Hash Forge organises every supported algorithm into one of four categories — password, legacy, digest, and deprecated — so the library can enforce safe defaults at every layer. When you configure a HashManager or build a PasswordHashPolicy, Hash Forge uses the category of each algorithm to decide whether it may be used for new hashes, for verification only, or whether it should be rejected outright. Understanding these categories is the fastest way to pick the right algorithm for your project.

Algorithm Categories

password — Memory-hard or deliberately slow functions purpose-built for password storage. These algorithms make brute-force attacks computationally expensive. Hash Forge includes five password-category algorithms:
  • Argon2 — winner of the Password Hashing Competition; memory-hard and highly configurable.
  • bcrypt — the long-standing industry standard, with a password length limit of 72 bytes.
  • bcrypt-SHA256 — bcrypt with a SHA-256 pre-digest, lifting the 72-byte password length limit.
  • PBKDF2-SHA256 — NIST-approved HMAC-based key derivation; FIPS-friendly.
  • Scrypt — memory-hard function from Colin Percival; strong alternative to PBKDF2.
legacy — Older password algorithms that Hash Forge still supports for verification of existing hashes but will refuse to use for creating new ones (unless the algorithm is explicitly set as preferred_algorithm). This category covers PBKDF2-SHA1 and RIPEMD-160.

digest — Fast cryptographic hash functions appropriate for data integrity checks, content addressing, and MACs. They are not memory-hard and must never be used as standalone password hashers. This category includes Blake2, Blake3, SHA-3 256, and SHA-3 512.

deprecated — Algorithms that Hash Forge retains solely for backward-compatibility verification of old stored hashes. New hashing is blocked by default. Currently this category contains only Whirlpool, whose Hash Forge implementation is backed by SHA-512.

Algorithm Reference

| Algorithm | Type String | Category | Extra Required | Key Parameters |
|---|---|---|---|---|
| PBKDF2-SHA256 | pbkdf2_sha256 | password | None (stdlib) | iterations (≥ 150,000), salt_length |
| PBKDF2-SHA1 | pbkdf2_sha1 | legacy | None (stdlib) | iterations, salt_length |
| bcrypt | bcrypt | password | [bcrypt] | rounds (≥ 12) |
| bcrypt-SHA256 | bcrypt_sha256 | password | [bcrypt] | rounds (≥ 12) |
| Argon2 | argon2 | password | [argon2] | time_cost, memory_cost, parallelism, hash_len |
| Scrypt | scrypt | password | None (stdlib) | work_factor, block_size, parallelism |
| Blake2 | blake2 | digest | None (stdlib) | key, digest_size |
| Blake3 | blake3 | digest | [blake3] | none |
| SHA-3 256 | sha3_256 | digest | None (stdlib) | salt_length |
| SHA-3 512 | sha3_512 | digest | None (stdlib) | salt_length |
| RIPEMD-160 | ripemd160 | legacy | [crypto] | none |
| Whirlpool | whirlpool | deprecated | [crypto] | allow_legacy_verify, allow_legacy_hashing |

Install optional extras only for the algorithms you use:

```bash
pip install "hash-forge[argon2]"   # Argon2
pip install "hash-forge[bcrypt]"   # bcrypt / bcrypt-SHA256
pip install "hash-forge[blake3]"   # Blake3
pip install "hash-forge[crypto]"   # RIPEMD-160, Whirlpool
```

Security Recommendations

New projects should use argon2 as the preferred algorithm. It is memory-hard, tunable, and was purpose-designed for password hashing. For FIPS environments where only NIST-approved primitives are permitted, use pbkdf2_sha256 with at least 600,000 iterations.
Migrating from bcrypt — use the builder API to set argon2 as preferred and retain bcrypt (or bcrypt_sha256) as a fallback so existing hashes can still be verified while new hashes are issued with Argon2:
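```python
from hash_forge import HashManager

# Argon2 issues all new hashes; bcrypt stays registered so that
# existing bcrypt hashes can still be verified during the migration.
hash_manager = (
    HashManager.builder()
    .with_algorithm("argon2", time_cost=3, memory_cost=65536)
    .with_algorithm("bcrypt", rounds=12)
    .with_preferred("argon2")
    .build()
)
```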
Do not use whirlpool for new hashes. The Hash Forge implementation is backed by SHA-512 (not a true Whirlpool implementation) and is present only for verification of old stored hashes. WhirlpoolHasher raises a DeprecationWarning on every instantiation and blocks hash() calls unless allow_legacy_hashing=True is explicitly passed.
Digest algorithms — Blake2, Blake3, SHA-3 256, and SHA-3 512 — are fast by design and provide no resistance to GPU-accelerated brute-force attacks. Never use them as your sole mechanism for storing passwords. If you need to hash passwords, use one of the password-category algorithms above.
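
The category rules and the migration pattern above, sketched with the standard library only. This is an added example, not Hash Forge's code or API: the function names and the `algorithm$iterations$salt$hash` string format are assumptions, and PBKDF2-SHA1 (legacy) and PBKDF2-SHA256 (preferred) stand in for the bcrypt and Argon2 pair so the block runs without extras.

```python
import hashlib
import hmac
import os

# Categories as listed in the page's reference table (subset used here).
CATEGORY = {"pbkdf2_sha256": "password", "pbkdf2_sha1": "legacy", "sha3_256": "digest"}
PRF = {"pbkdf2_sha256": "sha256", "pbkdf2_sha1": "sha1"}
PREFERRED = "pbkdf2_sha256"
ITERATIONS = 600_000  # the page's recommended minimum for pbkdf2_sha256


def encode_hash(password: str, algorithm: str, iterations: int, salt: bytes) -> str:
    """Derive a key and serialise it as algorithm$iterations$salt$hash (assumed format)."""
    dk = hashlib.pbkdf2_hmac(PRF[algorithm], password.encode(), salt, iterations)
    return f"{algorithm}${iterations}${salt.hex()}${dk.hex()}"


def hash_password(password: str, algorithm: str = PREFERRED) -> str:
    """Create a new hash; legacy, digest and deprecated algorithms are refused."""
    if CATEGORY.get(algorithm) != "password":
        raise ValueError(f"{algorithm} may not be used for new password hashes")
    return encode_hash(password, algorithm, ITERATIONS, os.urandom(16))


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement); replacement is a fresh preferred-algorithm hash
    when the stored hash verified but is legacy or below ITERATIONS."""
    parts = stored.split("$")
    if len(parts) != 4 or CATEGORY.get(parts[0]) not in ("password", "legacy"):
        return False, None  # malformed, digest or unknown: never a password hash
    algorithm, iterations, salt_hex, _ = parts
    try:
        candidate = encode_hash(password, algorithm, int(iterations), bytes.fromhex(salt_hex))
    except ValueError:
        return False, None  # non-numeric iteration count or non-hex salt
    if not hmac.compare_digest(candidate.encode(), stored.encode()):
        return False, None
    stale = algorithm != PREFERRED or int(iterations) < ITERATIONS
    return True, (hash_password(password) if stale else None)


if __name__ == "__main__":
    # Constructed legacy record: PBKDF2-SHA1, 1,000 iterations, fixed salt.
    legacy = encode_hash("correct horse", "pbkdf2_sha1", 1000, bytes(16))
    ok, replacement = verify_and_upgrade("correct horse", legacy)
    print(ok, replacement.split("$")[:2])  # store `replacement` in place of `legacy`
```

On a successful login the caller writes the returned replacement back to the user record, so legacy hashes disappear as users sign in.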

Explore Further

Password Hashing Algorithms

Detailed reference for Argon2, bcrypt, bcrypt-SHA256, PBKDF2, and Scrypt — including constructor parameters, security minimums, hash formats, and usage examples.

Digest Hashing Algorithms

Reference for Blake2, Blake3, SHA-3 256/512, RIPEMD-160, and the deprecated Whirlpool hasher.
