PBKDF2 (Password-Based Key Derivation Function 2) repeatedly applies HMAC to a password and salt to produce a derived key. High iteration counts make brute-force attacks expensive.

What iteration count should I use?

OWASP recommends at least 600 000 iterations with HMAC-SHA-256 for password hashing. 100 000 is a reasonable minimum but higher is better.

Is data sent to a server?

No. All derivation uses the browser Web Crypto API.

PBKDF2 Hash Generator

Derive a key from a password using PBKDF2 (SHA-256). Configure salt and iterations.

Password

Salt (hex)

Iterations:

Key length (bytes):

Related Tools

#Hash Generator

Generate SHA-1, SHA-256, SHA-384, and SHA-512 cryptographic hashes from any text.

#HMAC Generator

Generate HMAC-SHA-256/384/512 message authentication codes using a secret key.

#AES Encrypt / Decrypt

Encrypt and decrypt text with AES-GCM using a password. Runs entirely in your browser.

FAQ

What is PBKDF2?: PBKDF2 (Password-Based Key Derivation Function 2) repeatedly applies HMAC to a password and salt to produce a derived key. High iteration counts make brute-force attacks expensive.
What iteration count should I use?: OWASP recommends at least 600 000 iterations with HMAC-SHA-256 for password hashing. 100 000 is a reasonable minimum but higher is better.
Is data sent to a server?: No. All derivation uses the browser Web Crypto API.

Derive a cryptographic key from a password using PBKDF2-SHA-256 via the Web Crypto API. Specify a custom salt or auto-generate a random one, and set the iteration count (default 100 000). The derived key is displayed as hex. PBKDF2 is suitable for password hashing, key stretching, and key derivation in client-side applications.