scrypt
Colin Percival's memory-hard answer to bcrypt's GPU vulnerability. Used by Litecoin and a long tail of password databases.
By Deepak Gupta
scrypt was the first widely deployed *memory-hard* password hash. Its tuning parameters force any attacker to spend RAM as well as CPU per password attempt, which makes GPU and FPGA cracking far less cost-effective than against bcrypt. Memory-hardness is the right property for a password hash, and scrypt remains a perfectly defensible choice. The reason most new designs reach for Argon2id instead is the parameter story: Argon2 was designed in the modern-attacker era and exposes three orthogonal knobs (time, memory, parallelism), giving you finer control over the trade-off curve.
Recommended uses
- Memory-hard password hashing when Argon2id isn't available
- Cryptocurrencies derived from Litecoin
Known attacks / caveats
- None practical when parameters are tuned (N ≥ 2^17 for online auth in 2026).
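The memory cost and the N ≥ 2^17 floor described above, as an added example that is not code from the original page. It uses Python's hashlib.scrypt; the values r=8 and p=1, the 256 MiB cap and the record format are assumptions made for this example.

```python
import base64, hashlib, hmac, os

# Policy: N = 2^17 is the page's floor; r=8, p=1 and the 256 MiB cap are assumptions.
LOG2_N, R, P, DKLEN = 17, 8, 1, 32
MAX_MEM = 256 * 1024 * 1024

def scrypt_mem_bytes(log2_n, r):
    """RAM for scrypt's main table V: 128 * N * r bytes."""
    return 128 * (1 << log2_n) * r

def _derive(password, salt, log2_n, r, p):
    need = scrypt_mem_bytes(log2_n, r)
    if need > MAX_MEM:
        raise ValueError("scrypt parameters exceed the memory cap")
    # OpenSSL's default limit (32 MiB) rejects N = 2^17 at r=8, so pass maxmem explicitly.
    maxmem = need + 128 * r * p + (1 << 20)
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << log2_n,
                          r=r, p=p, maxmem=maxmem, dklen=DKLEN)

def hash_password(password, log2_n=LOG2_N, r=R, p=P):
    """Return 'scrypt$log2N$r$p$salt$hash' (a format made up for this example)."""
    salt = os.urandom(16)
    dk = _derive(password, salt, log2_n, r, p)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${log2_n}${r}${p}${enc(salt)}${enc(dk)}"

def verify_password(password, stored):
    """Return (ok, needs_rehash); needs_rehash flags parameters that differ from policy."""
    tag, log2_n, r, p, salt, dk = stored.split("$")
    if tag != "scrypt":
        raise ValueError("not an scrypt record")
    log2_n, r, p = int(log2_n), int(r), int(p)
    # The cap in _derive also stops a tampered record from forcing a huge allocation.
    candidate = _derive(password, base64.b64decode(salt), log2_n, r, p)
    ok = hmac.compare_digest(candidate, base64.b64decode(dk))
    return ok, ok and (log2_n, r, p) != (LOG2_N, R, P)

if __name__ == "__main__":
    print(f"policy memory: {scrypt_mem_bytes(LOG2_N, R) // 2**20} MiB per guess")
    record = hash_password("correct horse battery staple")  # constructed sample input
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Storing the parameters beside the hash lets a login with an older record succeed and then be re-hashed at the current policy.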
Designed by
Colin Percival, published 2009.
Deep dive on guptadeepak.com
The Complete Guide to Password Hashing: Argon2 vs Bcrypt vs Scrypt vs PBKDF2 (2026)
The deep-dive on which password-hashing function to pick and how to tune it.