A key derivation function turns a human password into a cryptographic key that a system can use to encrypt or decrypt data. It does more than a simple hash: a good KDF adds a unique salt and a tunable cost, often with many CPU or memory steps, so each password guess is expensive. Common examples include Argon2, scrypt, and PBKDF2.
KDFs matter because passwords are weak secrets, but encryption keys must be hard to guess. In password managers and other zero-knowledge systems, the master password is fed through a KDF before vault encryption, so stealing an encrypted vault does not instantly expose its contents. Attackers who get ciphertext may try offline brute force; a strong KDF slows that work and raises the cost of guessing. Defenders use KDF settings, rate limiting, and strong password policies together, because a weak KDF can make password theft and credential cracking much easier.



