What is key stretching?

Key stretching is a technique that makes a hash function deliberately slow by repeating it many times (PBKDF2), running it in a loop with an exponential cost (bcrypt), or requiring large amounts of memory (Argon2). This forces an attacker to spend far more time and resources testing each candidate password.

How does bcrypt's cost factor work?

bcrypt's cost factor N means the algorithm performs 2^N internal iterations. Each increment doubles the hash time, so increasing cost from 10 to 12 makes brute-force four times harder.

What PBKDF2 iteration count should I use?

OWASP recommends at least 600,000 iterations for PBKDF2-SHA256 as of 2023. The right number depends on your hardware — aim for a target hash time of 100–300 ms on your server and increase the count as hardware improves.

Why does hardware tier matter?

A consumer RTX 4090 GPU can test many more bcrypt hashes per second than a budget cloud vCPU. The same cost factor that is secure against one attacker may be trivial against another with more powerful hardware.

Is this estimate accurate?

The estimate is a theoretical upper bound assuming the attacker devotes all hardware to this one hash. Actual times vary with parallelism, memory bandwidth, and implementation optimizations. Use it for order-of-magnitude planning, then benchmark real hashes in your environment.

What is the difference between PBKDF2 and Argon2?

PBKDF2 is CPU-bound and can be accelerated heavily by GPUs and ASICs. Argon2id adds a memory-hard phase that forces attackers to use large amounts of RAM, limiting parallelism and making GPU farms far less effective. Argon2id is the modern recommended choice.

Key Stretching Time Calculator

Name: Key Stretching Time Calculator
Availability: InStock
Author: Nham Vu

Estimate how long it takes an attacker to brute-force a password given key-stretching parameters — algorithm, work factor, and attacker hardware.

Parameters

Algorithm

Iterations

OWASP 2023 minimum for PBKDF2-SHA256: 600,000.

Attacker hardware

Raw hashes/second (single-iteration rate)

This is the attacker's baseline rate before work factor is applied.

Password to crack

Length

Character set

Configure parameters on the left and click Calculate.

Effective Rate

—

hashes / second

Keyspace

—

combinations

Entropy

—

bits

Slowdown vs. no key stretching

—

How many times harder key stretching makes the brute-force compared to a single fast hash (MD5 baseline at 10 billion/s).

Crack Time Across Hardware Profiles

Hardware	Eff. Rate (H/s)	Crack Time

Recommendation

—

Done

Summary

Estimate how long it takes an attacker to brute-force a password given key-stretching parameters — algorithm, work factor, and attacker hardware.

How it works

Select a key-derivation algorithm: bcrypt, PBKDF2-SHA256, or Argon2id.
Set the work factor (bcrypt cost) or iteration count (PBKDF2/Argon2).
Choose an attacker hardware profile — consumer GPU, professional GPU cluster, or a custom hash rate.
The tool divides the attacker's base rate by the work factor to get effective hashes/second.
It then computes keyspace from password length and character set, and divides by the effective rate.
Results show expected crack time, effective attacker throughput, and a comparison table across hardware profiles.

Use cases

Pick a bcrypt cost factor that keeps offline cracking impractical on today's GPUs.
Decide how many PBKDF2 iterations are needed for a new authentication system.
Check whether your current Argon2id settings are strong enough against a well-funded attacker.
Compare how much protection bcrypt vs. PBKDF2 vs. Argon2 buys at the same iteration count.
Educate a team on why work factors need to increase as hardware improves.
Audit a legacy system to determine if its iteration count is still adequate.

Frequently Asked Questions

Last updated: 2026-07-01 · Reviewed by Nham Vu