Evaluation: Password Hashing

Argon2 (Argon2id)

Advantages

• Designed to resist GPU/ASIC attacks through memory hardness
• Highly configurable, means that you can configure memory, time (iterations), parallelism
• Considered modern best practice
• Won the PHC (Password hashing competition) in 2015

Disadvantages

• Quite Complex to configure therefore requires careful parameter tuning
• Not available in very old libraries or legacy systems

bcrypt

Advantages

• Widely supported and tested
• A single work factor (cost) makes configuration simple
• Resistant to brute force through computational cost

Disadvantages

• Not memory-hard so more vulnerable to GPU/ASIC attacks

• Has a 72-byte limit on password length

PBKDF2

Advantages

• Standardized
• Available in most languages and frameworks
• Easy to implement

Disadvantages

• Purely CPU-bound and not memory-hard making it weaker against GPU/ASIC attacks
• Requires high iteration counts for strong security

How they work

Argon2id: Combines the memory-hard computations and multiple passes to resist GPU/ASIC attacks, combined with a data-dependent and data-independent memory access.

bcrypt: uses the blowfish cipher internally and repeatedly applies it to the password + salt.

PBKDF2: applies a standard hash function such as (SHA-256) to the password + salt and hashes the password + salt multiple times, potentially even thousands to hundreds of thousands times.

Conclusion

We decided to use PBKDF2 as it is built into Dotnet and its easier to configure. It is also older (been around since 2000), making it unlikely to be abandoned by Microsoft as they still use it. We should try to implement it and if the result is bad or it is harder to configure than we anticipated we could consider a change to Argon2id.