Online PBKDF2 Generator & Verifier

PBKDF2 (Password-Based Key Derivation Function 2) derives a cryptographic key from a password using a salt and thousands of iterations to slow down brute-force attacks. Set the salt, iteration count, key length, and hash function in "More settings". Generate and Verify modes are available. Everything runs on your device.

The result will appear here...
or click the button

Everything runs in your browser. Your data is never sent to our servers.

728 × 90Ad Space AvailablePlace your ad here

Example

Example Input

Password: hunter2  •  Iterations: 100000

Example Output

hex key + salt + iterations (deterministic per salt)

How to Use

  1. 1Choose Generate or Verify mode.
  2. 2Enter the password.
  3. 3Set the salt (optional, random if blank), iterations, key length, and hash function in "More settings".
  4. 4Click the button to derive a key; in Verify mode, paste a previous result (including salt & iterations) to compare.

About PBKDF2

PBKDF2 is a password-based key-derivation function defined in RFC 2898 (PKCS #5). It turns a password into a cryptographic key by applying a pseudo-random function (usually HMAC-SHA256) repeatedly — thousands to hundreds of thousands of iterations — together with a salt.

How it works: the salt prevents rainbow tables, while the large iteration count makes each guess attempt expensive. You can choose the underlying hash function (SHA-256/SHA-512), the derived key length, and the iteration count.

PBKDF2 has long been a standard (widely supported, including the Web Crypto API) and is still secure with a high-enough iteration count. However, because it is not memory-hard, Argon2 or bcrypt are generally preferred for new passwords. PBKDF2 remains useful for compatibility and key derivation.

FAQ

How many PBKDF2 iterations are safe?

More is safer. Modern recommendations (OWASP) are in the hundreds of thousands of iterations for HMAC-SHA256, tuned to your target device performance.

PBKDF2 or Argon2/bcrypt?

For new passwords, Argon2 (then bcrypt) is generally preferred for better hardware-attack resistance. PBKDF2 is still secure and useful for compatibility and key derivation.

Is my password sent to a server?

No. PBKDF2 is computed entirely in your browser. Your password never leaves your device.

Related Tools

Related Categories