Menu
I'm using PBKDF2 to derive a key from a password string in my app and I just have a few questions about it.
First is I saw lots of PBKDF2 online using hashes like HMAC-SHA256. What does it mean that it uses HMAC-SHA256 and not just HMAC? I thought HMAC encrypts data with a key.
Second, I read that there was BlackBerry vulnerability because its PBKDF2 function only used one iteration (instead of like 1000). Would one iteration be the same as just hashing the password (say with SHA256).
Thanks
575
asked Dec 29 '25 20:12
Yes, one iteration is the same roughly as calling the underlying hmac function. You don't want to do this, it makes it far easier to compute the function and thus far easier to brute force password choices. More iterations makes the process take longer.
PBKDF2 uses HMAC. HMAC, however, is an algorithm which uses any hash function. You can plug in md5, sha1,sha2, or anything else.
102
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
