PBKDF2 Key Derivation


Derive cryptographic keys from passwords using PBKDF2 (Password-Based Key Derivation Function 2). Supports HMAC-SHA1, SHA256, SHA384, SHA512 with configurable iterations and key length. RFC 2898 / PKCS#5 compliant. No passwords stored.

Derive Key from Password
WPA/WPA2 uses PBKDF2(passphrase, SSID, 4096, 256) per IEEE 802.11i to derive a 256-bit Pairwise Master Key (PMK).

The WiFi network name is used as the salt for WPA-PSK derivation.

  • Salt: minimum 16 bytes recommended
  • Iterations: OWASP recommends 600,000+ for SHA-256
  • Key length: 32 bytes = 256 bits (AES-256)

Security Note: Key derivation is performed server-side. For production use, always derive keys locally.


How PBKDF2 Works

PBKDF2 derives a cryptographic key from a password by applying a pseudorandom function (typically HMAC) with a salt, repeating the process many times to increase the computational cost of brute-force attacks.

[Diagram: Password (user secret) + Salt (16+ bytes) → HMAC-SHA256 (pseudorandom function) × iterations (repeat) → XOR (combine blocks: U1 ^ U2 ^ ... ^ Uc) → Derived Key, 32 bytes (256 bits)]

PBKDF2 Formula

DK = PBKDF2(PRF, Password, Salt, c, dkLen)
  • PRF — Pseudorandom function (e.g., HMAC-SHA256)
  • Password — Master password
  • Salt — Random salt (min 16 bytes recommended)
  • c — Iteration count
  • dkLen — Desired key length in bytes
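
The formula expanded into its block structure, as an added example (not code from this page or tool): each block is the XOR of c chained HMAC outputs, and the key is ceil(dkLen / hLen) blocks concatenated and truncated. Function names and sample inputs are constructed; the example goes slightly beyond the formula by showing multi-block output.

```python
import hashlib
import hmac
import struct


def pbkdf2_block(hash_name, password, salt, c, i):
    """F(Password, Salt, c, i) = U1 ^ U2 ^ ... ^ Uc for 1-based block index i."""
    # U1 = PRF(Password, Salt || INT_32_BE(i))
    u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(c - 1):
        # Uj = PRF(Password, U(j-1)); fold each Uj into the running XOR
        u = hmac.new(password, u, hash_name).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(len(u), "big")


def blocks_needed(hash_name, dk_len):
    """Number of full c-iteration chains required: ceil(dkLen / hLen)."""
    h_len = hashlib.new(hash_name).digest_size
    return -(-dk_len // h_len)


def pbkdf2(hash_name, password, salt, c, dk_len):
    """DK = T1 || T2 || ... || Tl, truncated to dkLen bytes."""
    n = blocks_needed(hash_name, dk_len)
    dk = b"".join(pbkdf2_block(hash_name, password, salt, c, i)
                  for i in range(1, n + 1))
    return dk[:dk_len]


# Constructed sample inputs; 1,000 iterations keeps the pure-Python demo fast.
PASSWORD, SALT, ITERS = b"correct horse", bytes(range(16)), 1000

if __name__ == "__main__":
    dk32 = pbkdf2("sha256", PASSWORD, SALT, ITERS, 32)
    dk64 = pbkdf2("sha256", PASSWORD, SALT, ITERS, 64)
    ref = hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, ITERS, 32)
    print("matches hashlib:", dk32 == ref)
    print("chains for 32 / 64 bytes:",
          blocks_needed("sha256", 32), blocks_needed("sha256", 64))
    # Block 1 does not depend on dkLen, so a longer key adds defender work only.
    print("first 32 of 64-byte key equals 32-byte key:", dk64[:32] == dk32)
```

Because block 1 is independent of dkLen, someone testing password guesses against a 64-byte SHA-256 key only needs the first chain, while the defender pays for two.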

PBKDF2 vs Other KDFs

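| Algorithm | Memory-Hard | GPU Resistant | Standard | Recommendation |
|-----------|-------------|---------------|----------|----------------|
| PBKDF2 | No | Low | RFC 2898 | Legacy / FIPS compliance |
| BCrypt | 4KB | Medium | De facto | Still acceptable |
| Scrypt | Yes | High | RFC 7914 | Good choice |
| Argon2id | Yes (configurable) | High | RFC 9106 | Best for new apps |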

OWASP Iteration Recommendations (2023)

| Algorithm | Min Iterations | Notes |
|-----------|----------------|-------|
| PBKDF2-HMAC-SHA1 | 1,300,000 | Legacy, avoid for new apps |
| PBKDF2-HMAC-SHA256 | 600,000 | Recommended default |
| PBKDF2-HMAC-SHA512 | 210,000 | Faster on 64-bit systems |

Code Examples

Python: PBKDF2 Key Derivation

    import hashlib
    import os

    # Generate random salt
    salt = os.urandom(16)

    # Derive key using PBKDF2-HMAC-SHA256
    password = b"secret"
    key = hashlib.pbkdf2_hmac(
        'sha256', password, salt,
        iterations=600000, dklen=32
    )
    print(f"Key: {key.hex()}")
    print(f"Salt: {salt.hex()}")

Java: PBKDF2 Key Derivation

    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.PBEKeySpec;
    import java.security.SecureRandom;

    public class Pbkdf2Example {
        public static void main(String[] args) throws Exception {
            // Generate salt
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);

            // Derive key (PBEKeySpec takes the key length in bits)
            PBEKeySpec spec = new PBEKeySpec(
                "password".toCharArray(), salt, 600000, 256
            );
            SecretKeyFactory f = SecretKeyFactory
                .getInstance("PBKDF2WithHmacSHA256");
            byte[] key = f.generateSecret(spec).getEncoded();
        }
    }

Node.js: PBKDF2 Key Derivation

    const crypto = require('crypto');

    // Generate salt
    const salt = crypto.randomBytes(16);

    // Derive key (async)
    crypto.pbkdf2(
      'password', salt, 600000, 32, 'sha256',
      (err, key) => {
        // Surface derivation errors instead of dereferencing an undefined key
        if (err) throw err;
        console.log(`Key: ${key.toString('hex')}`);
      }
    );

    // Synchronous version
    const key = crypto.pbkdf2Sync(
      'password', salt, 600000, 32, 'sha256'
    );

Go: PBKDF2 Key Derivation
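
    package main

    import (
        "crypto/rand"
        "crypto/sha256"
        "fmt"

        "golang.org/x/crypto/pbkdf2"
    )

    func main() {
        // Generate salt; fail rather than continue with an unfilled buffer
        salt := make([]byte, 16)
        if _, err := rand.Read(salt); err != nil {
            panic(err)
        }

        // Derive 32-byte key
        key := pbkdf2.Key(
            []byte("password"), salt,
            600000, 32, sha256.New,
        )
        fmt.Printf("Key: %x\n", key)
    }
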
OpenSSL: PBKDF2 Key Derivation

    # Derive 256-bit key using PBKDF2-HMAC-SHA256 (OpenSSL 3.0+)
    # hexsalt: passes the salt as hex-encoded bytes; salt: would take the text literally
    openssl kdf -keylen 32 \
      -kdfopt digest:SHA256 \
      -kdfopt pass:password \
      -kdfopt hexsalt:0102030405060708 \
      -kdfopt iter:600000 PBKDF2

    # Using enc command (older OpenSSL)
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 \
      -salt -in plain.txt -out encrypted.bin

Security Best Practices

Do's

  • Use 600,000+ iterations for SHA-256
  • Use a unique random salt per password (16+ bytes)
  • Use HMAC-SHA256 or SHA512
  • Store salt alongside the derived key
  • Consider Argon2id for new applications
  • Benchmark iterations on your target hardware

Don'ts

  • Don't use fewer than 100,000 iterations
  • Don't use HMAC-SHA1 for new applications
  • Don't reuse salts across different passwords
  • Don't derive more bytes than the hash output
  • Don't use a static/hardcoded salt
  • Don't skip key stretching for password storage

Frequently Asked Questions

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function specified in RFC 2898 and PKCS#5. It applies a pseudorandom function (like HMAC-SHA256) to a password along with a salt, repeating the process many times to produce a derived key suitable for cryptographic operations.
OWASP recommends at least 600,000 iterations for PBKDF2-HMAC-SHA256 as of 2023. For older systems, minimum 310,000 iterations for SHA-256 or 120,000 for SHA-512. Higher iterations increase security but also computation time.
PBKDF2 is CPU-intensive but not memory-hard, making it vulnerable to GPU attacks. Bcrypt uses 4KB of memory, while Argon2 uses configurable memory (typically 64MB+). For new applications, Argon2id is recommended over PBKDF2. However, PBKDF2 remains widely used for compatibility and FIPS 140-2 compliance.
The key length depends on your use case: 128 bits (16 bytes) for AES-128, 256 bits (32 bytes) for AES-256, or 512 bits (64 bytes) for HMAC-SHA512. Never derive more bits than the hash function outputs without careful consideration.
PBKDF2 is still safe when configured correctly with high iteration counts (600K+ for SHA-256). It is required for FIPS 140-2 compliance. However, for new applications without compliance requirements, Argon2id provides stronger protection against GPU and ASIC attacks.
Use Python's hashlib module: import hashlib, os; password = b'secret'; salt = os.urandom(16); key = hashlib.pbkdf2_hmac('sha256', password, salt, iterations=600000, dklen=32). The derived key is 32 bytes suitable for AES-256 encryption.
Yes. PBKDF2 is the only password-based key derivation function approved under FIPS 140-2 (NIST SP 800-132). This makes it mandatory in government, financial, and healthcare systems requiring FIPS compliance. Neither bcrypt nor Argon2 is a FIPS-approved alternative.
WPA2-Personal (WPA-PSK) uses PBKDF2-HMAC-SHA1 with 4096 iterations to derive a 256-bit Pairwise Master Key (PMK) from the WiFi passphrase and SSID. The formula is: PMK = PBKDF2(passphrase, SSID, 4096, 256). This is defined in IEEE 802.11i.
If you request more output bytes than the underlying hash function produces (e.g., >32 bytes for SHA-256), PBKDF2 must run the entire iteration process multiple times. Requesting 64 bytes from SHA-256 doubles the computation for the defender but not for an attacker targeting just the first block. Always match key length to hash output: 32 bytes for SHA-256, 64 bytes for SHA-512.
The common approach is transparent rehashing: (1) Keep PBKDF2 hashes in your database, (2) When a user logs in, verify with PBKDF2, then immediately rehash the password with Argon2id and store the new hash, (3) Mark the record as migrated. Over time, most active users will be migrated. For inactive accounts, force a password reset.
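
The login-time migration described in the last answer, as an added example that is not this site's code. Argon2id is not in Python's standard library, so `hashlib.scrypt` stands in for it here; the record layout, function names and scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 600_000            # the page's figure for SHA-256
SCRYPT = dict(n=2**14, r=8, p=1)  # assumed demo parameters, not from the page


def hash_pbkdf2(password, salt=None, iters=PBKDF2_ITERS):
    """Legacy record: the salt and iteration count are stored beside the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iters, dklen=32)
    return {"alg": "pbkdf2-sha256", "iters": iters, "salt": salt, "hash": dk}


def hash_new(password, salt=None):
    """Target record; scrypt is the stand-in for Argon2id (assumption)."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password, salt=salt, dklen=32, **SCRYPT)
    return {"alg": "scrypt", "salt": salt, "hash": dk}


def verify(record, password):
    """Recompute with the record's own parameters, compare in constant time."""
    if record["alg"] == "pbkdf2-sha256":
        cand = hash_pbkdf2(password, record["salt"], record["iters"])
    elif record["alg"] == "scrypt":
        cand = hash_new(password, record["salt"])
    else:
        return False
    return hmac.compare_digest(cand["hash"], record["hash"])


def login(db, user, password):
    """Steps 1-3: verify the stored record, then upgrade it in place."""
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if record["alg"] == "pbkdf2-sha256":
        # The plaintext is only available now, so rehash with a fresh salt.
        db[user] = hash_new(password)  # the "alg" field marks it as migrated
    return True
```

A failed login leaves the legacy record untouched, and accounts that never log in keep `alg == "pbkdf2-sha256"`, which is the set to target with a forced reset.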
