Vol. 1 · Ed. 2026
CyberGlossary
Entry № 069

Argon2

Reviewed by Cybersecurity entrepreneur & security researcher

What is Argon2?

Argon2: A modern memory-hard password hashing function and KDF, winner of the 2015 Password Hashing Competition and specified in RFC 9106.


Argon2 is a memory-hard key derivation and password hashing function designed by Biryukov, Dinu and Khovratovich, selected as the winner of the 2015 Password Hashing Competition and standardised in RFC 9106. It comes in three variants: Argon2d (data-dependent indexing, fastest, but with memory-access patterns that depend on the secret and so leak via side channels), Argon2i (data-independent, side-channel resistant but weaker against time-memory trade-off attacks) and the recommended Argon2id (a hybrid that uses Argon2i indexing for the first half of the first pass and Argon2d thereafter).

Its security comes from filling a large block of memory that must be retained throughout the computation. This memory-hardness is the key advantage over older schemes: a GPU or ASIC cracker can run thousands of cheap parallel hash cores, but it cannot cheaply give each core hundreds of mebibytes of fast RAM, so Argon2 raises the per-guess cost far more than PBKDF2 or even bcrypt (which uses only ~4 KiB). Tunable parameters are memory cost (m), time/iterations (t), parallelism (p) and output length.

RFC 9106 recommends two profiles: a high-memory option of m=2 GiB, t=1, p=4, and a memory-constrained option of m=64 MiB, t=3, p=4. The OWASP Password Storage Cheat Sheet gives a conservative web-server baseline of Argon2id, m=19456 (19 MiB), t=2, p=1. Always combine Argon2 with a unique random salt per password, and tune parameters to your latency budget.
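
Added example (not part of the original entry): a stored-hash audit that checks each record against the profiles quoted above and flags salts shared between records. It assumes hashes are kept in the `$argon2id$v=19$m=...,t=...,p=...$salt$hash` encoded form that Argon2 libraries commonly emit; the function names, the 16-byte salt floor and the sample records are constructed for illustration.

```python
import base64
import re
from collections import Counter

# Profiles quoted on this page as (memory KiB, iterations); treating them
# as minimum floors is this example's policy choice.
FLOORS = [(19456, 2), (65536, 3), (2 * 1024 * 1024, 1)]
MIN_SALT_BYTES = 16  # assumption: the 128-bit salt size RFC 9106 suggests
PHC_RE = re.compile(r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
                    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$")

def b64(raw):
    """Unpadded base64, as used in Argon2 encoded hashes."""
    return base64.b64encode(raw).decode().rstrip("=")

def audit(encoded):
    """Return findings for one stored hash; an empty list means it passes."""
    match = PHC_RE.match(encoded)
    if not match:
        return ["not a parseable Argon2 encoded hash"]
    variant, salt = match.group(1), match.group(6)
    mem, t = int(match.group(3)), int(match.group(4))
    findings = []
    if variant != "argon2id":
        findings.append(f"variant is {variant}, not argon2id")
    if not any(mem >= fm and t >= ft for fm, ft in FLOORS):
        findings.append(f"m={mem} KiB, t={t} is below every profile")
    try:
        salt_len = len(base64.b64decode(salt + "=" * (-len(salt) % 4)))
    except ValueError:
        salt_len = 0
    if salt_len < MIN_SALT_BYTES:
        findings.append("salt malformed or under 16 bytes")
    return findings

def reused_salts(store):
    """Return salts shared by more than one record of {user: encoded}."""
    salts = Counter(h.split("$")[4] for h in store.values() if PHC_RE.match(h))
    return sorted(s for s, n in salts.items() if n > 1)

# Constructed records: salt and tag bytes are placeholders, not real outputs.
TAG = b64(bytes(32))
STORE = {
    "alice": f"$argon2id$v=19$m=19456,t=2,p=1${b64(bytes(range(16)))}${TAG}",
    "bob": f"$argon2i$v=19$m=4096,t=3,p=1${b64(b'somesalt')}${TAG}",
    "carol": f"$argon2id$v=19$m=2097152,t=1,p=4${b64(b'somesalt')}${TAG}",
}

if __name__ == "__main__":
    print({u: audit(h) or "ok" for u, h in STORE.items()}, reused_salts(STORE))
```

Records with findings are candidates for rehashing with stronger parameters at the user's next successful login.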

flowchart LR
  P[Password] --> H[Argon2id]
  S[Unique random salt] --> H
  PARAMS[m memory cost<br/>t iterations<br/>p parallelism] --> H
  H --> MEM[Fill large memory block<br/>memory-hard]
  MEM --> O[Derived hash / key]
  MEM -. raises cost .-> GPU[GPU/ASIC cracking<br/>becomes expensive]

Examples

  1. Storing user passwords using Argon2id with m=64 MiB, t=3, p=1.

  2. Deriving a symmetric encryption key from a user passphrase in a disk-encryption tool.

Frequently asked questions

What is Argon2?

A modern memory-hard password hashing function and KDF, winner of the 2015 Password Hashing Competition and specified in RFC 9106. It belongs to the Cryptography category of cybersecurity.

What does Argon2 mean?

A modern memory-hard password hashing function and KDF, winner of the 2015 Password Hashing Competition and specified in RFC 9106.

How do you defend against Argon2?

Defences for Argon2 typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Argon2?

Common alternative names include: Argon2id, PHC winner.
