PBKDF2 Iteration Time Calculator
PBKDF2 slows password verification by repeating a pseudorandom function (PRF) many times, making offline guessing expensive. Choosing the iteration count is a trade-off: a higher count costs an attacker proportionally more, but it also adds latency to every legitimate login. This calculator converts your iteration count and your measured per-call time (the time for one PRF call, i.e. one iteration) into the total derivation time, and converts an attacker's PRF throughput into the guesses per second they can make against your hashes. Measure the per-call time on the hardware that actually runs the derivation.
PBKDF2 timing formula
Derivation time (s) = iterations * per-call time (s)
Per-call time (s) = microseconds / 1,000,000
Derivation time (ms) = derivation time (s) * 1,000
Attacker guesses/s = attacker PRF calls per second / iterations
Attacker guesses/day = guesses per second * 86,400
Raising the iteration count multiplies your derivation time and divides the attacker's guess rate by the same factor. The formulas assume one PRF call per iteration and a derived key no longer than the PRF output (32 bytes for HMAC-SHA-256). Requesting more output than that makes PBKDF2 compute extra blocks, each with the full iteration count, which multiplies your own cost but not the attacker's: a wrong guess can be rejected as soon as the first block mismatches.
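The formulas above as runnable functions, with the output-length caveat made explicit. This is an added example, not the calculator's own code; the helper names, the hLen table and the figures in the demo are this example's own choices.

```python
"""PBKDF2 timing model: the page's formulas as functions, plus the output-length caveat.
Added example; helper names are this example's own, not the calculator's code."""
import math

# Output size in bytes of the HMAC PRF (hLen in RFC 8018).
HASH_LEN_BYTES = {"sha1": 20, "sha256": 32, "sha512": 64}


def output_blocks(dk_len: int, prf: str = "sha256") -> int:
    """Blocks PBKDF2 must produce: l = ceil(dkLen / hLen) (RFC 8018, section 5.2)."""
    return math.ceil(dk_len / HASH_LEN_BYTES[prf])


def derivation_time_s(iterations: int, per_call_us: float,
                      dk_len: int = 32, prf: str = "sha256") -> float:
    """Defender cost. Every output block repeats the full iteration count, so the
    verifier pays ceil(dkLen/hLen) * iterations PRF calls, not just `iterations`."""
    return output_blocks(dk_len, prf) * iterations * per_call_us / 1_000_000


def derivation_time_ms(iterations: int, per_call_us: float,
                       dk_len: int = 32, prf: str = "sha256") -> float:
    return derivation_time_s(iterations, per_call_us, dk_len, prf) * 1_000


def attacker_guesses_per_s(prf_calls_per_s: float, iterations: int) -> float:
    """Attacker cost per guess is one block (`iterations` PRF calls): a wrong password
    is rejected when the first hLen bytes mismatch, so extra blocks never slow them down."""
    return prf_calls_per_s / iterations


def attacker_guesses_per_day(prf_calls_per_s: float, iterations: int) -> float:
    return attacker_guesses_per_s(prf_calls_per_s, iterations) * 86_400


def wasted_prf_calls(iterations: int, dk_len: int, prf: str = "sha256") -> int:
    """PRF calls the defender spends beyond the first block: added login latency
    with zero attacker slowdown. Zero when dkLen <= hLen."""
    return (output_blocks(dk_len, prf) - 1) * iterations


if __name__ == "__main__":
    it, us = 600_000, 0.5  # the page's worked figures: 600k iterations, 0.5 us per HMAC call
    print(f"{it} iterations at {us} us/call: {derivation_time_ms(it, us):.0f} ms per login")
    print(f"attacker at 1e9 PRF calls/s: {attacker_guesses_per_s(1e9, it):.0f} guesses/s, "
          f"{attacker_guesses_per_day(1e9, it):.0f} guesses/day")
    print(f"asking for 64 bytes of output doubles your cost to "
          f"{derivation_time_ms(it, us, dk_len=64):.0f} ms and wastes "
          f"{wasted_prf_calls(it, 64)} PRF calls per login")
```

The attacker figure of 1e9 PRF calls per second in the demo is a placeholder to plug into the formula, not a benchmark; substitute the throughput of whatever hardware your threat model assumes.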
PBKDF2 tuning context
- PBKDF2 is defined in RFC 8018 and remains a NIST-approved password-based key derivation function (NIST SP 800-132).
- A common target tunes iterations so one derivation takes 250 to 500 milliseconds on the verifying server.
- PBKDF2 is compute-bound and needs almost no memory, so GPUs, FPGAs and ASICs can run many guesses in parallel; memory-hard functions resist this better.
- Always use a unique random salt per password so precomputed tables cannot be shared across accounts.
- Measure the per-call time on production hardware, because it varies widely by CPU and PRF choice.
PBKDF2 timing: frequently asked questions
What is PBKDF2?
PBKDF2 (Password-Based Key Derivation Function 2) is defined in RFC 8018. It repeatedly applies a pseudorandom function such as HMAC-SHA-256 over a password and salt for a chosen iteration count, producing a derived key. The iteration count deliberately slows down each guess so brute-forcing the password becomes expensive.
How is derivation time calculated?
Derivation time equals the iteration count multiplied by the time for one pseudorandom-function call. If one HMAC call takes 0.5 microseconds and you use 600,000 iterations, the derivation takes 600,000 times 0.0000005 seconds, which is 0.3 seconds. Measure the per-call time on your own target hardware.
How many iterations should I use?
Use the highest count that keeps interactive logins acceptable, commonly tuned so a single derivation takes 250 to 500 milliseconds on your server. Higher counts cost an attacker proportionally more. Pick the count from your measured per-call time, store the count alongside each hash, and re-tune as hardware improves; records hashed with an older, lower count can then be upgraded the next time the user logs in successfully.
Why does the attacker guess rate matter?
An attacker with stolen hashes guesses offline. Their guesses per second equal their hashing throughput divided by the iteration count. Raising iterations directly divides their guess rate. This calculator shows guesses per second for a given attacker throughput so you can see the slowdown.
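Putting the three FAQ answers above together (measure the per-call time on the verifying host, invert the formula to pick an iteration count for a target latency, then store and verify salted hashes with the count recorded so old records can be re-tuned). This is an added example using Python's standard-library hashlib.pbkdf2_hmac, not the calculator's code. The 600,000-iteration floor, the 300 ms target and the "pbkdf2_sha256$iterations$salt$hash" record format are this example's own assumptions.

```python
"""Calibrate a PBKDF2-HMAC-SHA-256 iteration count on the verifying host, then use it
for salted password storage with a rehash check. Added example; the floor, target and
record format below are assumptions of this example, not the calculator's."""
import hashlib
import hmac
import os
import time

PRF = "sha256"
DK_LEN = 32               # equal to HMAC-SHA-256 output: more output only costs the defender
MIN_ITERATIONS = 600_000  # assumed floor (OWASP's current figure for PBKDF2-HMAC-SHA256)
TARGET_MS = 300.0         # assumed target, inside the page's 250-500 ms window


def measure_per_call_us(probe_iterations: int = 20_000, rounds: int = 5) -> float:
    """Median of several short pbkdf2_hmac runs, in microseconds per PRF call.
    Run this on the production host: the page's per-call time is what it returns."""
    salt = os.urandom(16)
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(PRF, b"calibration-password", salt, probe_iterations, DK_LEN)
        samples.append((time.perf_counter() - t0) * 1_000_000 / probe_iterations)
    samples.sort()
    return samples[len(samples) // 2]


def iterations_for_target(per_call_us: float, target_ms: float = TARGET_MS,
                          floor: int = MIN_ITERATIONS, step: int = 10_000) -> int:
    """Invert the page's formula: iterations = target time / per-call time,
    rounded down to a round number and never allowed below the floor."""
    raw = int(target_ms * 1_000 / per_call_us)
    return max(floor, raw - raw % step)


def hash_password(password: str, iterations: int) -> str:
    """Unique random salt per password; the iteration count travels with the record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"pbkdf2_{PRF}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the record's own count and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != f"pbkdf2_{PRF}":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the record was made with a lower count than today's calibration."""
    return int(stored.split("$")[1]) < current_iterations


if __name__ == "__main__":
    us = measure_per_call_us()
    count = iterations_for_target(us)
    print(f"measured {us:.3f} us per PRF call -> {count} iterations "
          f"for ~{TARGET_MS:.0f} ms (floor {MIN_ITERATIONS})")
    record = hash_password("correct horse battery staple", count)
    t0 = time.perf_counter()
    ok = verify_password("correct horse battery staple", record)
    print(f"verify: {ok} in {(time.perf_counter() - t0) * 1000:.0f} ms")
    print(f"rehash needed: {needs_rehash(record, count)}")
```

Keep the probe count small enough that calibration finishes quickly but large enough that the measurement is not dominated by call overhead, and treat the result as a floor to raise over time, never a value to lower. Because the count is part of the record, verify_password keeps working for old hashes while needs_rehash tells the login path which ones to upgrade.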
Is PBKDF2 still recommended?
PBKDF2 remains a NIST-approved key derivation function and is widely used, but it is only CPU-hard, not memory-hard, so GPUs and ASICs accelerate attacks. For new designs, memory-hard functions such as Argon2 (RFC 9106) resist hardware acceleration better. PBKDF2 with a high iteration count is still acceptable where a memory-hard function is unavailable.
Official sources
Reviewed by the CalculatorHub team, edited by James Graham, 17 June 2026.