New research finds Argon2 sharply raises the cost of offline password cracking, but stronger hashing alone cannot remove the risk.

Specops Software, an Outpost24 company, has published research testing how the hardened algorithm Argon2 resists modern cracking hardware. The testing found Argon2id, the algorithm’s recommended general-purpose variant, was far slower to crack than SHA256 on the same equipment, confirming its strength as a memory-hard algorithm designed to limit the advantage attackers gain from powerful GPUs.

Argon2, winner of the 2015 Password Hashing Competition, was tested on a rig of eight Nvidia RTX 5090 graphics cards, hardware that cloud providers rent for around five dollars an hour, alongside a single AMD EPYC server processor.

Argon2id achieved a hashrate of just 490 hashes per second, compared with 221 billion for SHA256, making it roughly 451 million times slower to crack on the same hardware. In practical terms, a password crackable in one second when hashed with SHA256 would take more than 14 years with Argon2id, making brute-forcing a strong, random password effectively unrealistic on a GPU rig alone.

However, the tool mdxfind reached 730 hashes per second on an AMD EPYC CPU costing about $2,100, outpacing the eight-card GPU rig entirely. The finding shows a low-cost server can match or beat high-end graphics hardware, and that determined attackers can still recover some hashes even against Argon2.

More importantly, the research notes that Argon2 does nothing to protect a password that an attacker already holds from a prior breach, a phishing attack, or an infostealer infection, and recommends a minimum password length of 15 characters to raise the cost of cracking further.

Darren James, Senior Product Manager at Specops Software, said: “Strong hashing needs to be combined with policies that prevent weak, predictable and already-compromised passwords from being used.”

The research coincides with the latest update to Specops’ Breached Password Protection service, which helps organisations block exposed credentials across Active Directory.

Stay updated on crypto and AI by following our socials.

Leave a Reply

Your email address will not be published. Required fields are marked *

Instagram