MD5 and SHA1 are not password hashing functions. GPU crackers break billions of SHA-256 hashes per second. You need a slow algorithm.
Comparison
- Argon2id: OWASP recommended, memory-hard, most secure
- bcrypt: Time-tested, but input is limited to 72 bytes
- scrypt: Memory-hard, less commonly used
- PBKDF2: FIPS-compatible, but not memory-hard, so GPU-friendly
Argon2id — Recommended Configuration

```python
from argon2 import PasswordHasher, Type

ph = PasswordHasher(
    time_cost=3,        # iterations (passes over memory)
    memory_cost=65536,  # 64 MB, given in KiB
    parallelism=4,      # threads / lanes
    hash_len=32,        # output length in bytes
    salt_len=16,        # random salt length in bytes
    type=Type.ID,       # hybrid of Argon2i and Argon2d
)
hashed = ph.hash("password")
ph.verify(hashed, "password")  # True, or raises VerifyMismatchError
```
bcrypt

```python
import bcrypt

# Work factor 12 (2**12 rounds); passwords longer than 72 bytes are truncated
hashed = bcrypt.hashpw(b"password", bcrypt.gensalt(rounds=12))
bcrypt.checkpw(b"password", hashed)  # True
```
Key Takeaway
Argon2id for new projects, bcrypt if you need compatibility. Never MD5, SHA1, or SHA256 for passwords.