Online PBKDF2 Generator & Verifier
PBKDF2 (Password-Based Key Derivation Function 2) derives a cryptographic key from a password using a salt and thousands of iterations to slow down brute-force attacks. Set the salt, iteration count, key length, and hash function in "More settings". Generate and Verify modes are available. Everything runs on your device.
Everything runs in your browser. Your data is never sent to our servers.
Example
Example Input
Password: hunter2 • Iterations: 100000
Example Output
hex key + salt + iterations (deterministic per salt)
How to Use
- 1Choose Generate or Verify mode.
- 2Enter the password.
- 3Set the salt (optional, random if blank), iterations, key length, and hash function in "More settings".
- 4Click the button to derive a key; in Verify mode, paste a previous result (including salt & iterations) to compare.
About PBKDF2
PBKDF2 is a password-based key-derivation function defined in RFC 2898 (PKCS #5). It turns a password into a cryptographic key by applying a pseudo-random function (usually HMAC-SHA256) repeatedly — thousands to hundreds of thousands of iterations — together with a salt.
How it works: the salt prevents rainbow tables, while the large iteration count makes each guess attempt expensive. You can choose the underlying hash function (SHA-256/SHA-512), the derived key length, and the iteration count.
PBKDF2 has long been a standard (widely supported, including the Web Crypto API) and is still secure with a high-enough iteration count. However, because it is not memory-hard, Argon2 or bcrypt are generally preferred for new passwords. PBKDF2 remains useful for compatibility and key derivation.
FAQ
How many PBKDF2 iterations are safe?
More is safer. Modern recommendations (OWASP) are in the hundreds of thousands of iterations for HMAC-SHA256, tuned to your target device performance.
PBKDF2 or Argon2/bcrypt?
For new passwords, Argon2 (then bcrypt) is generally preferred for better hardware-attack resistance. PBKDF2 is still secure and useful for compatibility and key derivation.
Is my password sent to a server?
No. PBKDF2 is computed entirely in your browser. Your password never leaves your device.