Editing PBKDF2 (section)

== Purpose and operation ==
PBKDF2 applies a [[pseudorandom function]], such as [[hash-based message authentication code]] (HMAC), to the input [[password]] or [[passphrase]] along with a [[salt (cryptography)|salt]] value and repeats the process many times to produce a ''derived key'', which can then be used as a [[key (cryptography)|cryptographic key]] in subsequent operations.  The added computational work makes [[password cracking]] much more difficult, and is known as [[key stretching]].

When the standard was written in the year 2000 the recommended minimum number of iterations was 1,000, but the parameter is intended to be increased over time as CPU speeds increase. A [[Kerberos (protocol)|Kerberos]] standard in 2005 recommended 4,096 iterations;<ref name="RFC3962">{{Cite journal|title = Advanced Encryption Standard (AES) Encryption for Kerberos 5|url = http://tools.ietf.org/html/rfc3962|website = tools.ietf.org|access-date = 2015-10-23 |first=Kenneth |last=Raeburn | year=2005 | doi=10.17487/RFC3962 |id=RFC{{nbsp}}3962|doi-access=free }}</ref> [[Apple Inc.|Apple]] reportedly used 2,000 for [[iOS 3]], and 10,000 for [[iOS 4]];<ref>{{Cite web|title = Smartphone Forensics: Cracking BlackBerry Backup Passwords |work=Advanced Password Cracking – Insight |publisher=ElcomSoft |date=30 September 2010 |url=http://blog.elcomsoft.com/2010/09/smartphone-forensics-cracking-blackberry-backup-passwords/ |access-date=2015-10-23}}</ref> while [[LastPass]] in 2011 used 5,000 iterations for [[JavaScript]] clients and 100,000 iterations for server-side hashing.<ref>{{Cite web |title = LastPass Security Notification |url=https://blog.lastpass.com/2011/05/lastpass-security-notification/|website = The LastPass Blog|date = 5 May 2011|access-date = 2023-01-31}}</ref> In 2023, [[OWASP]] recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.<ref>{{Cite web |date=15 August 2021 |title=Password Storage Cheat Sheet |url=https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 |url-status=live |archive-url=https://web.archive.org/web/20230123232056/https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html |archive-date=23 January 2023 |access-date=2023-01-23 |website=OWASP Cheat Sheet Series}}</ref>

[[File:Pbkdf2 nist.png|thumb|Algorithmic representation of the iterative process of PBKDF2.]]

Having a salt added to the password reduces the ability to use precomputed hashes ([[rainbow tables]]) for attacks, and means that multiple passwords have to be tested individually, not all at once.  The public key cryptography standard recommends a salt length of at least 64 bits.<ref name="RFC8018s4">{{Cite journal |id=RFC{{nbsp}}8018 |title=PKCS{{nbsp}}#5: Password-Based Cryptography Specification, Version 2.1: Section 4. Salt and Iteration Count |url = https://tools.ietf.org/html/rfc8018#section-4 |website = tools.ietf.org|access-date = 2018-01-24 |first=Kathleen |last=Moriarty |editor-first1=K |editor-last1=Moriarty |year=2017 |doi=10.17487/RFC8018 |display-authors=etal|url-access=subscription }}</ref> The US [[National Institute of Standards and Technology]] recommends a salt length of at least 128 bits.<ref>{{Cite web |id=SP{{nbsp}}800-132 |title=Recommendation for Password-Based Key Derivation Part 1: Storage Applications |url=https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf |website=NIST |access-date = 2018-12-20 |first1=Meltem |last1=Sönmez Turan |first2=Elaine |last2=Barker |first3=William |last3=Burr |first4=Lily |last4=Chen}}</ref>