Using Argon2 Secure Hashes

Using the Argon2 hashing algorithm requires a slightly different workflow for creating and validating users with Security Provider. In this tutorial we will show you what’s different and how to create users in your database and validate them on login.

You already know how to create a login system, so we won’t show the whole workflow again, as it’s the same. If you don’t know how to do this, please check: Security and Login

Creating Users in the Database

When creating the users in your database you need to store their hashed password there. For storing the hashed passwords in your database we recommend using a varchar(255) database field.

In the insert record step, where you insert the users in the database, double click the value for the Password column and click the dynamic data picker button:

Select the password input and click the data formatter icon:

Open Cryptographic and then select Password Hash:

Select the hashing algorithm. We select Argon2id:

Click Select:

And click Select to apply the formatting:

And you are done. The password passed by the password input will be stored in the database hashed with the Argon2id algorithm:

Validate Users with Security Provider

Once you have your users’ passwords hashed and stored in the database, open your login server action. Add a Security Provider step and set it up, as usual:

Select the users table, identity, username and password fields. Click OK:

The difference with Argon2 hashing is that you need to enable the Use Password Hash Verify option:

Then add your login step as usual:

And select your username and password inputs here. Note: you should not apply any formatting for the password input value:

And you are done. These are the specific things in creating users and verifying them on login using the Argon2 hashing algorithm.

2 Likes

Hello and thank you for this Teodor !

I like the point and click implementation.
Unless I’m mistaken, I don’t see a way to pass my salt as an input with this method though.

This is what I did with my SHA implementation (salt + hash) :

Would that make sense to salt the hash as well with argon2 for highly sensitive apps ?
If yes, how could we achieve this ? :slight_smile:

Thank you for your help !

With the Argon2 algorithm you don’t have to pass salt. It generates its own salt each time it runs. That is one of its strengths.

2 Likes

Awesome, thank you George ! :slight_smile:

If you want to know the hash and salt here you are:

1 Like

Yes, that’s what I understood when digging into the subject after George’s answer.
Thank you guys! :wink:
Got it to work.


In case someone runs into this issue : Use of undefined constant PASSWORD_ARGON2ID - assumed ‘PASSWORD_ARGON2ID’ (this will throw an Error in a future version of PHP)

Try upgrading php version to 7.4
Here is a topic with more information to help: https://github.com/laravel/framework/issues/29815

1 Like
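The points made so far in the thread (random salt per hash, salt stored inside the hash, verify instead of re-hash, the PHP version requirement), shown with PHP's built-in password functions. This is an added example, not code from Wappler or from the posts above; it assumes the Wappler PHP server model relies on this native API, and the helper names and sample password are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example for the PHP command line; not Wappler's code.

// PASSWORD_ARGON2ID needs PHP 7.3 or later with Argon2 support; without it PHP
// reports the "undefined constant" notice quoted in the thread.
if (!defined('PASSWORD_ARGON2ID')) {
    fwrite(STDERR, "This PHP build has no Argon2id support\n");
    exit(1);
}

// Hypothetical helper: split an encoded hash into its fields.
// Layout: $argon2id$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<digest>
function describeArgon2Hash(string $encoded): array
{
    $parts = explode('$', $encoded);
    if (count($parts) !== 6 || $parts[1] !== 'argon2id') {
        throw new InvalidArgumentException('not an Argon2id encoded hash');
    }
    return ['version' => $parts[2], 'params' => $parts[3],
            'salt' => $parts[4], 'digest' => $parts[5]];
}

// Broken login check: hashing the submitted password again draws a new salt,
// so the result never equals the stored string.
function loginByRehash(string $submitted, string $stored): bool
{
    return hash_equals($stored, password_hash($submitted, PASSWORD_ARGON2ID));
}

// Correct login check: password_verify() takes salt and cost parameters from
// the stored string and recomputes the digest from the raw submitted password.
function loginByVerify(string $submitted, string $stored): bool
{
    return password_verify($submitted, $stored);
}

$password = 'correct horse battery staple';              // constructed sample
$stored   = password_hash($password, PASSWORD_ARGON2ID); // value for the users table

printf("length %d (column is varchar(255))\n", strlen($stored));
print_r(describeArgon2Hash($stored));                    // salt travels with the hash
var_dump(loginByRehash($password, $stored));             // re-hash and compare
var_dump(loginByVerify($password, $stored));             // right password
var_dump(loginByVerify('wrong guess', $stored));         // wrong password
```

Under that assumption, the re-hash case is why the login step takes the raw password input with no formatter applied while Use Password Hash Verify is enabled.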

Hi,

I have updated to the latest version and still don’t see the option.



I have uninstalled and reinstalled twice.

Is there any reason I would not see the Cryptographic option?

Thanks
Ray

Perhaps you are not using PHP? I recall seeing a notice saying this is implemented on PHP only for now.

1 Like

Yes, Argon2 password hashes are PHP only

@mebeingken, thanks. I would say that’s exactly why it’s not showing. Thanks!

1 Like

I have created the register and login pages the same way. I did succeed with the register page, which is creating the user with the password hashed using argon2id, but when I’m trying to log in it does not work… it throws a 401 unauthorised error. But I can see the user in the database.

Is there anything else causing this issue?

Because Argon is only for PHP, what would be the safest way to deal with passwords in node?

https://www.npmjs.com/package/argon2 looks like there is an npm package for argon2… will this be added to Wappler? @George @Teodor