Argon2 vs bcrypt vs PBKDF2 Comparison
Choosing the right password hashing algorithm — Argon2, bcrypt, and PBKDF2 compared on security and speed.
Published:
Tags: Argon2 vs bcrypt comparison, password hashing algorithm comparison, which is better bcrypt or Argon2
Argon2 vs bcrypt vs PBKDF2 Comparison Choosing the wrong password hashing algorithm can turn a database breach into a mass credential compromise. The three mainstream options — Argon2, bcrypt, and PBKDF2 — all provide meaningful protection over plain hashes, but they differ significantly in their resistance to modern GPU and ASIC attacks. --- Why Fast Hashes Are Wrong for Passwords? Before comparing the three, it's worth understanding why algorithms like SHA-256, SHA-512, or MD5 are inappropriate for password storage. These functions are designed for speed. A single RTX 4090 GPU achieves approximately: | Hash function | Hashes/second (GPU) | |--------------|---------------------| | MD5 | ~164 billion | | SHA-256 | ~22 billion | | SHA-512 | ~7.5 billion | | bcrypt (cost 12) | ~15,000 | |…
Frequently Asked Questions
Which password hashing algorithm should I use in 2026?
For new systems without regulatory constraints: Argon2id, with OWASP-minimum parameters (m=19456, t=2, p=1). For FIPS 140 environments: PBKDF2-HMAC-SHA256 at 600,000+ iterations. For existing systems already using bcrypt: bcrypt at cost factor 12+ remains acceptable — migration to Argon2 is worthwhile for new systems but not urgent for well-configured bcrypt deployments.
How does Argon2 compare to bcrypt?
Argon2 is memory-hard (uses significant RAM per hash), making GPU and ASIC attacks far more expensive than against bcrypt. bcrypt is only CPU-bound, which means modern GPUs can test millions of passwords per second at lower cost factors. Additionally, bcrypt silently truncates passwords at 72 bytes, which Argon2 does not. For new systems, Argon2id is the superior choice.
What makes Argon2 better for memory-hard hashing?
Argon2 fills a configurable amount of RAM (the memory parameter m) with pseudorandom data during each hash operation, then reads from it in a pattern that requires holding all of it. This means GPU attacks are limited by VRAM — a GPU with 8 GB can run far fewer parallel Argon2 operations than SHA-256 or bcrypt operations. Hardware cost for attacking Argon2 grows proportionally with the memory parameter.
Why is MD5 not suitable for passwords?
MD5 (and SHA-1, SHA-256, SHA-512 used directly) are general-purpose hash functions designed to be fast. MD5 can run at ~10 billion operations per second on a modern GPU. An attacker with a stolen database of MD5-hashed passwords can run comprehensive dictionary attacks in minutes. Password hashing functions are intentionally slow and resource-intensive; MD5 is not.
What are GPU attacks on password hashes?
A GPU attack uses a graphics card's thousands of parallel cores to test many password candidates simultaneously. Against MD5, a single RTX 4090 can test ~164 billion hashes per second. Against bcrypt at cost 12, it tests ~15,000 per second. Against Argon2id at m=65536, it tests far fewer due to VRAM limits. Memory-hard algorithms like Argon2 constrain GPU attacks at the hardware level.
All articles · theproductguy.in