Argon2 is newer and has tuneable memory-hardness. BCrypt has a 72-byte password limit and no memory-hardness. SCrypt is memory-hard but harder to tune correctly. If you need compatibility with Adobe ColdFusion, use [BCryptHash()](bcrypthash.md) instead.

Replaces the deprecated [GenerateArgon2Hash()](generateargon2hash.md), which uses weaker defaults for backwards compatibility.

# Examples

```cfml
// Argon2Hash uses OWASP-recommended defaults: argon2id, 19 MB memory, 2 iterations
// This is the recommended password hashing function for new applications
hash = Argon2Hash( "my-secret-password" );
// Output is in PHC format: $argon2id$v=19$m=19456,t=2,p=1$salt$hash

// Like BCrypt, each call produces a different hash due to random salting
hash1 = Argon2Hash( "password" );
hash2 = Argon2Hash( "password" );
// hash1 != hash2

// Verify with Argon2Verify()
isValid = Argon2Verify( "my-secret-password", hash ); // true

// Custom parameters: variant, parallelism, memoryCost (KB), iterations
// argon2id is recommended - it combines side-channel resistance (argon2i)
// with GPU resistance (argon2d)
hash = Argon2Hash( "password", "argon2id", 2, 19456, 2 );

// Other variants are available if you have specific requirements
hashI = Argon2Hash( "password", "argon2i", 1, 8192, 2 );
hashD = Argon2Hash( "password", "argon2d", 1, 8192, 2 );
```







# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[Argon2CheckHash()](argon2checkhash.md), [Argon2Verify()](argon2verify.md), [GenerateArgon2Hash()](generateargon2hash.md), [VerifyArgon2Hash()](verifyargon2hash.md)