What is Key Stretching?
A technique that makes a short password harder to crack by passing it through a computationally expensive hashing function many times.
Key stretching deliberately slows down password verification, making brute-force attacks impractical.
The Problem
- Users choose short, predictable passwords
- Fast hash functions (SHA-256) can be computed billions of times per second
- An 8-character password hashed once with SHA-256 can be cracked in minutes
The Solution
- Run the password through a slow function thousands or millions of times
- Each guess takes milliseconds instead of nanoseconds
- A billion-guess-per-second attack drops to thousands per second
Algorithms
- Argon2id: Best option — memory-hard and configurable
- bcrypt: Well-established, adjustable cost factor
- scrypt: Memory-hard predecessor to Argon2
- PBKDF2: Older, less resistant to GPU attacks
Real Impact
- PBKDF2 with 100,000 iterations: ~10,000 guesses/sec on a GPU
- Argon2id with 64MB memory: ~100 guesses/sec on a GPU
- SHA-256 alone: ~10,000,000,000 guesses/sec on a GPU
Related Terms
Argon2
The winner of the Password Hashing Competition, designed to be resistant to GPU and ASIC-based cracking by requiring large amounts of memory.
Brute Force Attack
A trial-and-error method of cracking passwords or encryption by systematically trying every possible combination until the correct one is found. While simple in concept, brute force becomes impractical against sufficiently long, random secrets.
Key Derivation Function
A cryptographic function that derives one or more secret keys from a master secret, password, or other source of entropy. KDFs add security through computational cost and produce keys of the required length and format.
Have more questions?
Use our guided flow to get the right next privacy step for Key Stretching.
Open Guided Flow