Cryptography

PBKDF2 and 600,000 Iterations: Slowing Down Attackers

2026-03-16 6 min read

The Problem With Fast Hashing

If hashing a password takes nanoseconds, an attacker can try billions of guesses per second. A modern GPU can compute tens of billions of SHA-256 hashes per second. At that speed, a 4-digit PIN is cracked in microseconds.

Fast hashing is the enemy of PIN security. The solution is not a more complex algorithm — it is a deliberately slower one.

What Is PBKDF2?

PBKDF2 stands for Password-Based Key Derivation Function 2. It deliberately makes key derivation slow by repeating a hash operation many times. Each “iteration” adds computational cost.

The input is your phone number. The output is a 256-bit AES encryption key. Between input and output, the algorithm runs HMAC-SHA256 six hundred thousand times in sequence. Each iteration depends on the previous one, so the iterations of a single derivation cannot be parallelized.

Why 600,000?

OWASP’s 2023 recommendation for PBKDF2-HMAC-SHA256 is 600,000 iterations. This represents the current best practice for balancing security against user experience.

We did not pick this number ourselves. We follow the industry standard set by the Open Web Application Security Project, which is updated as hardware capabilities evolve. When OWASP increases the recommendation, we will increase our iteration count.

What This Means in Practice

Deriving the encryption key takes approximately 2 seconds on a modern device. That is 2 seconds every time you enter the chat. It is noticeable — and it is intentional.

You see the loading indicator while the browser’s Web Crypto API runs 600,000 iterations of HMAC-SHA256. This is your device doing real cryptographic work, not a cosmetic delay.

The Attacker’s Math

4-digit: 10,000 combinations, ~5.5 hours
6-digit: 1,000,000 combinations, ~23 days
8-digit: 100,000,000 combinations, ~6.3 years

These estimates assume a single device running at full speed with no rate limiting. In practice, the attacker faces additional barriers that make brute force even less feasible.
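The derivation and the search-time arithmetic described above can be reproduced with the Web Crypto API. This is an added example, not the service's own code. The salt, the AES-GCM key usage, the sample values and every function name are assumptions; the page does not state them.

```javascript
// Added example: PBKDF2-HMAC-SHA256 key stretching with the Web Crypto API.
// The salt, AES-GCM usage and all function names are assumptions.

async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle; // browsers, current Node.js
  return (await import('node:crypto')).webcrypto.subtle;          // older Node.js fallback
}

// Run PBKDF2 and return the 256 derived bits as bytes.
async function stretch(secret, salt, iterations) {
  const subtle = await getSubtle();
  const enc = new TextEncoder();
  const material = await subtle.importKey(
    'raw', enc.encode(secret), 'PBKDF2', false, ['deriveBits']);
  const bits = await subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt: enc.encode(salt), iterations },
    material, 256);
  return new Uint8Array(bits);
}

// Wrap the stretched bytes as a non-extractable AES-256 key.
async function deriveAesKey(secret, salt, iterations = 600000) {
  const subtle = await getSubtle();
  const raw = await stretch(secret, salt, iterations);
  return subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
}

// Worst-case time to try every PIN of a given length at a fixed cost per guess.
function exhaustiveSearchSeconds(digits, secondsPerGuess) {
  return 10 ** digits * secondsPerGuess;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Time one derivation on this machine and scale it to a full PIN search.
async function demo() {
  const start = performance.now();
  await deriveAesKey('4821', 'constructed-room-salt'); // constructed sample values
  const perGuess = (performance.now() - start) / 1000;
  for (const digits of [4, 6, 8]) {
    const hours = exhaustiveSearchSeconds(digits, perGuess) / 3600;
    console.log(`${digits}-digit: ${hours.toFixed(1)} h at ${perGuess.toFixed(2)} s/guess`);
  }
}

demo();
```

At 2 seconds per guess, `exhaustiveSearchSeconds` gives 20,000 s for 4 digits, which is the ~5.5 hours listed above. The measured per-guess time will differ by device.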

Server-Side Protection Too

Our rate limiter locks the room for 30 minutes after 10 failed access attempts. Combined with PBKDF2’s computational cost, brute force becomes impractical even for well-resourced attackers.

The server-side lockout and the client-side key stretching work together as defence in depth. Even if one layer is bypassed, the other remains effective.

Why Not bcrypt or Argon2?

PBKDF2 is natively supported by the Web Crypto API in all modern browsers. bcrypt and Argon2 would require external JavaScript libraries, increasing the attack surface and adding dependencies we cannot fully control.

We chose the standard that ships with the browser. No npm packages, no WASM modules, no third-party code in the cryptographic path. The fewer dependencies in the crypto pipeline, the fewer opportunities for supply chain attacks.

The Tradeoff

Yes, you wait 2 seconds to enter the chat. That 2 seconds is the cost of making your PIN unfeasible to brute force.

Every time you see that loading indicator, your browser is doing the work that would take an attacker hours, days, or years to replicate across all possible PINs. The delay is the security. We think it is worth it.
