Key Stretching Iterations Calculator
Key stretching slows down password hashing so each brute-force guess costs the attacker far more. This calculator shows how an iteration count adds effective security bits, how long a single derivation takes at a chosen hash rate, and how that translates into total time to exhaust a password's keyspace. Enter the iteration count, the password entropy in bits and the attacker's hashes-per-second to see the combined work factor and crack time.
Key stretching formula
added bits = log2(iterations)
total work bits = password entropy + added bits
stretched guesses/sec = base hash rate / iterations
time to exhaust = 2^(entropy) / stretched guesses/sec
Each iteration multiplies the work per guess, so the attacker's effective guess rate is the base hash rate divided by the iteration count. The added bits are the base-2 logarithm of the iteration count, which sum with the password's own entropy to give the total work an attacker faces.
Worked example
600,000 iterations, 40-bit password, attacker at 10 billion base hashes per second. Added bits = log2(600,000) = 19.19. Total work = 40 + 19.19 = 59.19 bits. Stretched guess rate = 10,000,000,000 / 600,000 = 16,667 guesses per second. Time to exhaust 2^40 guesses = 1,099,511,627,776 / 16,667 = about 65.97 million seconds, roughly 2.09 years.
Key stretching: frequently asked questions
What is key stretching?
Key stretching deliberately makes a password hash slow by repeating the hashing operation many times (as in PBKDF2) or using memory-hard work. Each doubling of the iteration count adds one bit of effective security and doubles the attacker's cost per guess.
How do iterations add security bits?
Added bits = log2(iterations). An iteration count of 600,000 adds about 19.2 bits of work per guess on top of the password's own entropy. The attacker must perform that many hash operations for every single password guess.
What iteration count is recommended?
NIST SP 800-132 calls for an iteration count as large as performance allows, and OWASP-style guidance commonly cites several hundred thousand PBKDF2-HMAC-SHA-256 iterations. The right number depends on your hardware and acceptable login latency; tune so a single derivation takes a fraction of a second.
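An added example, not part of the original calculator: the key stretching formula in Python, plus a calibration step for the advice above to tune so a single derivation takes a fraction of a second. The function names, the 20,000-iteration probe, the 0.25 s latency budget and the sample password are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 86_400


def stretch_report(iterations, entropy_bits, base_rate):
    """Page formulas: (added bits, total work bits, guesses/sec, seconds to exhaust)."""
    if iterations < 1 or entropy_bits < 0 or base_rate <= 0:
        raise ValueError("need iterations >= 1, entropy >= 0, base rate > 0")
    added = math.log2(iterations)
    stretched = base_rate / iterations
    return added, entropy_bits + added, stretched, 2.0 ** entropy_bits / stretched


def measure_pbkdf2(iterations, runs=3):
    """Best-of-N wall-clock seconds for one PBKDF2-HMAC-SHA-256 derivation here."""
    salt = os.urandom(16)                      # unique random salt per credential
    password = b"constructed-sample-password"  # constructed input, not a real secret
    best = math.inf
    for _ in range(runs):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate(target_seconds, probe=20_000):
    """PBKDF2 cost is linear in iterations, so scale one probe to the target latency."""
    per_iteration = measure_pbkdf2(probe) / probe
    return max(1, int(target_seconds / per_iteration))


if __name__ == "__main__":
    added, total, rate, secs = stretch_report(600_000, 40, 10e9)
    print(f"worked example: +{added:.2f} bits, {total:.2f} total, "
          f"{rate:,.0f} guesses/s, {secs / SECONDS_PER_YEAR:.2f} years")
    n = calibrate(0.25)                        # assumed login latency budget
    added, total, _, secs = stretch_report(n, 40, 10e9)
    print(f"this host: {n:,} iterations fit 0.25 s -> +{added:.2f} bits, "
          f"{secs / SECONDS_PER_YEAR:.2f} years for a 40-bit password")
```

The calibration measures only the defender's own derivation latency; the attacker's base hash rate stays a separate input, as in the calculator.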
Does key stretching fix a weak password?
Only partly. Stretching multiplies the cost of each guess but cannot replace missing password entropy. A short password is still guessable; stretching buys time, while strong, unique passwords plus a unique salt provide the real protection.
Sources and references
- NIST Computer Security Resource Center: SP 800-132, recommendation for password-based key derivation.
- NIST Computer Security Resource Center: SP 800-63B, digital identity authentication.
- Formula: standard PBKDF2 iteration work-factor relationship (added bits = log2 of iterations).
Reviewed by the CalculatorHub team, edited by James Graham, 19 June 2026.