New time-to-crack research shows Argon2 raises the cost of offline cracking but cannot stop stolen or reused passwords, as Specops adds more than 60 million newly compromised passwords to its Breached Password Protection service
STOCKHOLM, Sweden, 17 July 2026: Specops Software, an Outpost24 company, has published research on July 16 on how the hardened algorithm Argon2 resists modern cracking hardware. The testing found that Argon2id was far slower to crack than SHA256 on the same equipment, confirming its strength as a memory-hard algorithm. It also found that a low-cost server could match or beat a high-end graphics rig, showing stronger hashing raises costs without removing risk.
Argon2, winner of the 2015 Password Hashing Competition, is designed to be memory-hard, which limits the advantage attackers gain from powerful GPUs. The research focused on Argon2id, its recommended general-purpose variant, tested on a rig of eight Nvidia RTX 5090 graphics cards. Cloud providers rent comparable hardware for around five dollars an hour, and the team also tested a single AMD EPYC server processor. The results showed that Argon2id sharply limits the advantage attackers gain from newer, more powerful GPUs.
Argon2id achieved a hashrate of just 490 hashes per second, compared with 221 billion for SHA256, making it approximately 451 million times slower to crack on the same hardware. Put into practical terms, a password that takes one second to crack when hashed with SHA256 would take more than 14 years with Argon2id. On a GPU rig alone, brute forcing a strong, random password becomes effectively unrealistic. Yet the tool mdxfind reached 730 hashes per second on an AMD EPYC CPU costing about 2,100 dollars, outpacing the eight-card GPU rig. That shows determined attackers can still recover some hashes.
That protection still has clear limits in the real world. Argon2 does nothing for a password an attacker already holds from a prior breach, a phishing attack, or an infostealer infection. Weak or predictable passwords can still be guessed, which is why strong hashing belongs inside a wider strategy, not a replacement for it. To raise the cost further, the research recommends a minimum password length of 15 characters.
“Argon2 is a real step forward that makes brute forcing far more expensive than older algorithms,” said Darren James, Senior Product Manager at Specops Software. “But harder is not the same as impossible, and no hashing algorithm can protect a password an attacker already has. Strong hashing needs to be combined with policies that prevent weak, predictable and already-compromised passwords from being used.”
The research coincides with the latest update to the Specops Breached Password Protection service, which helps organizations block exposed credentials across Active Directory. That update adds more than 60 million newly compromised passwords, gathered from Specops’ honeypot network and threat intelligence sources. The service continuously checks passwords against known breached credentials, helping organizations identify exposed passwords and prompt users to change them before they are used against the business.