[sarciszewski]

> Is it too early to be suggesting Argon2?

Most environments don't have an implementation for it yet, and the ones that do will probably only get it through libsodium for the first few years.

> I've not heard of it until now, but the Wikipedia entry[1] shows that the paper was just released late last year.

Argon2 was the winner of the Password Hashing Competition, a several-year cryptography competition to find a new password hashing algorithm that would be secure against an attacker armed with a large GPU cluster.

The judges included a lot of famous cryptographers and security experts. Of particular note: Colin Percival, the author of scrypt, and Jens Steube, the project lead for hashcat.

I've read the paper and I think Argon2 will stand the test of time, but I could (of course) be wrong.

[technion]

    Most environments don't have an implementation for it yet

The speed with which environments actually got implementations of previous secure algorithms was half the problem with their use, but I think Argon2 has this nailed. The README now links bindings for Go, Haskell, JavaScript, JVM, Lua, OCaml, Python, Ruby and Rust.

Disclaimer: I wrote the Ruby one.

https://github.com/P-H-C/phc-winner-argon2

[slavik81]

I don't trust them. The various language bindings are maintained by random people who have gone through no particular vetting, and their code is not formally reviewed by anyone.

When I started looking through the node bindings, I found a number of minor bugs and a critical issue that left ~1% of passwords vulnerable.

I trust that the C developers do a good job, but phc-winner-argon2 does not appear to have ever made a formal release. Is master really always perfect?

It's not ready yet.