Using Argon2 Secure Hashes

Intro

Using the Argon2 hashing algorithm requires a slightly different workflow for creating and validating users with the Security Provider. In this tutorial we will show you what’s different and how to create users in your database and validate them on login.

You already know how to create a login system, so we won’t show the whole workflow again, as it’s the same. If you don’t know how to do this, please check: Security and Login

Hashing Users’ Passwords

Before we insert the users’ login details in the database we need to hash their password.
We have created a server action which will insert this data into the database. Right click Execute:

Add a new step. Select Cryptographic > Password Hash

Then click the dynamic data picker for the Password:

This is the password input, under the $_POST variables, which we receive from the form on the registration page. Click Select:

Then select the hashing algorithm. We select Argon2id:

And you are done, now you have the password hashed and we can insert it in the database.

Storing Users Login Data in the Database

When creating the users in your database you need to store their hashed password there. For storing the hashed passwords in your database we recommend using a varchar(255) database field.

Right click the Password Hash step:

And add a new action:

Under Database Actions select Database Insert:

And click the Insert Options button:

Select the database table where you want to store your users’ login details:

And click the dynamic data picker for the password field value:

Here, we need to select the Password Hash step as it returns the hashed password which we need to store in the database:

Click OK:

And you are done. The password passed by the password input will be stored in the database hashed with the Argon2id algorithm.

Validate Users with Security Provider

Once you have your users’ passwords hashed and stored in the database, under Globals > Security Providers setup your Security Provider as usual:

Select the users table, identity, username and password fields. Click OK:

The difference with Argon2 hashing is that you need to enable the Use Password Hash Verify option:

Then open your login server action:

Add a new action:

And add your login step as usual:

Select your username and password inputs here.
Note: you should not apply any formatting to the password input value:

And you are done. These are the things specific to creating users and verifying them on login with the Argon2 hashing algorithm.

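As an added illustration (not Wappler’s own code), here are the plain PHP calls behind the Password Hash step and the Use Password Hash Verify option, assuming PHP 7.3+ built with Argon2 support. It also splits the stored string apart to show that the random salt and the cost parameters are embedded in it, which is why the step has no separate salt input and the login step must receive the raw, unformatted password.

```php
<?php
// Added example, not Wappler's code: what the "Password Hash" step and the
// "Use Password Hash Verify" option do in plain PHP.
// Needs PHP 7.3+ with Argon2 support, otherwise PASSWORD_ARGON2ID is undefined.
declare(strict_types=1);

// Registration: hash the submitted password. Argon2id generates a random salt
// itself and embeds it, with the cost parameters, in the returned string.
function hashPassword(string $plain): string
{
    if (!defined('PASSWORD_ARGON2ID')) {
        throw new RuntimeException('This PHP build has no Argon2id support');
    }
    $hash = password_hash($plain, PASSWORD_ARGON2ID, [
        'memory_cost' => 65536, // KiB; PHP's default values, written out explicitly
        'time_cost'   => 4,
        'threads'     => 1,
    ]);
    if ($hash === false) { // PHP 7 returns false on failure, PHP 8 throws
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login: compare the raw form input against the stored hash. password_verify()
// reads algorithm, parameters and salt out of the stored string itself.
function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Take the stored string apart to show that the salt is inside it.
// Layout: $argon2id$v=19$m=65536,t=4,p=1$<base64 salt>$<base64 tag>
function describeHash(string $storedHash): array
{
    $parts = explode('$', ltrim($storedHash, '$'));
    if (count($parts) !== 5) {
        throw new InvalidArgumentException('not an Argon2 encoded hash');
    }
    return [
        'algorithm'  => $parts[0],
        'version'    => $parts[1],
        'parameters' => $parts[2],
        'salt_bytes' => strlen(base64_decode($parts[3])), // 16 random bytes
        'tag_bytes'  => strlen(base64_decode($parts[4])),
    ];
}

$stored = hashPassword('correct horse battery staple'); // constructed sample
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
var_dump(strlen($stored) <= 255); // fits the recommended varchar(255) column
print_r(describeHash($stored));
```

Running it twice yields two different stored strings for the same password, because a fresh salt is drawn on every call, yet both verify.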

Hello and thank you for this, Teodor!

I like the point and click implementation.
Unless I’m mistaken, I don’t see a way to pass my salt as an input with this method though.

This is what I did with my SHA implementation (salt + hash):

Would it make sense to salt the hash as well with Argon2 for highly sensitive apps?
If yes, how could we achieve this? :slight_smile:

Thank you for your help!

With the Argon2 algorithm you don’t have to pass a salt. It generates its own salt each time it runs. That is one of its strengths.


Awesome, thank you George! :slight_smile:

If you want to know the hash and salt, here you are:


Yes, that’s what I understood when digging into the subject after George’s answer.
Thank you guys! :wink:
Got it to work.


In case someone runs into this issue: Use of undefined constant PASSWORD_ARGON2ID - assumed ‘PASSWORD_ARGON2ID’ (this will throw an Error in a future version of PHP)

Try upgrading the PHP version to 7.4.
Here is a topic with more information to help: https://github.com/laravel/framework/issues/29815


Hi,

I have updated to the latest version and still don’t see the option.


I have uninstalled and reinstalled twice.

Is there any reason I would not see the Cryptographic option?

Thanks
Ray

Perhaps you are not using PHP? I recall seeing a notice saying this is implemented on PHP only for now.


Yes, Argon2 password hashes are PHP only.

@mebeingken, thanks. I would say that’s exactly why it’s not showing. Thanks!


I have created the register and login pages the same way. I did succeed with the register page, which creates the user with the password hashed using argon2id, but when I try to log in it does not work… it throws a 401 Unauthorized error, even though I can see the user in the database.

Is there anything else that could be causing this issue?

Because Argon2 is only for PHP, what would be the safest way to deal with passwords in Node?

https://www.npmjs.com/package/argon2 looks like there is an npm package for argon2… will this be added to Wappler? @George @Teodor

Argon2 is now available for NodeJS as well.
Also - the documentation has been updated now - the workflow shown applies for both PHP and NodeJS.
