Picking a password hash: A developer's guide to argon2, bcrypt, and scrypt

Password hashing is a critical aspect of securing stored passwords, with bcrypt, scrypt, and Argon2 being the primary algorithms used to ensure passwords are not stored in plaintext and are resistant to brute-force attacks. Each algorithm has its distinct strengths and weaknesses based on factors like CPU and memory hardness, resistance to side-channel attacks, and parameter tunability. Bcrypt, introduced in 1999, is widely used and battle-tested but is primarily CPU-hard, making it less resistant to parallel attacks on GPUs. Scrypt, designed in 2009, incorporates memory-hardness to counteract GPU and ASIC attacks but involves more complex parameter configurations. Argon2, the winner of the Password Hashing Competition in 2015, offers the strongest resistance to modern hardware attacks and comes in three variants to balance between side-channel resistance and time-memory tradeoff threats. While Argon2id is the recommended default for its robust defense capabilities, scrypt remains a strong alternative where Argon2 is unavailable, and bcrypt serves as a secure fallback for legacy systems. The choice of algorithm should also consider the surrounding practices such as using unique salts, tuning parameters for specific hardware, and planning for parameter migration to ensure comprehensive security.