RndPhrase / RndPhrase.js

Javascript module to auto generate secure passwords

Consider increasing the number of iterations #23

Closed Genbox closed 7 years ago

Genbox commented 7 years ago

Browsers today have implemented PBKDF2 in C, and as such it is quite fast. 100 iterations does not take a lot of time, and you should consider increasing the number of iterations to 10.000 or more. For the optimal number of iterations, use Performance.now() to measure how many milliseconds it takes to run X iterations. You should aim for 25 to 150 ms depending on the performance of your machine and the security level you want.

On my machine, 50.000 iterations takes around 30 ms, which is reasonable for a user to wait for a password to be derived.
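The measurement described in the comment above, as an added example that is not part of the original issue or of RndPhrase.js: it times a PBKDF2 probe with WebCrypto and `performance.now()`, takes the median of several runs, and scales the count to a time budget. The function names, the SHA-256 choice, the sample password and salt, and the rounding to whole thousands are assumptions made for illustration.

```javascript
// Added example: calibrate a PBKDF2 iteration count against a time budget.
// All names and inputs are constructed; none come from RndPhrase.js.
const PROBE_ITERATIONS = 50000; // probe size, the figure quoted in the issue
const MIN_ITERATIONS = 10000;   // floor, the minimum suggested in the issue

// Time one PBKDF2-HMAC-SHA-256 derivation with WebCrypto, in milliseconds.
async function timePbkdf2(iterations) {
  const enc = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw', enc.encode('constructed sample password'), 'PBKDF2', false, ['deriveBits']);
  const start = performance.now();
  await crypto.subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt: enc.encode('constructed salt'), iterations },
    key, 256);
  return performance.now() - start;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// PBKDF2 cost is linear in the iteration count, so scale the probe to the target.
function scaleIterations(probeMs, probeIterations, targetMs, floor = MIN_ITERATIONS) {
  // Browsers coarsen performance.now(); a zero reading cannot be scaled.
  if (!(probeMs > 0)) return floor;
  const scaled = Math.round((probeIterations * targetMs / probeMs) / 1000) * 1000;
  return Math.max(floor, scaled); // never drop below the floor on fast hardware
}

// The median of several runs damps warm-up and scheduler noise.
// `timer` is injectable so the scaling can be exercised without real timing.
async function calibrate(targetMs, runs = 5, timer = timePbkdf2) {
  const samples = [];
  for (let i = 0; i < runs; i++) samples.push(await timer(PROBE_ITERATIONS));
  return scaleIterations(median(samples), PROBE_ITERATIONS, targetMs);
}
```

PBKDF2 output depends on the iteration count, so a value chosen this way has to be fixed and stored rather than re-measured on each device, or the same inputs will derive a different password.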

rlindsgaard commented 7 years ago

Resolved by https://github.com/RndPhrase/RndPhrase.js/commit/31ec219a5a4e258880aba9de67bb0d8b069a2685