jbp.io Archive
11 August 2015

PBKDF2: performance matters

This is a summary of a talk I gave at Passwords15 on 2015-08-05 in Las Vegas. There are slides and a video:


Overview

The PBKDF2 standards describe the algorithm in such an unhelpful way that almost every defender implementation is at least two times slower than it otherwise could be.

For slow password hashes, performance is important because any inefficiency in the defender's implementation is passed on to some combination of your users (as extra delay) and the attacker (as an advantage).
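The factor of two shows up in how HMAC is invoked inside the PBKDF2 loop. The following is an added example, not code from fastpbkdf2 or the talk. It assumes the inefficiency in question is the well-known one of re-hashing the HMAC key pads on every iteration, and its function names are hypothetical.

```python
import hashlib
import hmac

def _pbkdf2(prf, hlen, salt, iterations, dklen):
    """RFC 2898 F() loop, parameterised over the PRF so both variants share it."""
    out = b""
    for block in range(1, -(-dklen // hlen) + 1):      # ceil(dklen / hlen) blocks
        u = prf(salt + block.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]

def pbkdf2_naive(hash_name, password, salt, iterations, dklen):
    """As the standard reads: a fresh HMAC(password, ...) per iteration.
    With SHA-1/SHA-256 that is 4 compression calls per iteration:
    key^ipad block, message block, key^opad block, inner-digest block."""
    hlen = hashlib.new(hash_name).digest_size
    prf = lambda msg: hmac.new(password, msg, hash_name).digest()
    return _pbkdf2(prf, hlen, salt, iterations, dklen)

def pbkdf2_cached(hash_name, password, salt, iterations, dklen):
    """Same output, but the hash states after absorbing key^ipad and key^opad
    are computed once and copied, leaving 2 compression calls per iteration."""
    h = hashlib.new(hash_name)
    key = password
    if len(key) > h.block_size:                         # HMAC rule for long keys
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(h.block_size, b"\0")
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in key))
    outer = hashlib.new(hash_name, bytes(b ^ 0x5C for b in key))

    def prf(msg):
        i = inner.copy()
        i.update(msg)
        o = outer.copy()
        o.update(i.digest())
        return o.digest()

    return _pbkdf2(prf, h.digest_size, salt, iterations, dklen)

if __name__ == "__main__":
    # Constructed sample inputs; both variants must agree with the library.
    ref = hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 1000, 40)
    assert pbkdf2_naive("sha256", b"password", b"salt", 1000, 40) == ref
    assert pbkdf2_cached("sha256", b"password", b"salt", 1000, 40) == ref
    print(ref.hex())
```

Pure-Python timings are not representative of a native implementation; the point is that both functions produce identical output while the second does half the compression-function work per iteration.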

Of the implementations I reviewed, only the following are algorithmically optimal:

But, in practical terms, all are slower than a public domain implementation I released:

fastpbkdf2

fastpbkdf2 is a public domain implementation of PBKDF2-HMAC-{SHA1,SHA256,SHA512} which significantly outperforms the others available. For example, it outperforms OpenSSL by about 4x and golang by about 6x.

It does this through a few tricks:

Strategies

Future work

Reviewed implementations

This review was performed in December 2014. Things might have moved on since then.

  1. FreeBSD (10): Slow. Measures speed.
  2. GRUB (2.0): Slow.
  3. Truecrypt (7.1a): Slow.
  4. Android (disk encryption): OK. Calls scrypt + openssl pbkdf2.
  5. Android (BouncyCastle): Slow.
  6. Django: OK. Fixed by sc00bz CVE-2013-1443.
  7. OpenSSL: OK. Fixed by Christian Heimes 2013-11-03.
  8. Python (core >=3.4): OK. Christian Heimes 2013-10-12.
  9. Python (pypi pbkdf2): Slow.
  10. Ruby (pbkdf2 gem): Slow.
  11. Go (go.crypto): Slow (structurally fast, but hmac module lets it down).
  12. OpenBSD: Slow.
  13. PolarSSL/mbedTLS: Slow.
  14. CyaSSL/wolfSSL: Slow (structurally fast, but hmac module lets it down).
  15. SJCL: OK.
  16. Java: Slow (structurally fast, but hmac module lets it down).
  17. Common Lisp (ironclad): Slow.
  18. Perl (Crypt::PBKDF2): Slow.
  19. PHP (core): Slow. Pull request submitted upstream.
  20. C# (core): Slow.
  21. scrypt (scrypt and libscrypt): Slow, but iterations==1, always. yescrypt also.
  22. BouncyCastle: OK (>= 1.49).
  23. Apple CoreCrypto: OK. Disassembly only (source is not available).