Argon2 is a memory-hard password hashing and key derivation function that won the Password Hashing Competition in 2015. Argon2 is more secure than other key derivation algorithms such as scrypt, bcrypt, and PBKDF2 when configured correctly.
However, Argon2 is more resource hungry compared to algorithms like PBKDF2, which can run with very little memory. This is why many password managers such as Bitwarden still use PBKDF2 despite it being considerably less secure against GPU and ASIC attacks.
Argon2 has three modes:
- Argon2d maximises resistance to GPU cracking attacks but can be vulnerable to side-channel attacks.
- Argon2i maximises resistance to side-channel attacks but is weaker against time-memory-trade-off (TMTO) attacks.
- Finally, Argon2id is the recommended mode for most applications and follows Argon2i for the first half pass over memory and then uses the Argon2d approach for other passes over memory. Argon2id is resistant to timing attacks and has side-channel attack resistance due to the use of Argon2i.
The Internet Draft recommends using Argon2id with as much memory as possible (a high memory size), one pass over memory (one iteration), and a parallelism of twice the number of CPU cores. For details about the Argon2 parameters, please read the Key Derivation documentation.
- Developed by: Alex Biryukov, Daniel Dinu, and Dmitry Khovratovichn
- First published: 2014-2015 (Password Hashing Competition)
- Best attack: There have been no published attacks for Argon2id and Argon2d. However, there have been two published attacks on Argon2i, which have demonstrated that this mode requires multiple passes over memory (more than 10 passes) to be secure. (Source)
BLAKE2 is a cryptographic hash function that is faster than SHA2 and SHA3 whilst providing at least the same security as SHA3. BLAKE2 also supports keyed hashing and can be used as a MAC (message authentication code). BLAKE2 is used in Argon2 and a variety of protocols such as WireGuard.
There are two main BLAKE2 modes:
- BLAKE2b is optimized for 64-bit platforms and produces hashes of 1-64 bytes in length. BLAKE2b has 12 rounds.
- BLAKE2s is designed for 8-32-bit platforms and produces hashes of 1-32 bytes in length. BLAKE2s has 10 rounds.
BLAKE2b is the most common mode in software. There are also several other BLAKE2 variants such as BLAKE2bp, BLAKE2sp, BLAKE2x as explained here.
- Developed by: Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein
- First published: 2012
- Best attacks: Pseudo-preimage attacks on 7.5 rounds of Blake2b with 2^510.3 operations. Boomerang distinguishers for 8.5 rounds of Blake2b with complexity 2^474. Both are impractical attacks. (Source)