PBKDF2 Key Generator

Derive cryptographic keys from passwords using PBKDF2 (RFC 8018). Uses the Web Crypto API — nothing leaves your browser.

Salt: 16 random bytes recommended. The salt is used as-is (UTF-8 encoded).
Iterations: recommended ≥100,000 for SHA-256. Higher values are slower but more secure.

Frequently Asked Questions

PBKDF2 (Password-Based Key Derivation Function 2) is a standard algorithm (RFC 8018) that derives a cryptographic key from a password. It applies a pseudorandom function (like HMAC-SHA-256) repeatedly over many iterations to make brute-force attacks computationally expensive.
OWASP recommends at least 600,000 iterations for PBKDF2-HMAC-SHA256 as of 2023. For legacy compatibility, 100,000 is a common minimum. More iterations means more security but also longer computation time — use the timing display to find a balance for your use case.
A salt is random data added to the password before hashing. It ensures that identical passwords produce different derived keys, preventing rainbow table attacks. Each password should use a unique, randomly generated salt of at least 16 bytes.
SHA-256 is the most widely used and recommended choice. SHA-512 provides a higher security margin. SHA-1 is considered legacy — use it only for compatibility with older systems that require it.
No. All key derivation happens entirely in your browser using the Web Crypto API (crypto.subtle). Your password and derived key are never sent to any server.
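The derivation described above, written against `crypto.subtle` as an added example (not this tool's own source code). The function names, the demo password and the hex-text salt format are assumptions made for illustration.

```javascript
// Added example: PBKDF2 through the Web Crypto API, mirroring the tool's inputs
// (password, salt text, iterations, hash). All function names are hypothetical.
async function getCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  return (await import('node:crypto')).webcrypto; // fallback for older Node.js
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// 16 random bytes rendered as 32 hex characters. Because the salt field is
// UTF-8 encoded as-is, this text (not the raw bytes) is what PBKDF2 receives.
async function randomSaltText() {
  const c = await getCrypto();
  return toHex(c.getRandomValues(new Uint8Array(16)));
}

// Derive `bits` of key material; password and salt are UTF-8 encoded as-is.
async function pbkdf2Hex(password, saltText, iterations, hash = 'SHA-256', bits = 256) {
  const { subtle } = await getCrypto();
  const enc = new TextEncoder();
  const baseKey = await subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  const derived = await subtle.deriveBits(
    { name: 'PBKDF2', salt: enc.encode(saltText), iterations, hash }, baseKey, bits);
  return toHex(derived);
}

// Same derivation plus elapsed milliseconds, comparable to a timing display.
async function timedPbkdf2(password, saltText, iterations, hash = 'SHA-256') {
  const t0 = performance.now();
  const keyHex = await pbkdf2Hex(password, saltText, iterations, hash);
  return { keyHex, ms: performance.now() - t0 };
}

// Constructed demo values; 600,000 is the OWASP figure quoted in the FAQ.
async function demo() {
  const salt = await randomSaltText();
  const { keyHex, ms } = await timedPbkdf2('correct horse battery staple', salt, 600000);
  console.log(`salt=${salt} key=${keyHex} (${ms.toFixed(0)} ms)`);
}

demo();
```

Store the salt text, iteration count and hash name alongside the derived key, since all three are needed to reproduce it later.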