Tune Argon2id parameters (m, t, p) interactively, measure hash latency in your browser, see how many years it survives an RTX 4090 attack. Pick production KDF settings with numbers, not vibes.
argon2 · kdf · password-hashing · owasp
"Argon2id is memory-hard and GPU-resistant" — fine, but how much memory, how many iterations, how much parallelism? What's behind OWASP's m=65536, t=3, p=4 recommendation? This lab lets you drag parameters, measure latency, and project survival time against real RTX 4090 attacker throughput.
Tarayıcı notu: SubtleCrypto'da Argon2 yoktur. Gecikme ölçümü için PBKDF2-SHA-512 kullanılır. Crack-time projeksiyonları gerçek Argon2id benchmark'larına dayanır.
m artışı GPU bellek sınırını aşar → paralel saldırı sayısı düşer. t artışı doğrusal yavaşlatır. p CPU thread'lerini etkiler, GPU saldırısını azaltmaz.
| Param | Effect | OWASP min | OWASP rec |
|---|---|---|---|
| m (memory, KiB) | GPU memory ceiling → parallel attacks shrink | 19456 (19 MiB) | 65536 (64 MiB) |
| t (iterations) | Linear slowdown | 2 | 3 |
| p (parallelism) | Server thread count | 1 | 4 |
Aim for 500ms target latency server-side. Login is a single password hash; 500ms doesn't annoy users but ruins attackers:
CPU-bound: run inside a Node.js worker thread to avoid blocking the event loop. @node-rs/argon2 or the native argon2 package is recommended.
This lab doesn't run real Argon2id — SubtleCrypto has no Argon2 implementation. Latency uses PBKDF2-SHA-512 as a stand-in. Crack-time projections come from real Argon2id benchmarks (academic papers + community 2024).