+ Submit

PBKDF2 & Argon2 Password Hash Generator and Verifier

Key derivation functions (KDFs) are essential for secure password storage. Unlike fast hash algorithms such as SHA-256, PBKDF2 and Argon2 deliberately consume more time and memory, making password cracking computationally expensive.

This online PBKDF2 and Argon2 hashing tool helps developers generate and verify secure password hashes using industry-standard cryptographic algorithms.

PBKDF2 / Argon2 Key Hashing Tool

Stateless password hashing & verification using industry standards

Argon2id
PBKDF2
Derived Output
{{ res.encoded || res.derivedKey }}
How is Argon2 hash structured?
✔ Match ✖ Mismatch
⚠ PBKDF2 Verification Rule

Verification succeeds only if the same password, salt, iterations, hash algorithm, and key length are used.

How to Read an Argon2 Hash Output

Understand each component of an Argon2id password hash

Argon2 hashes follow the PHC string format, which embeds all information required to verify a password. This makes Argon2 hashes self-contained and portable. 

$argon2id$v=19$m=65536,t=3,p=1$0II7M4P/ppkK1emcdMUTOg$Z2gF3BTRJKMQfOzQfVCl7xOG+2r57qsUDN1oPVV/kgM

PHC Format Structure

$<algorithm>
$v=<version>
$m=<memory>,t=<iterations>,p=<parallelism>
$<salt>
$<hash>

Component Breakdown

  • argon2id – Algorithm variant used. Argon2id is recommended by OWASP for password hashing.
  • v=19 – Argon2 version (1.3), the current stable standard.
  • m=65536 – Memory cost in KB (64 MB), making GPU attacks expensive.
  • t=3 – Time cost (number of iterations).
  • p=1 – Parallelism (threads).
  • Salt – Random Base64-encoded value that prevents rainbow-table attacks.
  • Hash – Final Base64-encoded derived password hash.

Why Argon2 Hashes Are Self-Contained

Unlike PBKDF2 or bcrypt, Argon2 hashes store the algorithm, version, parameters, salt, and derived hash together in a single string. During verification, the Argon2 library automatically extracts these values and recalculates the hash securely.

Verification Example

argon2.verify(encodedHash, password);

Always store the full hash string exactly as generated. Never truncate or manually parse it.

We do not store, log any key you enter. This tool is intended for personal and educational use. We suggest not to use online tools to protect real production secrets.

Key Terminologies

What is a Key Derivation Function?

A key derivation function (KDF) transforms a password into a cryptographically secure key using techniques such as salting and iteration. KDFs are designed to slow down attackers attempting brute-force or dictionary attacks.

What is PBKDF2?

PBKDF2 (Password-Based Key Derivation Function 2) is a widely used algorithm defined in RFC 8018. It applies a pseudorandom function, such as HMAC-SHA256, multiple times to increase computational cost.

What is Argon2?

Argon2 is the winner of the Password Hashing Competition and is designed to be memory-hard, making it resistant to GPU and ASIC-based attacks. Argon2id is the recommended variant for password hashing.

Security Best Practices

  • Always store hashed passwords, never plaintext passwords
  • Use a unique random salt for every password
  • Prefer Argon2id for all new applications
  • Increase cost parameters over time as hardware improves

Example Code: Verify Password Hashes

Below are practical examples showing how to verify Argon2id and PBKDF2 password hashes in popular backend languages.

Node.js Examples

Verify Argon2id Hash (Node.js) 


// Install dependency
// npm install argon2

const argon2 = require('argon2');

async function verifyArgon2(password, encodedHash) {
    try {
        return await argon2.verify(encodedHash, password);
    } catch (err) {
        return false;
    }
}

// Example usage
const match = await verifyArgon2(
    'mySecretPassword',
    '$argon2id$v=19$m=65536,t=3,p=1$0II7M4P/ppkK1emcdMUTOg$Z2gF3BTRJKMQfOzQfVCl7xOG+2r57qsUDN1oPVV/kgM'
);

console.log(match);

Argon2 hashes are self-contained. Parameters and salt are extracted automatically during verification.

Verify PBKDF2 Hash (Node.js) 


const crypto = require('crypto');

function verifyPBKDF2(password, salt, iterations, keyLength, hashAlgo, derivedKeyBase64) {

    const derivedKey = crypto.pbkdf2Sync(
        password,
        salt,
        iterations,
        keyLength / 8,
        hashAlgo.toLowerCase()
    );

    return crypto.timingSafeEqual(
        derivedKey,
        Buffer.from(derivedKeyBase64, 'base64')
    );
}

// Example usage
const match = verifyPBKDF2(
    'mySecretPassword',
    'mySaltValue',
    100000,
    256,
    'SHA256',
    'Base64DerivedKeyHere'
);

console.log(match);

PHP Examples

Verify Argon2id Hash (PHP) 


<?php

$password = 'mySecretPassword';
$hash = '$argon2id$v=19$m=65536,t=3,p=1$0II7M4P/ppkK1emcdMUTOg$Z2gF3BTRJKMQfOzQfVCl7xOG+2r57qsUDN1oPVV/kgM';

if (password_verify($password, $hash)) {
    echo 'Password matches';
} else {
    echo 'Password does not match';
}

PHP natively supports Argon2id via password_verify().

Verify PBKDF2 Hash (PHP) 


<?php

function verifyPBKDF2($password, $salt, $iterations, $keyLength, $algo, $derivedKeyBase64) {

    $derivedKey = hash_pbkdf2(
        $algo,
        $password,
        $salt,
        $iterations,
        $keyLength / 4,
        true
    );

    return hash_equals(
        $derivedKey,
        base64_decode($derivedKeyBase64)
    );
}

// Example usage
$match = verifyPBKDF2(
    'mySecretPassword',
    'mySaltValue',
    100000,
    256,
    'sha256',
    'Base64DerivedKeyHere'
);

echo $match ? 'Password matches' : 'Password does not match';
Verification Rules
  • Argon2 hashes can be verified directly using the encoded hash.
  • PBKDF2 verification requires the same salt, iterations, hash algorithm, and key length.
  • Always use timing-safe comparisons for hash verification.

Support This Free Tool!

I build these tools to give you fast, secure, privacy-friendly utilities—free and signup-free.

Buying me a coffee helps keep the project running and supports new features.

cards
Powered by paypal

Thank you for helping this tool thrive!

References

Other Free Tools