Which KDF should I use for password hashing in 2026?

Argon2id is the first-choice modern password hash because it is memory-hard, resisting GPU and ASIC attacks. If Argon2 is unavailable, scrypt and bcrypt are acceptable, and PBKDF2 with a high iteration count is the FIPS-friendly fallback.

How many PBKDF2 iterations are enough?

OWASP guidance recommends at least 600,000 iterations for PBKDF2-HMAC-SHA-256. Iterations only raise CPU cost, not memory, so PBKDF2 is weaker against GPU attacks than memory-hard functions like Argon2.

What does memory-hard mean?

A memory-hard KDF deliberately uses a large block of RAM so attackers cannot cheaply parallelise guesses on GPUs or custom ASIC hardware. Argon2 and scrypt are memory-hard; bcrypt is mildly so; PBKDF2 is not.

Is HKDF a password hash?

No. HKDF derives one or more cryptographic keys from an already-high-entropy secret, such as a Diffie-Hellman shared secret. It is fast by design and must not be used to hash low-entropy passwords.

Why does each password need a unique salt?

A per-password random salt prevents precomputed rainbow-table attacks and ensures two users with the same password get different hashes. The salt is stored alongside the hash and need not be secret.

Key Derivation Function Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Key derivation function (KDF) reference

A KDF turns a secret into one or more cryptographic keys. There are two jobs: password hashing (deliberately slow, memory-hard) and key extraction/expansion (fast, from already-strong secrets). This reference covers Argon2, scrypt, bcrypt, PBKDF2 and HKDF with their cost parameters and current OWASP-aligned tuning so you can store passwords safely and derive session keys correctly.

How it works

Password KDFs add three defences:

Salt — a unique random value per password defeats rainbow tables.
CPU cost — iterations or rounds make each guess expensive (PBKDF2, bcrypt).
Memory cost — a large RAM footprint defeats GPU/ASIC parallelism (Argon2, scrypt).

Argon2id combines memory hardness with side-channel resistance and is the modern default. Key-extraction KDFs like HKDF follow an extract-then-expand pattern over HMAC and are fast because their input is already high-entropy — never feed them raw passwords.

Tips and notes

Use Argon2id for new password storage; tune memory to the highest value your servers tolerate.
For PBKDF2 use >= 600,000 SHA-256 iterations (OWASP 2023+ guidance).
bcrypt truncates input at 72 bytes — pre-hash long passwords before bcrypt.
Use HKDF only on high-entropy secrets (shared keys), never on passwords.
Store the algorithm, parameters and salt with each hash so you can upgrade cost over time.