Argon2id class abstract

Argon2id (RFC 9106) memory-hard password hashing function.

Argon2 is known for winning Password Hashing Competition 2015. OWASP Password Storage Cheat Sheet describes it as first choice for password hashing.

The default implementation is DartArgon2id, our pure Dart implementation.

Things to know

• You need to choose:
  • memory
    • Number of 1kB blocks of memory needed to compute the hash.
    • Higher is better for security. You should experiment what is good for your system. We recommend to start from 1000 (= 1 MB) and go as high as you can.
  • parallelism
    • Maximum number of parallel computations.
    • You should choose a small number such as 1 or 4.
  • iterations
    • Number of iterations. Higher is better for security, but usually you should use value 1 because it makes more sense (from security point of view) to raise memory parameter instead.
  • hashLength
    • The value should be at least 16 bytes. More than 32 bytes is unnecessary from security point of view.
• OWASP suggests the following parameter values:
  • memory = 19 MiB of memory
  • parallelism = 1
  • iterations = 2

Example

import 'package:cryptography/cryptography.dart';

Future<void> main() async {
  final algorithm = Argon2id(
    parallelism: 4,
    memory: 10000, // 10 000 x 1kB block = 10 MB
    iterations: 3,
    hashLength: 32,
  );

  final newSecretKey = await algorithm.deriveKey(
    secretKey: SecretKey([1,2,3]),
    nonce: [4,5,6],
  );
  final newSecretKeyBytes = await newSecretKey.extractBytes();

  print('hashed password: $newSecretKeyBytes');
}

In need of synchronous APIs?

If you need to perform operations synchronously, use DartArgon2id in package:cryptography/dart.dart.