Password hashing / KDF

PBKDF2

Password-Based Key Derivation Function 2, specified in PKCS #5 v2.1 (RSA Labs, 2000) and republished as RFC 8018 in 2017. PBKDF2 turns a password into a key by iterating an HMAC chain thousands or millions of times; the only cost lever is iteration count.

At a glance

Output	Any length
Cost parameter	iteration count `c`
Internal primitive	HMAC over a base hash (SHA-256 / SHA-512)
Memory cost	None , trivially parallelizable on GPUs
Standard	RFC 8018 (PKCS #5 v2.1)
Status	Acceptable for legacy; prefer Argon2id / scrypt for new designs

Recommended iteration counts (2026)

PBKDF2-HMAC-SHA-256: ≥ 600,000 (OWASP 2023 floor).
PBKDF2-HMAC-SHA-512: ≥ 210,000.
PBKDF2-HMAC-SHA-1: ≥ 1,300,000 (HMAC layer still safe; bump c).

Calibrate so an interactive login takes 100–500 ms on real hardware.

Where it is used

WPA2 / WPA3 PSK , PBKDF2-HMAC-SHA-1 over passphrase + SSID.
iOS / macOS keychain , PBKDF2 with device-calibrated cost.
1Password (pre-Argon2) , PBKDF2-HMAC-SHA-256.
LastPass , historically PBKDF2-HMAC-SHA-256 (raised in 2018).
Microsoft Office encryption , PBKDF2 within OOXML password encryption.

Why it’s no longer the first choice

No memory cost. A modern GPU can attempt millions of PBKDF2-HMAC-SHA-256 candidates per second per device. Memory-hard alternatives like Argon2id force the attacker to commit RAM per candidate, flattening the GPU advantage.

Try it

The KDF Lab includes PBKDF2 with HMAC-SHA-256 or HMAC-SHA-512 selectable and an iteration-count slider.

References

Generate

Run pbkdf2 on your input

Password

Salt (hex)

16 bytes

Iterations

600,000

PRF

Quick quiz

Test yourself on pbkdf2

10 multiple-choice questions. Pick an answer for each, then submit to see explanations.

Q1.What does PBKDF2 stand for?
Q2.RFC:
Q3.Only cost lever in PBKDF2:
Q4.Internal primitive:
Q5.OWASP 2023 floor for PBKDF2-HMAC-SHA-256:
Q6.WPA2-PSK uses PBKDF2 with:
Q7.Is PBKDF2 memory-hard?
Q8.Migration path from PBKDF2:
Q9.Year PKCS #5 v2.1 (RFC 8018) published:
Q10.Which Wikipedia category?