For a new application, which password hashing choice and configuration best reflects current OWASP guidance?
- 1SHA-256 with a per-user salt — fast and FIPS-approved
- 2Argon2id tuned for memory/iterations/parallelism (e.g. 19 MiB, t=2, p=1 as a minimum), with a per-user salt✓ correct
- 3bcrypt with an unlimited-length password and no work-factor tuning
- 4MD5 with a long random pepper
Argon2id is OWASP's preferred algorithm — it's memory-hard, resisting both GPU and side-channel attacks, and is tuned via three parameters: memory cost, iterations (time cost), and parallelism (OWASP's minimum baseline is ~19 MiB, t=2, p=1, tuned up to your latency budget). bcrypt and scrypt are acceptable, but bcrypt silently truncates input at 72 bytes (so pre-hash long/binary passwords) and isn't memory-hard like Argon2id/scrypt. Fast general-purpose hashes (SHA-256, MD5) are wrong regardless of salt because they're cheap to brute-force at scale. A pepper (a secret added separately, kept in an HSM/secrets manager, not in the DB) is a useful defense-in-depth layer on top — but never a substitute for a slow hash. Salts only prevent precomputation/rainbow tables; they don't slow brute force.
Argon2id is the first-choice modern password hash; bcrypt remains acceptable but caps input at 72 bytes; fast hashes like SHA-256 must never be used directly for passwords.