CiphersOnline
Encryption Online
Hashing
PBKDF2

PBKDF2 Online - Key Derivation

Derive a cryptographic key from a password using PBKDF2-HMAC directly in your browser. Configure the hash function (SHA-1, SHA-256, SHA-384, or SHA-512), iteration count, output key length, and salt. Use Verify mode to compare a candidate password with an existing PBKDF2 hex value.

Salt (leave empty for random)
Password
0 chars · 0 bytes
Hash to verify against
Try:
Result
✓ Client-side processing only ✓ Input is not sent to server
Examples
Common password
Hash function: SHA-256 Iterations: 600000 Key length (bytes): 32
Input password123

A typical password. Click Compute to derive a key with the current settings.

Passphrase
Hash function: SHA-256 Iterations: 600000 Key length (bytes): 32
Input correct horse battery staple

A long passphrase has high entropy and is easy to remember.

PBKDF2-HMAC-SHA512
Hash function: SHA-512 Iterations: 210000 Key length (bytes): 64 Salt (leave empty for random): docs-example-salt
Input release-notes-secret

Uses SHA-512, a 64-byte output, and a fixed example salt for repeatable documentation or interoperability testing.

High-iteration check
Hash function: SHA-256 Iterations: 1000000 Key length (bytes): 32 Salt (leave empty for random): login-user-42-unique-salt
Input admin panel passphrase

A one-million-iteration PBKDF2-HMAC-SHA256 run for comparing latency and verifying that the same parameters reproduce the same key.

What is PBKDF2?

PBKDF2 (Password-Based Key Derivation Function 2) is a password-based key derivation algorithm defined in RFC 2898 and standardized in NIST SP 800-132. It takes a password, a salt, an iteration count, a pseudo-random function such as HMAC-SHA256, and an output length, then derives a deterministic cryptographic key.

The algorithm is intentionally expensive: each iteration repeats the HMAC work, so every password guess costs more time. This PBKDF2 online tool uses the browser Web Crypto API to derive a hex-encoded key locally, without sending the password or salt to the server.

PBKDF2 is common in password storage, encrypted file formats, wallet backups, API test fixtures, and compatibility-sensitive systems where PBKDF2-HMAC-SHA256 or PBKDF2-HMAC-SHA512 is required by an existing protocol.

PBKDF2 vs bcrypt vs Argon2

PBKDF2 is the most portable key derivation option: it is available in browsers, OpenSSL, Java, .NET, Python, Node.js, operating-system APIs, and many compliance-oriented environments. That makes it useful for interoperable password hashing, legacy migrations, and systems that need PBKDF2_HMAC or pbkdf2_sha256 compatibility.

Its weakness is that it is CPU-bound and has no meaningful memory cost. Attackers with GPUs and ASICs can parallelize PBKDF2 guesses far more efficiently than defenders running ordinary application servers.

bcrypt resists GPU attacks better than PBKDF2 because it has a small internal memory state. Argon2id is the modern default for new password storage because it is memory-hard and tunable. Choose Argon2id when you control the stack; choose PBKDF2 when compatibility, Web Crypto support, FIPS-aligned environments, or existing protocol requirements matter more.

PBKDF2 parameters: hash, salt, iterations, key length

This PBKDF2 generator exposes the parameters developers usually need. The hash setting selects the HMAC digest used as the pseudo-random function: SHA-256 is the practical default, SHA-512 is common for wider SHA-2 deployments, SHA-384 is available for compatibility, and SHA-1 should only be used when a legacy format requires it.

The salt should be unique for every password or derived key. It does not need to be secret; store it with the derived hash or encrypted data. For production systems, generate a random salt with a cryptographically secure random source. A fixed salt is useful only for repeatable examples and test vectors.

Iterations control cost. Higher values slow both legitimate verification and offline guessing. The default is 600,000 iterations for PBKDF2-HMAC-SHA256, matching the OWASP 2024 baseline. Key length is the output size in bytes: 32 bytes gives a 256-bit key and a 64-character hex result; 64 bytes gives a 512-bit output.

Generate, verify, and store PBKDF2 values

Use Hash mode to generate a PBKDF2 hex value from a password and the selected parameters. Use Verify mode when you already have a stored PBKDF2 hex value: the tool derives the key again with the same salt, hash, iteration count, and key length, then reports whether the values match.

PBKDF2 cannot be decrypted. It is a one-way derivation function, so recovery works only by trying the candidate password with the original parameters and comparing the output. If any parameter changes - salt, hash function, iterations, or key length - the derived value changes too.

For real user accounts, do password hashing on your application server with a maintained library, rate limiting, monitoring, and a plan for parameter upgrades. This online PBKDF2 calculator is best for learning, debugging interoperability, documenting parameters, creating reproducible test vectors, and checking a hash during development.

FAQ

OWASP 2024 recommends 600,000 iterations for PBKDF2-HMAC-SHA-256 and 210,000 for PBKDF2-HMAC-SHA-512. NIST SP 800-132 recommends at least 1,000 (a very low floor — modern systems should be far above this). The right number depends on your threat model and hardware: aim for hashing to take 100–500 ms on your server. Higher iterations slow attackers proportionally; lower iterations save user-facing latency.

A salt is a unique random value added to each password before hashing. Without a salt, identical passwords produce identical hashes — making rainbow-table attacks practical. With a unique salt per user, attackers must attack each hash separately. The salt does not need to be secret, only unique (16 random bytes is plenty). Store the salt alongside the hash.

Choose PBKDF2 when you need broad platform support, FIPS validation, or interoperability with legacy systems. Argon2id is generally better for new systems where it is available. PBKDF2 has no memory cost — attackers can parallelize it cheaply on GPUs. For high-security applications, Argon2id is the recommended choice.

No. PBKDF2 is computed entirely in your browser via the Web Crypto API (window.crypto.subtle.deriveBits). Your password and salt never leave your device — no network requests, no logging, no server-side processing.

No. PBKDF2 is not encryption and has no decrypt operation. It is a one-way key derivation function. To check a password, derive PBKDF2 again with the same salt, hash function, iterations, and key length, then compare the new hex output with the stored value.

Use PBKDF2-HMAC-SHA256 unless your protocol or existing database requires another option. PBKDF2-HMAC-SHA512 is also common, especially in systems already standardized on SHA-512. SHA-384 is available for compatibility. Avoid SHA-1 for new designs; keep it only for legacy formats that explicitly require PBKDF2-HMAC-SHA1.

Store the derived hash, salt, iteration count, hash function, and key length. PBKDF2 output alone is not enough to verify a password later because the verifier must repeat the exact same parameters. Many systems encode these fields into one string; others store them as separate columns.

No. The salt must be unique and preferably random, but it is not a secret key. Its purpose is to make equal passwords produce different PBKDF2 outputs and to prevent attackers from reusing precomputed tables. Store the salt next to the hash.

Use it for education, parameter comparison, interoperability checks, and test vectors. For production user accounts, compute and verify PBKDF2 on the server with secure random salts, rate limiting, monitoring, and controlled parameter upgrades. Browser-side hashing alone does not replace server-side password storage controls.
Related tools

HMAC Generator

Generate an HMAC from text with a secret key in your browser.

All Hashing & Password Security →