Salted Password Hashing with Argon2, Scrypt, Bcrypt, and PBKDF2
If you are unfamiliar with cryptography concepts or the vocabulary it uses, or especially you are looking for guidance on “password encryption”, please read this page first.
We’ve previously said that even security advice should carry an expiration date. So unlike most of our past blog posts, this page should be considered a living document: As requirements change and new attacks are discovered, we will update it accordingly.
Semantic point: Don’t store the password, store a hash of the password. (Obligatory.)
Modern, Secure, Salted Password Hashing Made Simple
The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application. How can you safely implement this feature?
Easiest Solution: Use libsodium, which provides a secure password hashing API in most languages. As of version 1.0.8 it uses the scrypt algorithm, but in the next release (1.0.9) it will also offer Argon2, the most recent, carefully-selected algorithm from the Password Hashing Competition. Libsodium offers bindings for most programming languages.
Note: There is a published attack on Argon2i, the recommended variant of Argon2 for general purpose password hashing. The practical implications aren’t severe, but it may lead to a new variant (“Argon2x” perhaps, since it would presumably use XOR instead of overwriting memory to mitigate these attacks) being christened and recommended.
If you, for whatever reason, cannot reconcile your requirements with installing libsodium, you have other options. In preparing this blog post, our security team has investigated several password hashing libraries in multiple programming languages. What follows is our current recommendations for secure password storage with example code.
Acceptable Password Hashing Algorithms
Although there is disagreement about how to rank them, cryptography experts agree that these algorithms are the only ones you should be using to store passwords in 2016:
- Argon2, the Password Hashing Competition winner.
- The other Password Hashing Competition finalists (Catena, Lyra2, Makwa, and yescrypt)
- PBKDF2 (nearly everyone except FIPS agrees this is the worst of the acceptable options)