Memory-hard password hash and proof-of-work function

Latest on Hackage:

This package is not currently in any snapshots. If you're interested in using it, we recommend adding it to Stackage Nightly. Doing so will make builds more reliable, and allow to host generated Haddocks.

BSD3 licensed by Ollie Charles, Herbert Valerio Riedel

Argon2 is the key derivation function (KDF) selected as the winner of the Password Hashing Competition. The API exposed by this bindings provide access to the 3 specified variants

  • Argon2d (maximize resistance to GPU cracking attacks),

  • Argon2i (optimized to resist side-channel attacks), and

  • Argon2id (hybrid version combining Argon2d and Argon2i)

and allows to control various parameters (time cost, memory cost, parallelism) of the Argon2 function. Moreover, it is also supported to generate and verify the deprecated version 1.0 hashes, as well as the current version 1.3 hashes.

The Haskell API supports both raw binary hashes as well as the ASCII-based PHC string format.

This version provides bindings to the "20171227" release of the Argon2 reference implementation (libargon2) of the Argon2 password-hashing function.

Please refer to the Argon2 specification for more information.


  • Fix pkgconfig-depends decleration for @use-system-library@ configuration; also add new pkg-config flag for falling back to non-pkg-config-based FFI library linkage.

  • This represents a major rewrite/refactoring of this package.

  • Add support for generating version 1.0 hashes.

  • Add support for controlling length of generated hash.

  • Add support for hybrid Argon2id variant.

  • Add NFData instances.

  • Defaults in defaultHashOptions changed to the current ones from the upstream argon2 executable.

  • Replace Argon2Exception by more direct Argon2Status enumeration; report failures purely via Either rather than by throwing as exceptions.

  • Rename verify to verifyEncoded and return more informative Argon2Status result instead of Bool.

  • Embedded phc-winner-argon2 version updated to release 20171227.

  • Mangle names of global symbols from phc-winner-argon2 to reduce risk of symbol clashes at the C ABI level.

  • Add support for libargon2's optimised C routines on x86_64 (can be disabled via new non-optimised-c cabal flag).

  • Fix potential memory leak.


  • Updated embedded phc-winner-argon2, so that hashes are generated using version 1.3 of the argon2 specification.

    Note that that hashes generated using this version are different than hashes generated using previous versions, so anything that compares them or relies on them being stable may be broken by this update. However, Crypto.Argon2.verify will continue to be able to verify hashes produced by previous versions.

  • Use CSize for portability instead of Word64, fixing build on 32 bit systems. This changed the constructors of Argon2Exception, an API change.

  • Bug fix: Crypto.Argon2.hash returned a ByteString truncated at the first NULL.

  • Added use-system-library build flag.

  • Build against base-4.9


  • First stable release. Same API as 1.0.0, but now features documentation and expected type class instances for data types.

  • QuickCheck properties added:

    1. verify (hashEncoded options password salt) password == True
    2. hash options password salt /= password
  • hash now uses the underlying "raw" hash routines, rather than the encoded routines. This was a bug in 1.0.0. Thanks to @jorgen for this fix.

  • verify added, in order to correctly verify that a password matches an encoded password.

  • defaultHashOptions are now more expensive.


  • Initial release
Depends on 4 packages:
Used by 1 package:
comments powered byDisqus