Password Hash Verifier (PBKDF2)

Verify passwords against PBKDF2-SHA256 hashes in your browser

Check if a password matches its hash

You’ve got a PBKDF2 hash string stored in your database. A user enters their password. Does it match? That’s what this tool tells you.

It works by pulling the salt and iteration count from the hash string, re-running PBKDF2-SHA256 with the password you provide, and comparing the results. Match? Password’s correct. No match? Wrong password or corrupted hash. Everything runs through the Web Crypto API in your browser; nothing gets sent anywhere.

This is the companion to the Password Hasher (PBKDF2) tool. Together they give you a complete hash-and-verify workflow without leaving your browser tab.

How to use it

Paste the password in one field, paste the hash string in the other. The hash should look like pbkdf2:sha256:100000:base64salt:base64hash. Click verify. You get a green checkmark or a red X.

When this saves you

You’re building an auth system and want to sanity-check your hashing implementation. Hash a known password with your code, then paste both into this tool. If it doesn’t verify, your implementation has a bug.

A user can’t log in and swears they’re using the right password. Pull their hash from the database, paste it here with the password they claim to be entering. It instantly tells you whether it’s a password mismatch or something else.

Database migration. You moved user records between systems and need to confirm the password hashes survived intact. Spot-check a few with known test passwords.

Just learning. If you’re studying how password hashing actually works under the hood, being able to hash and verify interactively makes the concept click faster than reading docs.

The hash format explained

pbkdf2:sha256:100000:base64salt:base64hash

Five colon-separated parts: algorithm family, hash function, iteration count, the salt (Base64-encoded), and the derived key (Base64-encoded). The beauty is that it’s self-contained: you don’t store the salt or parameters separately. Everything needed for verification lives in that one string.

FAQ

Does my password leave the browser?

No. Web Crypto API, client-side only. Safe to test with real credentials during development.

Can I verify bcrypt hashes?

No, this tool handles PBKDF2-SHA256 only. Bcrypt isn’t available in the browser’s Web Crypto API, which is why the hasher and verifier both use PBKDF2.

Verification failed, now what?

Either the password doesn’t match, or the hash string format is wrong. Make sure it follows pbkdf2:sha256:iterations:salt:hash exactly. Also double-check for trailing whitespace; that’ll break it.

Where do I get a hash to test with?

Use the companion Password Hasher (PBKDF2) tool. It outputs hashes in the exact format this verifier expects.

What about timing attacks?

The Web Crypto API handles key derivation, and the comparison runs on the derived output. For production systems, you should always use server-side constant-time comparison. This tool is for development and testing.
