PBKDF2 Key Deriver
Derive a key from a password using PBKDF2.
Overview
The PBKDF2 key deriver stretches a password into a fixed-length key suitable for symmetric encryption, MACs, or storage. Type a password, set a salt, pick a hash and an iteration count, and receive a derived key in hex or base64.
It is the right tool for engineers wiring PBKDF2 into a login system, security reviewers comparing iteration counts against current OWASP guidance, and anyone reproducing test vectors from RFC 6070 or NIST SP 800-132. PBKDF2 is the most widely deployed password-based KDF — supported by everything from 1Password to WPA2 — so a PBKDF2 generator online is a frequent reach.
How it works
PBKDF2 (Password-Based Key Derivation Function 2, RFC 8018) iterates a PRF — usually HMAC-SHA-1, HMAC-SHA-256, or HMAC-SHA-512 — over the password and salt to deliberately slow down brute-force attacks. For each output block:
U1 = HMAC(password, salt || INT(i))
U2 = HMAC(password, U1)
...
Uc = HMAC(password, Uc-1)
Ti = U1 XOR U2 XOR ... XOR Uc
The derived key is T1 || T2 || ... truncated to the requested length. The iteration count c is the security knob: doubling c doubles the cost for both attacker and defender. PBKDF2 has no memory hardness, which is its weakness against modern GPU and ASIC attackers — for new designs, Argon2id is generally preferred.
Examples
Password: password
Salt: salt
PRF: HMAC-SHA-256
Iterations: 1
Length: 32 bytes
Output: 120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b
Password: password
Salt: salt
PRF: HMAC-SHA-256
Iterations: 600000
Length: 32 bytes
Output: (32 bytes hex)
Password: passwordPASSWORDpassword
Salt: saltSALTsaltSALTsaltSALTsaltSALTsalt
PRF: HMAC-SHA-256
Iterations: 4096
Length: 40 bytes
Output: 348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9
FAQ
What iteration count should I use?
OWASP 2024 recommends at least 600 000 iterations of PBKDF2-HMAC-SHA-256 for password hashing. For lower-risk key derivation (e.g. file encryption where the password is decent), 100 000 is a defensible floor. Re-evaluate annually.
SHA-1 or SHA-256?
For new designs, SHA-256 (HMAC-SHA-256). PBKDF2-HMAC-SHA-1 is still secure but is faster per iteration on a GPU, so an attacker gets more value from cheap hardware.
Why is the salt important?
A salt makes precomputed rainbow tables useless and ensures two users with the same password get different derived keys. Use at least 16 random bytes; never reuse the salt across users.
Is PBKDF2 still OK in 2026?
Yes for compatibility, but Argon2id is the modern recommendation for password storage. PBKDF2 remains fine for non-password contexts where the input has decent entropy (e.g. ECDH-derived secrets, though HKDF is more appropriate there).