argon2

Hash passwords using the Argon2 algorithm

TLDR

Hash a password

$ echo -n "password" | argon2 [salt] -e

Hash with Argon2id variant

$ echo -n "password" | argon2 [salt] -id -e

Hash with custom parameters

$ echo -n "password" | argon2 [salt] -t [3] -m [16] -p [4] -e

Output raw bytes instead of encoded form

$ echo -n "password" | argon2 [salt] -r

Pin to Argon2 version 13 (current standard)

$ echo -n "password" | argon2 [salt] -v [13] -e

SYNOPSIS

argon2 salt [-d|-i|-id] [-t iterations] [-m memory] [-p parallelism] [-l length] [-e|-r] [-v 10|13]

argon2 is a command-line tool for the Argon2 password hashing algorithm, winner of the Password Hashing Competition in 2015. It provides strong, memory-hard password hashing resistant to GPU and ASIC attacks.The tool supports Argon2d (data-dependent), Argon2i (data-independent), and Argon2id (hybrid) variants.

PARAMETERS

-d

Use Argon2d (data-dependent, GPU-resistant). Default is Argon2i.

-i

Use Argon2i (data-independent, side-channel resistant). This is the default if no variant flag is given.

-id

Use Argon2id (hybrid; recommended for password hashing).

-t N

Time cost (iterations). Default: 3.

-m N

Memory cost expressed as 2^N KiB. Default: 12 (4 MiB).

-p N

Parallelism (threads). Default: 1.

-l N

Output hash length in bytes. Default: 32.

-e

Print only the encoded hash (PHC string format).

-r

Print only the raw hash bytes.

-v 10|13

Argon2 algorithm version. Default: 13.

-h

Display tool usage and exit.

CAVEATS

Salt must be provided as a positional argument and should be at least 8 random bytes. Higher memory/time costs improve security but increase computation time. Argon2id is recommended for password hashing. The CLI hashes only — there is no built-in verification mode; verify hashes from a library that understands the PHC-encoded output.

HISTORY

Argon2 was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich, winning the Password Hashing Competition in 2015. It's recommended by OWASP for password hashing.