Awesome
pyargon2
Simultaneously the simplest and most powerful implementation of Argon2 in Python.
Installation
pip install pyargon2
Please note that for security reasons, pyargon2 does not ship with pre-compiled binaries (Wheels) available on PyPi. This is to ensure that what is shown in this repository is what is installed on target machines. Therefore, during the installation process, the underlying Argon2 C implementation will be compiled from source automatically for your OS and architecture. This will add a short delay to the installation process, but is worthwhile in order to maintain guarantees and verifiability with respect to what is being installed on target machines.
Basic Usage
The hash function supports basic password hashing using the Argon2id variant and mandates password and salt strings. The resulting hash returned is hex encoded.
from pyargon2 import hash
password = 'a strong password'
salt = 'a unique salt'
hex_encoded_hash = hash(password, salt)
The default parameters aim to generate hashes in around 0.5 seconds and are targeted at a machine housing a CPU with 4 cores and at least 4GB of RAM. If timing differs significantly on your machine, adjust the parameters using the advanced options below. Remember password hashing should be slow for security so don't optimise for speed!
Advanced Usage
Function Choices
pyargon2 contains two functions for hashing. Namely, hash
and hash_bytes
. These two functions differ in their input types only.
This is explained in detail in the subsequent sections. To minimise input dependent hashing performance, dynamic type checking is not
used in pyargon2. Instead, dedicated functions are exposed to deal with hashing strings or byte arrays separately. As such, one should
ensure that they hash passwords, salts and peppers of the same type and then pick the corresponding function in pyargon2 as
appropriate.
Function Parameters
The hash
and hash_bytes
functions take in the following parameters:
Positional
- password : A string (or byte array when using
hash_bytes
) representing a password. - salt : A string (or byte array when using
hash_bytes
) representing a unique salt.
Keyword (Optional)
- pepper : A secret string (or byte array when using
hash_bytes
) to fold into the hash of the password. - hash_len : The length in bytes of the resulting hash.
- time_cost : The number of iterations to perform.
- memory_cost : The number of kibibytes in memory to utilise.
- parallelism : The number of independent computations chains (lanes) to run.
- flags : Flags to determine which fields are securely wiped.
- variant : Argon2 algorithm variant ('i', 'd', or 'id').
- version : Argon2 algorithm version number.
- encoding : Encoding for the returned hash type ('raw', 'hex' or 'b64').
For assistance with parameter selection refer to RFC 9106, in particular "Chapter 4: Parameter Choice".
Function Exceptions
Exceptions generated by the underlying Argon2 hashing function are raised under the Argon2Error
class which can be imported as follows:
from pyargon2 import Argon2Error