Protect credentials with secure hashing like Argon2
Argon2id, per-user salt and split-salt architecture: how to make credential theft economically worthless to an attacker.
Quick answer
To protect user credentials with a secure hashing algorithm like Argon2 you store not the password but its hash, computed with Argon2id — the OWASP-recommended variant — using a unique per-user salt and cost parameters (memory, iterations, parallelism) tuned to make brute-forcing economically unsustainable. Argon2 is memory-hard: it forces the attacker to use large amounts of memory, neutralizing the massive GPU and ASIC attacks that plague older algorithms. LoginMaster protects credentials with Argon2 and a split-salt scheme that distributes cryptographic components across multiple entities: no single component — not even the provider — holds the information needed to reconstruct the original credential.
The principles that matter
Memory-hard by design
Argon2 requires substantial memory for each hash computation. This defeats parallel GPU and ASIC attacks, which excel at computation but are constrained by available memory.
Argon2id: the recommended variant
Argon2id combines the side-channel resistance of Argon2i with the GPU-cracking resistance of Argon2d. It is OWASP's first choice for password storage.
Unique per-user salt
Each credential uses a different salt: two users with the same password produce different hashes. This defeats rainbow tables and prevents attacking many accounts with a single effort.
Split-salt: no single point
LoginMaster goes beyond the classic salt: cryptographic components are separated across multiple entities (Tenant and Cloud). A breach of any single store does not provide enough information to reconstruct credentials.
Argon2 vs other algorithms
Which hashing algorithm to choose for passwords, in one table.
| Algorithm | Memory-hard | GPU/ASIC resistance | Recommendation |
|---|---|---|---|
| Argon2id | Yes | High | OWASP: first choice |
| scrypt | Yes | Medium-high | Good alternative |
| bcrypt | No (fixed, limited memory) | Medium | Acceptable, now legacy |
| PBKDF2 | No | Low | Only where required (e.g. FIPS) |
| MD5 / SHA-1 / SHA-256 (plain) | No | None | Never for passwords |
Frequently asked questions
Argon2 won the Password Hashing Competition in 2015 and is memory-hard: it forces the attacker to use a lot of memory per attempt, defeating the massive GPU and ASIC attacks that make brute-forcing bcrypt or PBKDF2 cheap. With adequate cost parameters, trying billions of passwords becomes prohibitive.
For new systems, Argon2id is OWASP's recommended choice because it is memory-hard and more resistant to cracking on specialized hardware. bcrypt remains acceptable and widely used, but its fixed, limited memory makes it less robust against modern parallel attacks. LoginMaster uses Argon2.
It is the hybrid variant of Argon2 that combines Argon2i (resistant to side-channel attacks based on memory-access timing) and Argon2d (resistant to GPU cracking). OWASP lists it as the first choice for password storage, with memory, iteration and parallelism parameters to be tuned to the hardware.
LoginMaster hashes credentials with Argon2 and applies a split-salt scheme that distributes cryptographic components between the customer's Tenant and the Cloud. The Cloud never contains readable personal data and no single store holds the information needed to reconstruct the password: not even the provider can access credentials.
With traditional hashing, salt and hash live in the same database: whoever breaches it has everything needed for an offline attack. With split-salt the components are separated across multiple entities, so breaching a single store is not enough. It is defense in depth on top of Argon2.
You don't need to. By delegating authentication to LoginMaster, Argon2 hashing, salt management, cost parameters and algorithm rotation are handled by the platform and kept up to date with NIST/OWASP recommendations. Your application only receives a signed token and never stores passwords.
Stop managing passwords yourself
Let LoginMaster handle Argon2 hashing, salt management and algorithm rotation. You only receive signed tokens.