What iteration count does OWASP recommend for PBKDF2?

OWASP currently recommends a minimum of 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512 (as of 2023). These floors increase over time to track hardware improvements.

Why does SHA-512 need fewer iterations than SHA-256?

SHA-512 is slower per compression than SHA-256 on most CPUs, especially 64-bit hardware. Fewer iterations still yield equivalent work for an attacker, so the OWASP floor is lower for SHA-512.

Is PBKDF2 still recommended over bcrypt or Argon2?

All three are acceptable for password hashing. OWASP lists them in order of preference: Argon2id first, then bcrypt and scrypt as alternatives, with PBKDF2 acceptable especially in FIPS-compliant environments. At high iteration counts PBKDF2 is still secure.

Should I run PBKDF2 in the browser?

Only as a client-side pre-hash before sending to the server — never as the sole password protection. Browser-side PBKDF2 can reduce server load, but the server must always re-hash with its own secret salt and iteration count.

What output key length should I use?

Match the output to the HMAC variant: 32 bytes (256 bits) for SHA-256 and 64 bytes (512 bits) for SHA-512. Using a shorter output does not significantly affect security but wastes the derivation effort.

PBKDF2 Cost Estimator

Name: PBKDF2 Cost Estimator
Availability: InStock
Author: Nham Vu

Choose your hardware tier and target hash time to get OWASP-aligned PBKDF2 iteration count recommendations for SHA-256 and SHA-512.

PBKDF2 Parameters

Hardware Tier

Low-end VPS / Shared hosting ~250k SHA-256 iter/s per core

Mid-range server / Cloud VM ~600k SHA-256 iter/s per core

High-end dedicated / Bare metal ~1.2M SHA-256 iter/s per core

HMAC Variant

HMAC-SHA256 HMAC-SHA512

Target Hash Time (ms)

OWASP recommends ~600ms for interactive logins.

Output Key Length

Recommended Iteration Count

Recommended

600,000

iterations

OWASP Minimum

600,000

iterations

Est. Hash Time

600ms

HMAC Variant

SHA-256

Output

32 bytes

Meets OWASP 2023 minimum

Code Snippet

Attacker Cost Context

A GPU (RTX 4090) can attempt ~3.5B MD5 hashes/second. Against PBKDF2-SHA256 it is limited to roughly:

@ 100k iterations

~35,000/s

@ 600k iterations

~5,800/s

@ 1.2M iterations

~2,900/s

Each doubling of iterations halves attacker throughput. A 10-character random password with 600k iterations gives an attacker roughly 500+ years on a single GPU.

Copied to clipboard

Summary

Choose your hardware tier and target hash time to get OWASP-aligned PBKDF2 iteration count recommendations for SHA-256 and SHA-512.

How it works

Select your server hardware tier (low-end VPS, mid-range server, or high-end dedicated).
Enter your target hash time in milliseconds — OWASP recommends 600ms for interactive logins.
Choose the HMAC variant: SHA-256 (faster, 256-bit output) or SHA-512 (slower per iteration, 512-bit output).
The estimator multiplies the hardware baseline speed (iterations/second) by your target time to get a recommended iteration count.
Review the OWASP minimum floor — the tool always returns at least that floor even if your hardware is very fast.
Use the recommended count in your server-side hashing code; never run PBKDF2 in the browser for real password storage.

Use cases

Tune PBKDF2 parameters when setting up a new authentication service.
Verify that legacy iteration counts still meet current OWASP minimums.
Compare SHA-256 vs SHA-512 costs on your specific hardware tier.
Generate code snippets for Node.js, Python, and PHP implementations.
Estimate login latency impact before deploying a parameter change.
Teach developers why iteration count choice matters for password security.

Frequently Asked Questions

Last updated: 2026-07-01 · Reviewed by Nham Vu