Argon2id vs bcrypt: Choosing the Right Password Hashing Algorithm
December 1, 2025
by ODD4 Team
Password hashing is one of those things that seems simple on the surface but has significant implications for your application's security. If you're building authentication systems today, you've likely encountered two main contenders: bcrypt and Argon2id. Both are considered secure, but they have different strengths and trade-offs worth understanding.
#What Makes a Good Password Hash?
Before comparing the two algorithms, it helps to understand what we're optimizing for. A good password hashing algorithm should be:
- Slow by design: Unlike general-purpose hashes like SHA-256, password hashes intentionally take time to compute. This makes brute-force attacks impractical.
- Memory-intensive: Using significant RAM makes it harder to parallelize attacks using GPUs or custom hardware.
- Resistant to side-channel attacks: The algorithm shouldn't leak information through timing differences or other observable behaviors.
#bcrypt: The Proven Veteran
bcrypt has been around since 1999 and has withstood over two decades of scrutiny. It's based on the Blowfish cipher and includes a configurable work factor that lets you increase computation time as hardware improves.
#How bcrypt works
bcrypt takes your password, a random salt, and a cost factor. It then runs the Blowfish key schedule 2^cost times, making the hash exponentially more expensive to compute as you increase the cost.
$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
│ │ └── 22-character salt + 31-character hash
│ └── cost factor (12 = 2^12 iterations)
└── algorithm version
#bcrypt strengths
- Battle-tested for 25+ years
- Widely supported in every major programming language
- Simple API with salt generation built in
- Cost factor makes it adaptable to faster hardware
#bcrypt limitations
- Fixed memory usage (around 4KB) makes it vulnerable to GPU and ASIC attacks
- Maximum password length of 72 bytes
- No built-in parallelism parameter
#Argon2id: The Modern Standard
Argon2 won the Password Hashing Competition in 2015 and was specifically designed to address the limitations of older algorithms. Argon2id is the recommended variant, combining resistance to both side-channel attacks and GPU-based attacks.
#How Argon2id works
Argon2id has three tunable parameters:
- Time cost: Number of iterations over memory
- Memory cost: Amount of RAM required (in KB)
- Parallelism: Number of threads that can be used
This gives you fine-grained control over the security and performance trade-offs.
$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$hash
│ │ │ │ │
│ │ │ │ └── parallelism (4 threads)
│ │ │ └── time cost (3 iterations)
│ │ └── memory cost (64 MB)
│ └── version
└── variant
#Argon2id strengths
- Memory-hard design makes GPU and ASIC attacks significantly more expensive
- Three tunable parameters for precise security configuration
- No practical password length limit
- Designed with modern attack vectors in mind
- Recommended by OWASP and included in many security standards
#Argon2id limitations
- Newer, with less time in production environments
- More complex to configure correctly
- Library support, while good, isn't quite as universal as bcrypt
#Security Comparison
The key difference comes down to memory hardness. bcrypt uses a fixed 4KB of memory, which means attackers can run thousands of parallel bcrypt computations on a single GPU. Each GPU core has limited memory, but 4KB is trivial.
Argon2id configured to use 64MB of RAM changes this equation dramatically. A GPU with 8GB of memory can only run around 125 parallel Argon2id computations, compared to potentially millions of bcrypt hashes.
In practical terms, this means an attacker with specialized hardware has a much harder time cracking Argon2id hashes at scale.
#Performance Considerations
Both algorithms can be tuned to take roughly the same amount of time per hash. The difference is what's happening during that time:
| Aspect | bcrypt | Argon2id |
|---|---|---|
| CPU usage | High | Configurable |
| Memory usage | ~4KB fixed | 32MB to 1GB+ typical |
| Parallelization | Not supported | Built-in parameter |
| Hash time | Typically 100-500ms | Typically 100-500ms |
For most web applications, either algorithm can be configured to hash passwords in a reasonable time frame (100-500ms) without noticeable impact on user experience.
#Which Should You Choose?
#Choose Argon2id if:
- You're starting a new project with no existing password hashes
- Your infrastructure can allocate 64MB+ of RAM per authentication request
- You want the strongest protection against hardware-accelerated attacks
- You're following current security recommendations (OWASP, NIST)
#Stick with bcrypt if:
- You have an existing system already using bcrypt
- Your environment has strict memory constraints
- Library support for Argon2 is limited in your ecosystem
- You prefer the simplicity of a single cost parameter
#Recommended parameters
For Argon2id, OWASP recommends starting with:
- Memory: 19456 KB (19 MB) minimum, 64 MB preferred
- Iterations: 2 minimum
- Parallelism: 1
For bcrypt:
- Cost factor: 10 minimum, 12 recommended
#Migration Strategy
If you're currently using bcrypt and want to move to Argon2id, there's no need for a forced password reset. A common approach:
- Keep the existing bcrypt hashes in your database
- When a user logs in successfully, re-hash their password with Argon2id
- Store a hash version indicator alongside the hash
- Gradually, your user base migrates to the new algorithm as they log in
This approach is transparent to users and allows you to improve security without disruption.
#The Bottom Line
Both bcrypt and Argon2id are secure choices for password hashing in 2024. bcrypt remains a solid option, especially for existing systems. However, if you're building something new and have the infrastructure to support it, Argon2id offers stronger protection against the kinds of attacks that are becoming more accessible as hardware improves.
The most important thing isn't which algorithm you choose. It's that you're using a proper password hashing algorithm at all, with appropriate parameters for your security requirements.
