Is Argon2 actually the best algorithm for password hashing?

[CViniciusSDias]

Recently I brought up the discussion about using Argon2id as the default password hashing algorithm in PHP: https://externals.io/message/120993

This lead to a person (who was one of the people in the experts panel for the Password Hashing Competition) mentioning that Bcrypt is actually more secure than Argon2id for password hashing:

1. https://twitter.com/TerahashCorp/status/1155119064248913920
2. https://twitter.com/TerahashCorp/status/1155129705034653698

Is this being considered by libsodium?

[samuel-lucas6]

On slide 21 of this presentation Frank mentions that Argon2 is worse than bcrypt for some parameters, demonstrating he's well aware of this. In fact, if you look at the roadmap, you'll see that bscrypt has been listed as a consideration, which is meant to be an improvement on bcrypt and is also by someone on the PHC panel.

bcrypt has numerous implementation issues and is also not a KDF, so then you need separate algorithms for password hashing and password-based key derivation. Furthermore, Argon2 is far from bad, has received academic attention, is widely supported/recommended, and is more flexible than bcrypt.

Most importantly, by using any password hashing algorithm you'll already be doing better than a lot of companies based on breaches. Whilst using the best algorithm would be ideal, it's not that important compared to having strong passwords.