Argon2Verify()

Verifies a password against an Argon2 hash. Use this instead of the deprecated Argon2CheckHash() / VerifyArgon2Hash().

Requires Extension: Crypto Extension

Argon2Verify( input=string, hash=string, throwOnError=boolean );

Returns: Boolean

| Argument | Description | Default |
|---|---|---|
| input (string, required) | Password to verify | |
| hash (string, required) | Argon2 hash to check against | |
| throwOnError (boolean, optional) | If true, throws an exception on invalid hash format instead of returning false | false |

Usage Notes

The hash encodes which variant and parameters were used, so you don't need to specify them when verifying. This means you can upgrade your hashing parameters over time without breaking existing stored hashes.

By default, invalid or malformed hashes return false. Pass throwOnError=true if you want an exception instead — useful for catching data corruption. A wrong password always returns false regardless of this setting.

Replaces the deprecated Argon2CheckHash() and VerifyArgon2Hash().

Examples

// Hash a password at registration time
hash = Argon2Hash( "user-password" );
// Store 'hash' in your database

// At login, verify the password against the stored hash
isValid = Argon2Verify( "user-password", hash ); // true
isWrong = Argon2Verify( "wrong-password", hash ); // false

// Argon2Verify works with all three variants (argon2i, argon2d, argon2id)
// The variant is encoded in the hash, so you don't need to specify it
hashI = Argon2Hash( "password", "argon2i", 1, 8192, 1 );
hashD = Argon2Hash( "password", "argon2d", 1, 8192, 1 );
Argon2Verify( "password", hashI ); // true
Argon2Verify( "password", hashD ); // true

// Invalid hashes return false by default
result = Argon2Verify( "password", "not-a-valid-hash" ); // false

// Pass throwOnError=true to get an exception on invalid hashes
// Note: a wrong password still returns false, only malformed hashes throw
try {
    Argon2Verify( "password", "not-a-valid-hash", true );
} catch ( e ) {
    // handle the error
}
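
The usage notes say the hash carries its own variant and parameters and that throwOnError separates a malformed hash from a wrong password. The following added example (not part of the Lucee documentation) combines both into a login check that flags corrupt records and hashes below a minimum policy. The names argon2Params, needsRehash, checkLogin and the policy values are hypothetical, and the code assumes the stored hash uses the standard Argon2 encoded layout `$argon2id$v=19$m=...,t=...,p=...$salt$digest`.

```cfml
// Added example. Assumes the standard Argon2 encoded string:
//   $argon2id$v=19$m=65536,t=3,p=1$<salt>$<digest>
// (older encodings omit the v= field, giving 4 parts instead of 5)
function argon2Params( required string encoded ) {
    var parts = listToArray( encoded, "$" );
    var n = arrayLen( parts );
    if ( ( n != 4 && n != 5 ) || !reFind( "^argon2(id|i|d)$", parts[ 1 ] ) ) {
        throw( type="InvalidArgon2Hash", message="Not an Argon2 encoded hash" );
    }
    // m = memory in KiB, t = iterations, p = parallelism
    var out = { variant: parts[ 1 ], m: 0, t: 0, p: 0 };
    for ( var kv in listToArray( parts[ n - 2 ], "," ) ) {
        out[ listFirst( kv, "=" ) ] = val( listLast( kv, "=" ) );
    }
    return out;
}

// True when the stored hash is weaker than the current minimum policy
function needsRehash( required string encoded, required struct policy ) {
    var p = argon2Params( encoded );
    return p.variant != policy.variant
        || p.m < policy.m || p.t < policy.t || p.p < policy.p;
}

function checkLogin( required string password, required string storedHash, required struct policy ) {
    var result = { ok: false, corrupt: false, rehash: false };
    try {
        // throwOnError=true: only a malformed hash throws, a wrong password returns false
        result.ok = Argon2Verify( password, storedHash, true );
    } catch ( any e ) {
        // Stored value is not a valid hash: deny the login and flag the record
        result.corrupt = true;
        return result;
    }
    if ( result.ok ) {
        result.rehash = needsRehash( storedHash, policy );
    }
    return result;
}

// Constructed policy values for illustration; tune them for your hardware
policy = { variant: "argon2id", m: 65536, t: 3, p: 1 };
hash = Argon2Hash( "user-password" );
r = checkLogin( "user-password", hash, policy );
// r.ok      -> allow the login
// r.rehash  -> re-hash the password with your current parameters and store it
// r.corrupt -> log and investigate the stored record
```

Re-hashing is only possible at this point because the plaintext password is available after a successful verify; the old hash keeps working until the user next logs in.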
