PBKDF2 Key Derivation Guide
Derive cryptographic keys from passwords with PBKDF2 — iteration count, salt, and hash function selection.
Tags: PBKDF2 key derivation, PBKDF2 password hashing, key derivation function
PBKDF2 (Password-Based Key Derivation Function 2) is the battle-tested standard for deriving cryptographic keys from passwords. Defined in RFC 8018 and NIST SP 800-132, it is the required algorithm in FIPS 140 environments and the baseline for countless password-based encryption schemes. This guide covers the algorithm, parameter selection, and implementation examples in Python, Node.js, and the browser.

---

How PBKDF2 Works

PBKDF2 applies a pseudorandom function (PRF) — typically HMAC-SHA256 — iteratively to the password and a random salt:

The key insight: each output block requires as many sequential PRF computations as the iteration count. These cannot be parallelized within a single derivation — but multiple password candidates can be tested in parallel on a…
Frequently Asked Questions
What is PBKDF2?
PBKDF2 (Password-Based Key Derivation Function 2) is defined in RFC 8018 and NIST SP 800-132. It derives a cryptographic key from a password by applying a pseudorandom function (typically HMAC-SHA256) many times over, combined with a random salt. It is the oldest of the major password hashing functions and is mandated in FIPS 140-2/3 environments.
How many PBKDF2 iterations should I use?
OWASP recommends at least 600,000 iterations with PBKDF2-HMAC-SHA256 as of 2023. This recommendation is adjusted upward roughly annually as hardware speeds increase. If you are using PBKDF2-HMAC-SHA1, the minimum is 1,300,000 iterations. Always use SHA-256 or SHA-512 for new implementations.
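The following Python example is added to illustrate the "How PBKDF2 Works" section and the iteration guidance above; it is not code from the original guide. It writes out the RFC 8018 block/iteration structure with HMAC-SHA256 (showing why the PRF calls within one block are sequential), cross-checks the loop against `hashlib.pbkdf2_hmac`, and wraps the standard-library function in a password-storage record whose format (`pbkdf2-sha256$iterations$salt$hash`) is an assumed convention for this example.

```python
import hashlib
import hmac
import os

# OWASP 2023 minimum for PBKDF2-HMAC-SHA256, as cited in the FAQ above
OWASP_SHA256_ITERATIONS = 600_000

def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """Reference PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF.

    Written out to show the structure: output block T_i is the XOR of a chain
    U_1 .. U_c, and each U_j is the PRF of U_{j-1}, so the `iterations` HMAC
    calls that produce one block are strictly sequential.
    """
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    h_len = hashlib.sha256().digest_size  # 32 bytes
    n_blocks = -(-dk_len // h_len)        # ceil(dk_len / h_len)
    out = bytearray()
    for i in range(1, n_blocks + 1):
        # U_1 = PRF(password, salt || INT(i)), INT(i) = 4-byte big-endian block index
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()  # U_j = PRF(password, U_{j-1})
            for k in range(h_len):
                t[k] ^= u[k]                                    # T_i ^= U_j
        out += t
    return bytes(out[:dk_len])  # final block is truncated to the requested length

def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=dk_len)
    return pbkdf2_hmac_sha256(password, salt, iterations, dk_len) == expected

def hash_password(password: str, iterations: int = OWASP_SHA256_ITERATIONS) -> str:
    """Store a self-describing record (assumed format): algorithm$iterations$salt_hex$dk_hex,
    so the iteration count can be raised later without breaking existing records."""
    salt = os.urandom(16)  # 128-bit random salt, unique per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare
```

Use the pure-Python loop only to study the algorithm; for real workloads keep `hashlib.pbkdf2_hmac`, which runs the same computation in C at full iteration counts.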
What is PBKDF2-HMAC-SHA256?
PBKDF2-HMAC-SHA256 is the most common PBKDF2 variant. It uses HMAC with SHA-256 as the pseudorandom function applied at each iteration. The combination offers 256-bit security for the derived key material. SHA-512 variants produce longer output (512-bit) and can be faster on 64-bit systems, but require proportionally fewer iterations.
How does PBKDF2 compare to bcrypt?
PBKDF2 is less resistant to GPU attacks than bcrypt: although the iterations within one derivation are sequential, many password candidates can be tested in parallel on graphics hardware, and each guess needs very little memory. bcrypt's CPU-bound design resists this better. However, PBKDF2 is FIPS 140-2/3 compliant (bcrypt is not), making it the required choice in regulated US government and healthcare environments.
When should I use PBKDF2?
Use PBKDF2 when you need FIPS 140 compliance, when integrating with existing systems that mandate it (many federal and enterprise identity systems), or when deriving encryption keys from passwords (password-based encryption, PBE). For pure password storage on new systems without regulatory constraints, Argon2id is preferred.