Key stretching is a cryptographic technique that takes a weak password and runs it through a hashing algorithm thousands or even hundreds of thousands of times, making it dramatically harder for attackers to crack. Without key stretching, a brute-force attack might crack a password in minutes. With it, the same attack could take years.
How Key Stretching Works
Most passwords people choose are relatively short and predictable. An eight-character password has a limited number of possible combinations, and modern hardware can test millions of guesses per second. Key stretching fights this by making each guess expensive to compute.
The core idea is simple: instead of hashing a password once and storing the result, the system hashes it repeatedly in a loop. If a single hash takes 0.001 seconds, running that process 100,000 times means each password guess now takes about 100 seconds. For a legitimate user logging in, that’s a brief delay (the system only needs to verify one password). For an attacker trying millions of guesses, it’s a wall.
The number of times the hash repeats is called the iteration count, and it’s the main dial that controls the strength of key stretching. Higher iteration counts mean more computational cost per guess. This doesn’t change the actual complexity of your password. A weak password still has the same number of possible combinations. But it forces attackers to spend so much time on each attempt that brute-force attacks become impractical.
The Role of Salts
Key stretching almost always works alongside a technique called salting. A salt is a random string of characters that gets added to your password before the hashing begins. Each user gets a unique salt, which means two people with the same password end up with completely different stored hashes.
Without salts, attackers can pre-compute massive lookup tables (called rainbow tables) that map common passwords to their hashed outputs. Once built, these tables let attackers crack passwords almost instantly by simply looking up the hash. A unique salt per user makes those tables useless, because the attacker would need a separate table for every possible salt value. Combined with key stretching, salts force attackers into the slow, expensive process of guessing passwords one at a time.
Common Key Stretching Algorithms
Several algorithms are widely used for key stretching, and they differ primarily in what resources they demand from an attacker.
- PBKDF2 is the oldest and most widely deployed. It repeatedly applies a hash function for a configurable number of iterations. NIST originally recommended a minimum of 1,000 iterations, but that guidance dates to 2010. OWASP now recommends 600,000 iterations when using PBKDF2 with SHA-256. The gap reflects how much faster hardware has gotten: a single Nvidia RTX 4090 graphics card can run PBKDF2-SHA256 at 100,100 iterations at a rate of 90,000 hashes per second.
- bcrypt uses a work factor parameter (minimum of 10 is recommended) that exponentially increases computation time. It has built-in salting and has been a reliable choice for password storage for decades.
- scrypt was designed to be “memory-hard,” meaning it requires large amounts of RAM in addition to CPU time. This makes it expensive to attack with specialized hardware like GPUs or custom chips, which typically have limited memory per core. It takes three parameters: a memory cost, a block size, and a degree of parallelism.
- Argon2id is the newest and currently the top recommendation from security organizations like OWASP. Like scrypt, it’s memory-hard, but it adds finer control with three tunable parameters: minimum memory size, iteration count, and degree of parallelism. These let developers trade off between CPU and RAM usage depending on their system’s constraints.
The trend across these algorithms is clear: newer designs deliberately require memory, not just processing power. That’s because attackers often use GPUs or purpose-built hardware that can perform billions of simple calculations per second but struggle with tasks that demand large blocks of memory for each attempt.
Where Key Stretching Is Used
Key stretching shows up anywhere a human-chosen password needs to protect something valuable. When you log into a website, the server typically runs your password through a key stretching algorithm before comparing it to the stored hash. This means that even if an attacker steals the entire password database, cracking those hashes is painfully slow.
Full-disk encryption tools rely heavily on key stretching. When you set a password to encrypt your laptop’s hard drive, the system uses key stretching to derive the actual encryption key from your password. Your password might be 12 characters, but the derived key behaves as though it’s far more complex. Wi-Fi security uses it too: WPA2-PSK derives its master key by running your Wi-Fi password through PBKDF2 with 4,096 iterations, using your network name as the salt.
File encryption, password managers, and encrypted messaging apps all use key stretching in similar ways. Any time a system needs to turn a memorizable password into a strong cryptographic key, key stretching bridges the gap.
The Security and Speed Trade-off
Key stretching introduces a deliberate delay, and finding the right balance matters. Set the iteration count too low and attackers can still guess passwords quickly. Set it too high and your users sit waiting every time they log in, or your server buckles under the load of verifying passwords during peak traffic.
In practice, most systems aim for the key stretching process to take somewhere between a quarter of a second and one second for a single verification. That’s imperceptible to a user logging in once, but devastating to an attacker who needs to try millions of guesses. Security teams typically benchmark their chosen algorithm on their actual hardware and set the iteration count (or memory and parallelism parameters) as high as their infrastructure can handle without degrading the user experience.
As hardware gets faster, the iteration count needs to go up. What was secure five years ago may not be today. That’s why the jump from NIST’s original 1,000-iteration minimum to OWASP’s current 600,000-iteration recommendation for PBKDF2-SHA256 is so dramatic. Well-designed systems make it straightforward to increase these parameters over time, re-hashing stored passwords at the higher setting the next time each user logs in.
What Key Stretching Does Not Do
Key stretching slows attackers down, but it doesn’t make a terrible password safe. If your password is “password123,” an attacker will try it early in any dictionary attack, and key stretching only delays that single guess by a fraction of a second. The technique works best when combined with a reasonably strong password. It turns a mediocre password into a hard target and a good password into a nearly impossible one.
It’s also worth understanding that key stretching doesn’t increase the actual number of possible passwords. A deterministic process always produces the same output from the same input. What it does is make the cost of testing each possibility so high that the attack becomes economically pointless, even if the number of possibilities hasn’t changed.