Compare · 4 min read · 2026-02-10
Argon2id vs PBKDF2 — at-a-glance comparison
Side-by-side: speed, memory cost, attack resistance, library support, and which one to pick for new code.
Both are key derivation functions (KDFs). Both turn a passphrase into an encryption key. The difference is where they spend the attacker's budget.
Side by side
- Year standardised: PBKDF2 — 2000 (RFC 2898). Argon2id — 2015 (PHC winner), RFC 9106 in 2021.
- Cost dimension: PBKDF2 — CPU time only. Argon2id — CPU time and RAM (memory-hard).
- GPU/ASIC speedup vs CPU: PBKDF2 — 100×–1000×. Argon2id — close to 1×.
- Standard library support: PBKDF2 — universal (Web Crypto, OpenSSL, every language). Argon2id — common but not universal; usually a separate library.
- OpenPGP standard: PBKDF2 — yes (S2K). Argon2id — yes, since RFC 9580 in 2024.
- Recommended use: PBKDF2 — legacy compatibility. Argon2id — anything new.
Both at default settings
PBKDF2-HMAC-SHA256 with 600,000 iterations: ~250 ms on a laptop CPU; ~500 ns per guess on a GPU.
Argon2id with m=65536 KiB, t=3, p=1: ~250 ms on a laptop CPU; ~10 ms per guess on a GPU.
Same defender cost. 5,000,000× attacker cost. That is the entire reason to switch.
When to keep PBKDF2 anyway
- Reading legacy ciphertext encrypted with PBKDF2 — you have no choice.
- Targeting environments without WASM (very old browsers, hardened embedded devices).
- Existing FIPS-140-3 deployments where Argon2id is not yet certified.
For everything else, Argon2id wins. This app uses Argon2id by default and can read PBKDF2-encrypted legacy ciphertexts via a magic-prefix envelope.
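One way a magic-prefix envelope like the one mentioned above can dispatch between the two KDFs, shown as an added example rather than this app's own code. The header layout, the magic values A2ID and PBK2, the parameter limits and the argon2id callable are all assumptions made for illustration; the limits exist because the header is untrusted input and must not be allowed to request unbounded CPU or RAM.

```python
import hashlib
import struct

# Hypothetical envelope layout (an assumption, not this app's real format):
#   4-byte magic | three big-endian uint32 params | 16-byte salt | ciphertext
HEADER = struct.Struct(">4sIII16s")
MAGIC_ARGON2ID = b"A2ID"  # params: m (KiB), t, p
MAGIC_PBKDF2 = b"PBK2"    # params: iterations, 0, 0 (legacy, read-only)

# The header is attacker-controlled, so cap the work it can request.
# These limits are illustrative assumptions; tune them to the deployment.
LIMITS = {"m": (64, 1_048_576), "t": (1, 16), "p": (1, 8),
          "iterations": (1, 10_000_000)}

def parse_envelope(blob):
    """Return (kdf, params, salt, ciphertext); raise ValueError if invalid."""
    if len(blob) < HEADER.size:
        raise ValueError("envelope shorter than header")
    magic, a, b, c, salt = HEADER.unpack_from(blob)
    if magic == MAGIC_ARGON2ID:
        kdf, params = "argon2id", {"m": a, "t": b, "p": c}
    elif magic == MAGIC_PBKDF2:
        kdf, params = "pbkdf2", {"iterations": a}
    else:
        raise ValueError("unknown magic prefix")
    for name, value in params.items():
        lo, hi = LIMITS[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} outside [{lo}, {hi}]")
    return kdf, params, salt, blob[HEADER.size:]

def derive_key(passphrase, blob, argon2id=None):
    """Derive a 32-byte key with the KDF the envelope names."""
    # argon2id: caller-supplied callable (password, salt, m, t, p, length),
    # because Argon2id usually comes from a separate library.
    kdf, params, salt, _ = parse_envelope(blob)
    password = passphrase.encode("utf-8")
    if kdf == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", password, salt,
                                   params["iterations"], dklen=32)
    if argon2id is None:
        raise RuntimeError("no Argon2id implementation supplied")
    return argon2id(password, salt, params["m"], params["t"], params["p"], 32)

# Constructed sample envelopes (zero salt and dummy ciphertext, demo only).
LEGACY = HEADER.pack(MAGIC_PBKDF2, 600_000, 0, 0, bytes(16)) + b"ct"
CURRENT = HEADER.pack(MAGIC_ARGON2ID, 65536, 3, 1, bytes(16)) + b"ct"
```

The derived key only proves correct once the authenticated decryption of the ciphertext succeeds, so a tampered header that passes the limits still fails closed at that step.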