Argon2 Hash Verification | Compare a Password Against an Encoded Hash
Enter a password and an existing Argon2 encoded hash ($argon2id$...) to check whether they match. All computation happens in your browser, and nothing is ever sent to a server.
Tips for Verifying Argon2 Hashes
- Paste the encoded hash (the string starting with $argon2id$) generated by the Argon2 Hash Calculator tool exactly as it is.
- The encoded hash already contains the variant, memory cost, iteration count, and salt, so you don't need to specify any of these parameters separately when verifying.
- If the hash format is invalid (for example, characters lost during copying or stray line breaks), you'll see an error message — double-check that you copied the entire string correctly.
- If you get a mismatch, check whether the password has unintended differences in capitalization or leading/trailing whitespace.
Frequently Asked Questions
Side Note — Why Comparing Hashes Is Enough to Verify a Password
Password verification might sound like it directly compares a stored password with the one you type in, but it actually works quite differently. The server (or, as in this tool, client-side code) re-hashes the password you enter using the same algorithm and the same salt that were used when it was originally stored, and then checks only whether the result matches the stored hash value. The original password itself is never the subject of a "comparison" — the whole process boils down to checking whether two hashes are identical, which is the real advantage of this approach.
This works because hash functions like Argon2 are deterministic: given the same input, salt, and parameters, they always produce the same output. An encoded hash string (in the form $argon2id$v=19$m=...$salt$hash) embeds the salt and every parameter that was used at computation time, so you never need to supply them separately when verifying — the hash string alone is enough to recompute it from scratch.
It's precisely because hashing has these two properties — being "one-way" (you can't work backward from a hash to recover the original password) and "deterministic" (the same input always yields the same output) — that a service can verify logins securely without ever storing users' raw passwords. Even if a database is leaked, all an attacker gets is the hash value, and with a computationally expensive algorithm like Argon2, brute-forcing the original password back out would take an extremely long time.