Evaluating Argon2 Adoption and Effectiveness in Real-World Software

TL;DR

This work tackles the gap between Argon2’s theoretical security and its real-world effectiveness by jointly evaluating parameter configurations and adoption. It combines attack simulations that model attacker budgets with an empirical study of Argon2 deployment across public GitHub repositories, including manual parameter extraction. Key findings show that OWASP’s 46 MiB configuration provides limited protection relative to RFC 9106’s 2048 MiB, and that both configurations fail to mitigate weak passwords, underscoring the central role of user credential quality. The study also reveals accelerating Argon2 adoption but widespread suboptimal parameterization, highlighting the need for better parameter guidance, library defaults, and developer education to realize Argon2’s practical security advantages.

Abstract

Modern password hashing remains a critical defense against credential cracking, yet the transition from theoretically secure algorithms to robust real-world implementations remains fraught with challenges. This paper presents a dual analysis of Argon2, the Password Hashing Competition winner, combining attack simulations quantifying how parameter configurations impact guessing costs under realistic budgets, with the first large-scale empirical study of Argon2 adoption across public GitHub software repositories. Our economic model, validated against cryptocurrency mining benchmarks, demonstrates that OWASP's recommended 46 MiB configuration reduces compromise rates by 42.5% compared to SHA-256 at \$1/account attack budgets for strong user passwords. However, memory-hardness exhibits diminishing returns as increasing allocations to RFC 9106's 2048 MiB provides just 23.3% (\$1) and 17.7% (\$20) additional protection despite 44.5 times greater memory demands. Crucially, both configurations fail to mitigate risks from weak passwords, with 96.9-99.8% compromise rates for RockYou-like credentials regardless of algorithm choice. Our repository analysis shows accelerating Argon2 adoption, yet weak configuration practices: 46.6% of deployments use weaker-than-OWASP parameters. Surprisingly, sensitive applications (password managers, encryption tools) show no stronger configurations than general software. Our findings highlight that a secure algorithm alone cannot ensure security, effective parameter guidance and developer education remain essential for realizing Argon2's theoretical advantages.

Figures (4)

• Figure 1: Password cracking success rates for the RockYou dataset under $0.1 and $1 budgets for SHA-256 and Argon2 configurations (46 MiB and 2048 MiB).
• Figure 2: Password cracking success rates for the synthetic dataset ($D_{\text{syn}}$) under $1 and $20 budgets for SHA-256 and Argon2 configurations (46 MiB and 2048 MiB).
• Figure 3: Repository search hits for various password hashing algorithms (2008-2024).
• Figure 4: Log-log plot of time cost (t) versus memory cost (m). The size of each blue dot represents the frequency of data points with a specific combination of t and m. The red crosses represent OWASP recommendations, while the purple crosses represent RFC 9106 recommendations. The dashed red line extrapolates OWASP recommendations using a linear regression in log-log space.