
Password Hasher (PBKDF2)

Hash passwords securely using PBKDF2-SHA256 with configurable iterations

Hash passwords the right way

Storing passwords in plain text is how breaches go from “we got hacked” to “10 million credentials are on a dark web forum.” PBKDF2 takes your password, mixes it with a random salt, and runs HMAC-SHA256 thousands of times until the result is a hash that’s computationally expensive for an attacker to brute-force but cheap enough to verify on a single login.

This tool does all of that in your browser using the Web Crypto API. Your password never touches a server. Type it in, pick your iteration count, get back a self-contained hash string with the algorithm, iterations, salt, and derived key all packed together.

How to use it

Enter a password, choose how many iterations (100,000 is a good default), click hash. You get a string like pbkdf2:sha256:100000:base64salt:base64hash. Store that in your database. Later, use the Password Hash Verifier to check if an entered password matches.

What’s the deal with iterations?

The iteration count is basically how hard you want to make life for attackers. More iterations = more CPU work per hash attempt = slower brute-force attacks.

10,000: NIST’s minimum. Fast, but only okay for low-risk stuff.
100,000: Solid default for most web apps. Login takes maybe 200ms on modern hardware.
250,000: Banking, healthcare, anything with serious compliance requirements.
600,000: OWASP’s 2023 recommendation for PBKDF2-SHA256. Noticeable delay on slower devices, but very strong.

Here’s the practical advice: try your target iteration count on the slowest device your users will log in from. If it takes over a second, dial it back. Security doesn’t help if users abandon your login page.

Why PBKDF2 and not bcrypt or Argon2?

Fair question. For server-side password hashing, bcrypt and Argon2 are great, arguably better for most use cases. But there’s a practical reason this tool uses PBKDF2: it’s the only password hashing algorithm available natively in the browser’s Web Crypto API. No external libraries, no server round-trips, no data leaving your machine. For a browser-based tool, that’s the right trade-off.

Under the hood

Each time you hash, the tool generates a fresh 128-bit salt using crypto.getRandomValues, the browser’s cryptographically secure RNG. That salt gets combined with your password through PBKDF2-SHA256 to produce a 256-bit derived key. The output string bundles everything together so you don’t need to store the salt separately.

FAQ

Does my password leave the browser?

No. Web Crypto API runs entirely client-side. Safe for testing real passwords during development.

How many iterations should I pick?

Start with 100,000. Go higher if your hardware can handle the computation time without annoying users. OWASP says 600,000, but test it first.

Can I verify hashes from this tool?

Yes, the companion Password Hash Verifier (PBKDF2) takes the password and hash string and tells you if they match.

What’s the output format?

pbkdf2:sha256:iterations:salt:hash, everything needed for verification in a single string. No separate salt storage required.
