NEW 277601
WebCrypto PBKDF2 API is not optimized
https://bugs.webkit.org/show_bug.cgi?id=277601
zjc
Reported 2024-08-04 01:05:55 PDT
Safari's PBKDF2 performance is not optimized. Here's a comparison with Chrome and FastPBKDF2:

```js
async function pbkdf2(algo) {
  // Random 16-byte password; only the derivation time is of interest
  const pwd = crypto.getRandomValues(new Uint8Array(16))
  const k = await crypto.subtle.importKey('raw', pwd, 'PBKDF2', false, ['deriveBits'])
  // Time a single deriveBits call at 2^23 iterations
  console.time(algo)
  const buf = await crypto.subtle.deriveBits({
    iterations: 8388608,
    salt: new Uint8Array(0),
    name: 'PBKDF2',
    hash: algo,
  }, k, 256)
  console.timeEnd(algo)
}
pbkdf2('SHA-256')
pbkdf2('SHA-512')
```

FastPBKDF2:

```bash
git clone https://github.com/ctz/fastpbkdf2
cd fastpbkdf2
make
./bench 23
```

Benchmark result (MacBookPro M1):

|            | SHA256 (ms) | SHA512 (ms) |
|------------|-------------|-------------|
| Safari     | 1287        | 4816        |
| Chrome     | 827         | 2855        |
| FastPBKDF2 | 580         | 1610        |

PBKDF2 is the only API on the Web that allows for a specified cost, so efficiency is very important. Higher performance means that passwords can be iterated more times in the same amount of time, and the attacker has a higher cost to crack.

I hope that FastPBKDF2 or similar optimizations will be adopted so that more CPU resources can be used for cryptographic calculations instead of meaningless overhead.
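The cost argument in the report above, as an added example that is not part of the original report: a calibration routine that measures the local WebCrypto PBKDF2 speed and converts a time budget into an iteration count, plus the report's SHA-256 timings rescaled to one budget. The function names, `PROBE_ITERATIONS` and `FLOOR_ITERATIONS` are assumptions made for illustration.

```javascript
// Added example, not code from the bug report. Constants are assumptions.
const PROBE_ITERATIONS = 200000; // constructed probe size
const FLOOR_ITERATIONS = 600000; // assumed policy minimum, never calibrated below

// WebCrypto: global in browsers and recent Node, else node:crypto.webcrypto.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// One PBKDF2 run; returns the derived bytes and the elapsed milliseconds.
async function timedPbkdf2(password, salt, iterations, hash) {
  const subtle = await getSubtle();
  const key = await subtle.importKey('raw', password, 'PBKDF2', false, ['deriveBits']);
  const start = performance.now();
  const bits = await subtle.deriveBits({ name: 'PBKDF2', hash, salt, iterations }, key, 256);
  return { bytes: new Uint8Array(bits), ms: performance.now() - start };
}

// Scale a measurement linearly to a time budget, clamped to the floor.
function iterationsForBudget(probeIterations, probeMs, budgetMs, floor = FLOOR_ITERATIONS) {
  if (!(probeMs > 0) || !(budgetMs > 0)) return floor; // timer too coarse to scale
  return Math.max(floor, Math.floor(probeIterations * (budgetMs / probeMs)));
}

// Probe this engine a few times (fastest run wins) and pick a count for the budget.
async function calibrate(budgetMs, hash = 'SHA-256', runs = 3) {
  const password = new TextEncoder().encode('calibration-only'); // constructed
  const salt = new Uint8Array(16); // constructed; real salts are random per user
  let best = Infinity;
  for (let i = 0; i < runs; i++) {
    const { ms } = await timedPbkdf2(password, salt, PROBE_ITERATIONS, hash);
    best = Math.min(best, ms);
  }
  return iterationsForBudget(PROBE_ITERATIONS, best, budgetMs);
}

// The report's SHA-256 timings for 8388608 iterations, rescaled to Safari's 1287 ms.
function reportComparison() {
  const measuredMs = { Safari: 1287, Chrome: 827, FastPBKDF2: 580 };
  const out = {};
  for (const [name, ms] of Object.entries(measuredMs)) {
    out[name] = iterationsForBudget(8388608, ms, 1287, 0);
  }
  return out;
}
```

A calibrated count differs per device and engine, so it has to be stored next to the salt for the derivation to be repeatable elsewhere.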
Radar WebKit Bug Importer
Comment 1 2024-08-11 01:09:20 PDT