Rust password hashing functions: Argon2, scrypt, PBKDF2

2 jph 4 6/10/2025, 11:33:54 AM

I'm evaluating Rust password hashing functions, specifically Argon2, scrypt, PBKDF2. I'm using the RustCrypto open source implementations. I have three simple demos in case you want to try these yourself:

* https://github.com/joelparkerhenderson/demo-rust-argon2

* https://github.com/joelparkerhenderson/demo-rust-scrypt

* https://github.com/joelparkerhenderson/demo-rust-pbkdf2

I'm seeking advice please, such as pros and cons. The context is medical software where hashing is on generally modern machines. I'm aware of the OWASP recommendations which seem broadly helpful. Thanks!

Comments (4)

cpach · 1d ago

'tptacek has written about this earlier on HN. See https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

For comparison, see also the section named Password handling in Cryptographic Right Answers: Post Quantum Edition https://www.latacora.com/blog/2024/07/29/crypto-right-answer...

stop50 · 2d ago

The first two are good enough, but shouldn't be the only protection. In general salts (adding an per password random string to the raw password) and pepper(addding an random string that is shared across the application) should be added.

Pbkdf2 is quite old and has an attack vector from ASICs and FPGA, but is still quite widespread for applications and protocols.

dandelion9 · 1d ago

Of those, scrypt or argon2id. PBKDF2 is for FIPS compliance.

tptacek · 1d ago

Honestly, throw a dart. I think the right way to think about PBKDF2 vs. Argon2[†] is that Argon2 reaches better levels of security with less cost to "real users" (ie, genuine login attempt latency). It would be a little weird to deliberately select PBKDF2 for a new application today? It would not be among your top 5 security concerns though.

[†] Really, "PBKDF2 vs. any modern password hash".