Argon2 Hash Verification | Compare a Password Against an Encoded Hash

Enter a password and an existing Argon2 encoded hash ($argon2id$...) to check whether they match. All computation happens in your browser, and nothing is ever sent to a server.


Tips for Verifying Argon2 Hashes

  • Paste the encoded hash (the string starting with $argon2id$) generated by the Argon2 Hash Calculator tool exactly as it is.
  • The encoded hash already contains the variant, memory cost, iteration count, and salt, so you don't need to specify any of these parameters separately when verifying.
  • If the hash format is invalid (for example, characters lost during copying or stray line breaks), you'll see an error message — double-check that you copied the entire string correctly.
  • If you get a mismatch, check whether the password has unintended differences in capitalization or leading/trailing whitespace.

Frequently Asked Questions

Hash calculation generates a new hash value from a password, while verification checks whether a password matches an existing hash value. The typical workflow is to generate and store a hash when a user signs up, then only verify it on subsequent logins.

This appears when the hash you entered isn't in a valid encoded format starting with $argon2id$, $argon2i$, or $argon2d$. Check whether any characters were dropped when copying, or whether extra whitespace or line breaks got included.

The most common causes are differences in capitalization, full-width versus half-width characters, or stray whitespace before or after the password. Since even a single differing character causes a mismatch, double-check the original string you copied from.

No. Everything you enter is processed locally in your browser via WebAssembly — nothing is ever sent to or stored on a server.

Use our companion Argon2 Hash Calculator, which supports all three variants — Argon2id, Argon2i, and Argon2d.
ツールくん

Side Note — Why Comparing Hashes Is Enough to Verify a Password

Password verification might sound like it directly compares a stored password with the one you type in, but it actually works quite differently. The server (or, as in this tool, client-side code) re-hashes the password you enter using the same algorithm and the same salt that were used when it was originally stored, and then checks only whether the result matches the stored hash value. The original password itself is never the subject of a "comparison" — the whole process boils down to checking whether two hashes are identical, which is the real advantage of this approach.

This works because hash functions like Argon2 are deterministic: given the same input, salt, and parameters, they always produce the same output. An encoded hash string (in the form $argon2id$v=19$m=...$salt$hash) embeds the salt and every parameter that was used at computation time, so you never need to supply them separately when verifying — the hash string alone is enough to recompute it from scratch.

It's precisely because hashing has these two properties — being "one-way" (you can't work backward from a hash to recover the original password) and "deterministic" (the same input always yields the same output) — that a service can verify logins securely without ever storing users' raw passwords. Even if a database is leaked, all an attacker gets is the hash value, and with a computationally expensive algorithm like Argon2, brute-forcing the original password back out would take an extremely long time.