(PHP 5 >= 5.5.0, PHP 7, PHP 8)
openssl_pbkdf2 — Generates a PKCS5 v2 PBKDF2 string
openssl_pbkdf2( #[\SensitiveParameter] string $password, string $salt, int $key_length, int $iterations, string $digest_algo = "sha1" ): string|false
openssl_pbkdf2() computes PBKDF2 (Password-Based Key Derivation Function 2), a key derivation function defined in PKCS5 v2.
passwordPassword from which the derived key is generated.
saltPBKDF2 recommends a crytographic salt of at least 128 bits (16 bytes).
key_lengthLength of desired output key.
iterationsThe number of iterations desired. » NIST recommends at least 1,000. As of 2023, OWASP recommends 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
digest_algoOptional hash or digest algorithm from openssl_get_md_methods(). Defaults to SHA-1. It is recommended to set it to SHA-256 or SHA-512.
Returns raw binary string or false on failure.
Example #1 openssl_pbkdf2() example
<?php $password = 'password'; $salt = openssl_random_pseudo_bytes(16); $keyLength = 20; $iterations = 600000; $generated_key = openssl_pbkdf2($password, $salt, $keyLength, $iterations, 'sha256'); echo bin2hex($generated_key)."\n"; echo base64_encode($generated_key)."\n"; ?>
© 1997–2025 The PHP Documentation Group
Licensed under the Creative Commons Attribution License v3.0 or later.
https://www.php.net/manual/en/function.openssl-pbkdf2.php