PBKDF2 vs HKDF

PBKDF2 and HKDF serve fundamentally different goals. PBKDF2 is a password hashing key-derivation function: it takes a low-entropy human password and, with a unique salt and high iteration count, stretches computation to slow down brute-force attacks. HKDF, on the other hand, is a key expansion mechanism built on HMAC; it assumes you already have a strong, high-entropy input keying material (IKM) and lets you derive one or multiple cryptographic subkeys for different contexts.

In practice, if your input is a user password, use PBKDF2(or better, a memory-hard function such as Argon2) with a per-user salt and a sufficiently large iteration count. If your input is an ECDH shared secret, a random master key, or any other high-entropy secret, it is appropriate to apply HKDF (extract then expand) to produce purpose-scoped keys. Avoid feeding raw passwords into HKDF; and avoid using PBKDF2 for key expansion when you already have strong key material.

Recommended settings

• PBKDF2: unique salt per password, large iterations, fixed dkLen
• HKDF: context info (info) labels per subkey, separate extract/expand steps

Related tools

Try: PBKDF2, HKDF, HMAC-SHA256, Random

FAQ

Is PBKDF2 still recommended for passwords?

Yes, with a large iteration count and unique salt per password. However, modern memory-hard KDFs (Argon2, scrypt) are preferred where available due to better GPU/ASIC resistance.

Can I use HKDF directly with passwords?

No. HKDF assumes high-entropy input keying material. If the input is a human password, first use a password hashing function (e.g., PBKDF2/Argon2), then HKDF if you need key expansion.