ZeroUtil

PBKDF2 Hash Generator

Derive cryptographic keys from passwords using PBKDF2 with configurable iterations, salt and hash function.

How to Use the PBKDF2 Hash Generator

Enter a password, configure the salt (auto-generated or custom hex), set the number of iterations, key length, and hash function. Click "Generate Hash" to derive a cryptographic key from your password using PBKDF2.

Parameters Explained

  • Password — the input password or passphrase to hash
  • Salt — random data added to prevent rainbow table attacks. Auto-generate for security, or enter a specific hex salt for reproducible results.
  • Iterations — how many times the hash function is applied. Higher = slower = more secure. 100,000 is a good default for 2024.
  • Key Length — the output size in bytes. 32 bytes (256 bits) is standard for AES-256 key derivation.
  • Hash Function — the underlying hash algorithm. SHA-256 is recommended for most applications.

What is PBKDF2?

PBKDF2 (Password-Based Key Derivation Function 2) is a standard algorithm for deriving cryptographic keys from passwords. It applies a pseudorandom function (HMAC) many times to make brute-force attacks computationally expensive.

Frequently Asked Questions

Is my password sent to a server?

No. All hashing is performed in your browser using the Web Crypto API. Your password and salt never leave your device.

How many iterations should I use?

At least 100,000 for PBKDF2 with SHA-256 as of 2024. OWASP recommends 600,000 iterations for the highest security. More iterations means slower hashing, which is desirable for password protection but may cause a noticeable delay in the browser.

What is the salt for?

The salt is random data mixed into the hash to ensure identical passwords produce different hashes. This prevents precomputed attacks (rainbow tables). Always use a unique random salt for each password.

Can I reproduce the same hash?

Yes, if you use the same password, salt (hex), iterations, key length, and hash function, you will get the same output. This is how password verification works — store the salt and parameters alongside the hash.

PBKDF2 vs bcrypt vs Argon2 — which is best?

Argon2 is the most modern and recommended choice. bcrypt is widely used and proven. PBKDF2 is the most broadly supported (built into Web Crypto API) and is still considered secure with sufficient iterations. Use PBKDF2 when you need browser-native implementation without external libraries.

Ad

More Security & Privacy

Password Generator

Generate cryptographically secure random passwords with configurable length, character types and entropy display.

Open tool →

Password Strength Checker

Check password strength with entropy calculation, pattern detection and common password matching.

Open tool →

Security Hash Generator

Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from text or files using the Web Crypto API.

Open tool →

TOTP Generator

Generate time-based one-time passwords (TOTP) from a base32 secret with live 30-second countdown.

Open tool →

CSP Header Generator

Build Content-Security-Policy headers with a visual form, presets and per-directive configuration.

Open tool →

AES Encrypt / Decrypt

Encrypt and decrypt text with AES-256-GCM and PBKDF2 key derivation, entirely in the browser.

Open tool →