Argon2id Hash Generator & VerifierPrivacy: All processing runs locally

Generate and verify Argon2id password hashes with configurable memory cost, time cost, parallelism, salt, and output length — entirely in your browser.

Local playground. Everything runs in your browser using WASM. Do not paste real production passwords into online tools. Production password hashing belongs on the server side. This tool is for testing, learning, and debugging.

Memory cost (KiB) Time cost (iterations) Parallelism Output length (bytes)

Salt (base64, auto-generated)

Password0

Argon2id PHC Hash0

How Argon2id Works

Argon2id is a modern, memory-hard password hashing algorithm. It won the 2015 Password Hashing Competition and combines the features of Argon2i (data-independent memory access) and Argon2d (data-dependent memory access) for both side-channel resistance and GPU attack resistance. It is not encryption.

Parameters

Memory cost (m) controls how much memory is used during hashing, in KiB. Time cost (t) controls the number of passes over memory. Parallelism (p) controls the number of independent threads. Higher values increase security but also computation time and resource usage.

PHC String Format

Argon2id hashes use the Password Hashing Competition (PHC) string format:
$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
This standard format includes all parameters needed for verification.

Browser-Safe Defaults

This tool uses browser-safe defaults (m=65536 KiB ≈ 64 MB, t=3, p=1). Production server settings (e.g. m=65536, t=3, p=4) may differ. Choose production parameters based on current security guidance and your system's performance budget.

Comparison

Argon2id is generally preferred for new systems. scrypt is another memory-hard alternative. Bcrypt is well-established. PBKDF2 is used where compliance matters.

FAQ

Can I decrypt an Argon2id hash?

No. Argon2id is one-way. The password cannot be recovered.

Is it safe to paste a real password here?

This tool runs in your browser using WASM. Nothing is sent anywhere. Still, avoid real production passwords.

Should I hash passwords in the browser before login?

No. The hash would become the password. Hash on the server side.

What is a salt?

A random value ensuring identical passwords produce different hashes.

Why does the same password produce different hashes?

New random salt each time. Parameters and salt are stored in the PHC hash string.

Which algorithm should I use in production?

Argon2id is generally recommended. Follow current security guidance and choose parameters based on your server performance.

Why is hashing slow?

Intentionally. Memory-hard hashing makes large-scale attacks expensive.

What do the parameters mean?

m = memory in KiB, t = time passes, p = parallelism. Higher values = stronger but slower.