Password-Based Key Derivation Function 2 (PBKDF2) has been around for over two decades — yet it remains one of the most widely used algorithms for deriving cryptographic keys from user passwords.
However, the security landscape has changed dramatically since PBKDF2 was standardized in RFC 8018
.
As of 2025, modern hardware (especially GPUs and ASICs) can test hundreds of thousands of hashes per second — which means old recommendations like 100,000 iterations are no longer sufficient.
Let’s explore what the OWASP 2025 recommendations say — and why you should update your PBKDF2 parameters today.
What PBKDF2 Actually Does
PBKDF2 is a key stretching algorithm designed to make brute-force password attacks slower.
It takes three main parameters:
PBKDF2(password, salt, iterations, keyLength, hashAlgorithm)
password – the user’s password (UTF-8 encoded)
salt – a random value (at least 16 bytes, preferably 64)
iterations – the number of times the hash function is applied
hashAlgorithm – typically SHA-256 or SHA-512
keyLength – desired output length in bits (e.g., 256 for AES-256)
Each additional iteration adds computational cost for both attackers and legitimate systems — that’s the trade-off.
Why 100,000 Iterations Are No Longer Enough
For many years, security experts recommended 100,000 iterations of PBKDF2-HMAC-SHA256 as a reasonable balance between security and performance.
But since then, CPU and GPU speeds have improved by orders of magnitude.
A modern GPU (e.g., RTX 4090) can compute:
~3.8 million PBKDF2-SHA256 hashes per second at 100,000 iterations.
That’s billions of password attempts per day — which makes weak or medium-strength passwords dangerously vulnerable.
OWASP 2025 Recommendation
According to the OWASP Password Storage Cheat Sheet (2025)
, the minimum recommended iteration count for PBKDF2 has increased substantially:
PBKDF2-SHA256: Use at least 310,000 iterations (or more, depending on your system’s performance).
This number isn’t arbitrary — it’s chosen to ensure that deriving a single key takes ~100ms on modern consumer hardware.
That small delay is imperceptible to users, but significantly slows down brute-force attacks.
Best Practices for PBKDF2 in 2025
- Use a Unique Salt per Password
Never reuse salts. Each password must be hashed with its own random salt — ideally 64 bytes of cryptographically secure randomness.
const salt = crypto.getRandomValues(new Uint8Array(64));
- Choose at Least 310,000 Iterations
The right number depends on your environment, but for 2025:
iterations = 310_000; // or more, depending on latency budget
- Use SHA-256 or SHA-512
Avoid older digests like SHA-1.
SHA-256 is widely supported and fast enough for most applications.
- Measure Performance
Benchmark your setup and ensure the hashing takes 50–150ms on your production hardware.
That’s a good sweet spot between security and UX.
- Plan for Future Updates
Hardware keeps getting faster.
Make iteration count configurable, so you can easily increase it without rehashing existing passwords.
Example (JavaScript / Web Crypto API)
async function deriveKey(password, salt) {
const encoder = new TextEncoder();
const keyMaterial = await crypto.subtle.importKey(
'raw',
encoder.encode(password),
{ name: 'PBKDF2' },
false,
['deriveKey']
);
return crypto.subtle.deriveKey(
{
name: 'PBKDF2',
salt,
iterations: 310_000,
hash: 'SHA-256',
},
keyMaterial,
{ name: 'AES-GCM', length: 256 },
false,
['encrypt', 'decrypt']
);
}
Key Takeaway
If you’re still using 100,000 PBKDF2 iterations, you’re effectively relying on 2016-level security in a 2025 world.
Update to ≥310,000 iterations, ensure strong random salts, and test performance.
It’s one of the simplest, highest-impact improvements you can make to your password security today.
Bonus Tip
If performance becomes an issue, consider Argon2id (the current OWASP top recommendation).
It’s memory-hard, GPU-resistant, and future-proof — but if you must stick with PBKDF2 for compatibility,
use the modern iteration count and solid engineering hygiene.
Top comments (0)