I have an application where I encrypt some text for a user.
As of now, the user enters a plain-text password, and then I run an HKDF algorithm via the Cryptography package to derive a key from that password. After converting the key to a URL-safe base64-encoded 32-byte key, I use it as the key for running symmetric encryption (using the Fernet module) to encrypt the user's text.
I've read up on HKDF, and read that the "extract-then-expand" paradigm makes it useful for this type of scenario. But I've also read the documentation which states HKDF is not good for password storage. So I'm wondering if I should be using a PBKDF2 algorithm in this scenario instead?
I'm not storing the plain-text password, or the keys I derive from them though, which is why I thought HKDF would be ok. I want to make sure I'm doing things securely, and could use any help from someone more experienced.
Thanks!
UPDATE
I just came across this helpful post https://security.stackexchange.com/questions/38303/hkdf-and-key-stretching, which leads me to believe I should be using PBKDF2. Still would like some confirmation though if possible.
You should be using PBKDF2 instead of HKDF for one big reason: key-stretching, which "stretches" the amount of time it takes to generate the key from a password and which HKDF does not provide. HKDF is fast, PBKDF2 is slow. The slower, the better, for when an attacker tries a million different passwords -- you want the attacker to give up because it takes too long. Read this answer here for more details: https://security.stackexchange.com/questions/38303/hkdf-and-key-stretching.
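An added example, not part of the original question or answer: deriving the Fernet key with PBKDF2-HMAC-SHA256 and a random per-message salt instead of HKDF. Assumptions: the function names, the `iterations$salt$token` storage layout and the iteration count are chosen for illustration, and the derivation uses the standard library's `hashlib.pbkdf2_hmac` rather than the Cryptography package's own PBKDF2 class.

```python
import base64
import hashlib
import os

# Assumption: a work factor chosen for this example. Raise it as far as
# your latency budget allows; it is stored with each ciphertext so it can
# be increased later without breaking old data.
ITERATIONS = 600_000
SALT_LEN = 16


def derive_fernet_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into the URL-safe base64 32-byte key Fernet expects."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    return base64.urlsafe_b64encode(raw)


def encrypt_text(password: str, plaintext: str) -> bytes:
    """Encrypt with a key derived from the password; returns a storable blob."""
    from cryptography.fernet import Fernet  # same package the question uses

    salt = os.urandom(SALT_LEN)  # fresh salt per encryption, never reused
    token = Fernet(derive_fernet_key(password, salt)).encrypt(plaintext.encode("utf-8"))
    # Salt and iteration count are not secret; keep them next to the token.
    # '$' cannot occur in URL-safe base64, so it is a safe separator.
    return b"%d$%s$%s" % (ITERATIONS, base64.urlsafe_b64encode(salt), token)


def decrypt_text(password: str, blob: bytes) -> str:
    """Re-derive the key from the stored salt and work factor, then decrypt.

    Raises cryptography.fernet.InvalidToken if the password is wrong or the
    token was modified.
    """
    from cryptography.fernet import Fernet

    iterations, salt_b64, token = blob.split(b"$", 2)
    salt = base64.urlsafe_b64decode(salt_b64)
    key = derive_fernet_key(password, salt, int(iterations))
    return Fernet(key).decrypt(token).decode("utf-8")
```

Neither the password nor the derived key is stored; only the salt, the iteration count and the Fernet token are kept.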