
PBKDF2 Hash Generator

Generate and verify PBKDF2-SHA256 password hashes in your browser.

Uses PBKDF2-SHA256 via the Web Crypto API. Output format: hex_salt:hex_hash

About this tool

PBKDF2 (Password-Based Key Derivation Function 2) is a cryptographic algorithm designed to strengthen passwords by applying a computationally intensive process: it applies HMAC (here HMAC-SHA256) to your password and a random salt for a configurable number of iterations (thousands or millions), making each guess slow and expensive for a brute-force attacker. Unlike plain hash functions, which are fast and therefore vulnerable to GPU-accelerated guessing, PBKDF2 is purpose-built for password storage: the iteration count can be raised over time as hardware becomes faster, keeping the scheme resistant to future threats. This browser-based tool lets you generate and verify PBKDF2-SHA256 hashes entirely in your browser, without sending your passwords to any server.

To generate a hash, enter your password, adjust the iteration count (higher values are slower but more secure; 100,000 is a solid default for modern systems), select your salt length (16 bytes is standard), and click 'Generate Hash'. The tool produces a hash in the format hex_salt:hex_hash, which you can copy and store securely. To verify a password against a stored hash, switch to the 'Verify' tab, paste the hash string, enter the candidate password, and click 'Verify'; the tool will tell you whether it matches. This is useful for developers implementing password verification in applications, security professionals testing password strength, or anyone wanting to understand how password hashing works.

The strength of your hashes depends on the iteration count: NIST recommends at least 210,000 iterations as of 2024, though you may see older systems using 10,000 or 50,000. Remember that PBKDF2 is only as strong as your password: use passphrases of at least 12 characters with mixed case, numbers, and symbols. Also note that PBKDF2 has been largely superseded by newer algorithms such as Argon2 for new systems, but it remains widely used and supported in existing infrastructure. For long-term password storage in production, consult the OWASP guidelines and raise iteration counts as hardware evolves.
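The generate and verify steps described above, as an added Python example (not the tool's own Web Crypto code): it derives PBKDF2-HMAC-SHA256 into the hex_salt:hex_hash format, compares in constant time, and treats malformed input as a failed verification. It assumes a 32-byte derived key and that the iteration count is stored alongside the string, since the format itself does not encode it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions (not stated by the tool): 32-byte derived key, and the
# iteration count is kept beside the hex_salt:hex_hash string.
DK_LEN = 32
DEFAULT_ITERATIONS = 210_000  # the 2024 floor quoted above
DEFAULT_SALT_LEN = 16         # the "standard" salt length quoted above


def generate_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt_len: int = DEFAULT_SALT_LEN,
                  salt: Optional[bytes] = None) -> str:
    """Derive PBKDF2-HMAC-SHA256 over a random salt; return hex_salt:hex_hash.

    A fixed salt may be passed only to reproduce a result (tests, known
    answer vectors); real use must let os.urandom choose it.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, DK_LEN)
    return f"{salt.hex()}:{dk.hex()}"


def verify_hash(password: str, stored: str,
                iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    A malformed string (missing colon, non-hex, empty parts) is reported
    as a failed verification rather than raising.
    """
    try:
        hex_salt, hex_hash = stored.split(":")
        salt = bytes.fromhex(hex_salt)
        expected = bytes.fromhex(hex_hash)
    except ValueError:
        return False
    if not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, len(expected))
    # compare_digest avoids the early-exit timing leak of == on bytes
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    h = generate_hash("correct horse battery staple")
    print(h)
    print(verify_hash("correct horse battery staple", h))  # True
```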


Code Implementation

import bcrypt  # the "bcrypt" package from PyPI

# Hash a password (cost factor 12, i.e. 2**12 rounds of the bcrypt setup)
password = "my_secure_password"
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
print("Hash:", hashed.decode())
# $2b$12$...

# Verify a password
is_valid = bcrypt.checkpw(password.encode(), hashed)
print("Valid:", is_valid)  # True

is_invalid = bcrypt.checkpw(b"wrong_password", hashed)
print("Invalid:", is_invalid)  # False

# The salt and cost factor are embedded in the hash string, so neither
# needs to be stored separately.
# Always use checkpw() for comparison (constant-time).
# Caveat: bcrypt only uses the first 72 bytes of the password; longer
# inputs are silently truncated.
