Storing passwords securely is an ever-changing game. For the past few years (2013 -> 2015), Jean-Philippe Aumasson has been running a world-renowned Password Hashing Competition in which security researchers submit, validate, and vet the best password hashing algorithms.

Just recently, the competition wrapped up, naming Argon2 king of the hashing algorithms.

This is good news for any web developer out there: you can now use the Argon2 algorithm to more securely store your users' passwords!

Today I'm going to show you how you can easily hash your users' passwords using the Argon2 algorithm, and introduce you to some best practices.

Argon2 Recommendation

In the crypto community, standards are created by holding open competitions in which researchers analyze various cryptographic algorithms, slowly looking for faults, weeding out the weaker submissions.

This is how Argon2 (pdf) was born.

The Password Hashing Competition yielded 24 separate hashing algorithm submissions, which were eventually pruned down to 9 finalists, out of which Argon2 was named the winner.

What does this mean for normal web developers? If you’re starting a new project, or looking to improve security on an existing project, you should immediately start using the Argon2 hashing algorithm to securely store all of your user passwords.

If you're into C, you can look at the reference Argon2 implementation on GitHub here:

Using Argon2 in Node.js

As of just a few weeks ago, you can now get started using Argon2 in Node, thanks to efforts by Ranieri Althoff.

First up, you need to install the argon2 npm package. This requires that you have GCC >= 4.8 installed. If you don't have GCC >= 4.8 already, and you're using OSX, you can install it like so:

Next, you need to install (globally) the node-gyp library. This is required because it lets the argon2 library build and use the underlying C implementation of the Argon2 password hashing algorithm:

Finally, you can install argon2 from NPM by running:

Once this is done, you need to ensure your project is a Git repository — this is required because of the way the underlying Argon2 library is being used. To ensure you’re in a Git repository, you can run the following command:

Next up, you'll need to import the argon2 library:

Now, let's say you receive a password from a user and want to securely hash it for storage in a database system. You can do this using the hash method:

NOTE: We'll also let the argon2 library generate the cryptographic salt for us in a secure fashion.

Now, after you’ve stored a user’s Argon2 hash, how can you log a user in using
the plain text password to verify it is correct? Using the verify method, of

And that’s pretty much it, easy right?!
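The string that hash returns and verify consumes is self-describing, which is why the generated salt never needs its own database column. The block below is an added example, not code from the original post or the argon2 package: it parses Argon2's standard encoded form and flags stored hashes made with weaker settings than a policy. It assumes stored values are in that encoded form; the sample hashes are constructed (real layout, placeholder salt and digest), and `parseArgon2Hash`, `needsRehash` and `POLICY` are hypothetical names and values.

```javascript
'use strict';

// Standard Argon2 encoded form; salt and digest are unpadded base64:
//   $argon2<variant>$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<digest>
// Hashes made before Argon2 1.3 have no v= field (treated here as version 16).
const ENCODED = /^\$(argon2(?:id|i|d))(?:\$v=(\d+))?\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/;

function parseArgon2Hash(encoded) {
  const m = ENCODED.exec(encoded);
  if (!m) throw new Error('not an Argon2 encoded hash');
  return {
    variant: m[1],
    version: m[2] === undefined ? 16 : Number(m[2]),
    memoryKiB: Number(m[3]),
    passes: Number(m[4]),
    parallelism: Number(m[5]),
    salt: Buffer.from(m[6], 'base64'),
    digest: Buffer.from(m[7], 'base64'),
  };
}

// True when a stored hash was made with weaker settings than the current
// policy, so it should be replaced after the user's next successful login.
function needsRehash(encoded, policy) {
  const h = parseArgon2Hash(encoded);
  return h.variant !== policy.variant ||
    h.version < policy.version ||
    h.memoryKiB < policy.memoryKiB ||
    h.passes < policy.passes ||
    h.salt.length < policy.minSaltBytes;
}

// Constructed samples: the layout is real, the salt and digest are filler bytes.
const b64 = (buf) => buf.toString('base64').replace(/=+$/, '');
const sample = (variant, m, t, p) =>
  `$${variant}$v=19$m=${m},t=${t},p=${p}$${b64(Buffer.alloc(16, 0x5a))}$${b64(Buffer.alloc(32, 0xab))}`;
const OLD_HASH = sample('argon2i', 4096, 3, 1);
const NEW_HASH = sample('argon2id', 65536, 3, 4);

// Hypothetical policy; pick real values by benchmarking on your own hardware.
const POLICY = { variant: 'argon2id', version: 19, memoryKiB: 65536, passes: 3, minSaltBytes: 16 };

console.log(parseArgon2Hash(OLD_HASH));
console.log('old needs rehash:', needsRehash(OLD_HASH, POLICY));
console.log('new needs rehash:', needsRehash(NEW_HASH, POLICY));
```

Call `needsRehash` only after verify has succeeded, since that is the one moment the plain-text password is available to hash again with the current settings.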


If you’re building new webapps, you should check out the NPM argon2 module for securely hashing your user passwords. It’s the new recommended password hashing algorithm, so don’t be afraid to get your hands dirty!

Also: if you're looking for a service that makes creating users and storing user data really simple and secure, be sure to go sign up for Stormpath! We're free to use, and provide all sorts of awesome features, including transparent password hashing upgrades, secure user data storage, and lots more.

We even have an amazingly simple and powerful express library that makes building secure websites and API services a few lines of code =)