Hash Forge organises every supported algorithm into one of four categories —Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Zozi96/hash-forge/llms.txt
Use this file to discover all available pages before exploring further.
password, legacy, digest, and deprecated — so the library can enforce safe defaults at every layer. When you configure a HashManager or build a PasswordHashPolicy, Hash Forge uses the category of each algorithm to decide whether it may be used for new hashes, for verification only, or whether it should be rejected outright. Understanding these categories is the fastest way to pick the right algorithm for your project.
Algorithm Categories
password — Memory-hard or deliberately slow functions purpose-built for password storage. These algorithms make brute-force attacks computationally expensive. Hash Forge includes five password-category algorithms:
- Argon2 — winner of the Password Hashing Competition; memory-hard and highly configurable.
- bcrypt — the long-standing industry standard with a work-factor ceiling of 72 bytes per password.
- bcrypt-SHA256 — bcrypt with a SHA-256 pre-digest, lifting the 72-byte password length limit.
- PBKDF2-SHA256 — NIST-approved HMAC-based key derivation; FIPS-friendly.
- Scrypt — memory-hard function from Colin Percival; strong alternative to PBKDF2.
legacy — Older password algorithms that Hash Forge still supports for verification of existing hashes but will refuse to use for creating new ones (unless the algorithm is explicitly set as preferred_algorithm). This category covers PBKDF2-SHA1 and RIPEMD-160.
digest — Fast cryptographic hash functions appropriate for data integrity checks, content addressing, and MACs. They are not memory-hard and must never be used as standalone password hashers. This category includes Blake2, Blake3, SHA-3 256, and SHA-3 512.
deprecated — Algorithms that Hash Forge retains solely for backward-compatibility verification of old stored hashes. New hashing is blocked by default. Currently this category contains only Whirlpool, whose Hash Forge implementation is backed by SHA-512.
Algorithm Reference
| Algorithm | Type String | Category | Extra Required | Key Parameters |
|---|---|---|---|---|
| PBKDF2-SHA256 | pbkdf2_sha256 | password | None (stdlib) | iterations (≥ 150,000), salt_length |
| PBKDF2-SHA1 | pbkdf2_sha1 | legacy | None (stdlib) | iterations, salt_length |
| bcrypt | bcrypt | password | [bcrypt] | rounds (≥ 12) |
| bcrypt-SHA256 | bcrypt_sha256 | password | [bcrypt] | rounds (≥ 12) |
| Argon2 | argon2 | password | [argon2] | time_cost, memory_cost, parallelism, hash_len |
| Scrypt | scrypt | password | None (stdlib) | work_factor, block_size, parallelism |
| Blake2 | blake2 | digest | None (stdlib) | key, digest_size |
| Blake3 | blake3 | digest | [blake3] | none |
| SHA-3 256 | sha3_256 | digest | None (stdlib) | salt_length |
| SHA-3 512 | sha3_512 | digest | None (stdlib) | salt_length |
| RIPEMD-160 | ripemd160 | legacy | [crypto] | none |
| Whirlpool | whirlpool | deprecated | [crypto] | allow_legacy_verify, allow_legacy_hashing |
Security Recommendations
Migrating from bcrypt — use the builder API to setargon2 as preferred and retain bcrypt (or bcrypt_sha256) as a fallback so existing hashes can still be verified while new hashes are issued with Argon2:
Explore Further
Password Hashing Algorithms
Detailed reference for Argon2, bcrypt, bcrypt-SHA256, PBKDF2, and Scrypt — including constructor parameters, security minimums, hash formats, and usage examples.
Digest Hashing Algorithms
Reference for Blake2, Blake3, SHA-3 256/512, RIPEMD-160, and the deprecated Whirlpool hasher.
