PKCS5 is nice where it can be implemented. Let's say your password is "a". Normally passwords are hashed before they are used, so "a" is really translated to "3f786850e387550fdab836ed7e6dc881de23001b" PCKS5 follows this logic out thousands of iterations, a .... 3f786850e387550fdab836ed7e6dc881de23001b .... 782338a30a2f5c1eef41288a9dddbb22751dc65f .... 7feee70fbd24f8c460d034f0c5fcfeab12b8e77b .... etc and uses the 5,000th (or whatever) hash value as the key. If you use plain old single iteration hashing to obtain the key, the attacker only needs to hash "a" once to see if a is your password, with PKCS5 systems they need to keep hashing 5,000 times before they can see if "a" was the password. Now a normal PC can quickly find the 5,000th hash that starts with "a" as the input, but when you are testing a and then b and then c ... aa ab ac .... etc....it really adds up and it greatly increases the time required for an attacker to brute force or dictionary attack a password, since by the time they find the 5000th hash that starts with "a" they would have been able to try 4,999 other passwords if you used just a single hash of the password. Nothing stops you from making them iteratively hash out your password hundreds of thousands of times, other than the fact that you may not want to wait hours for your password to work . But in theory it could take a year to bruteforce the password "a", it would just take you a year to be able to use it yourself as well . Of course if your password is b and they start at a it will take them two years to brute force it and you can use it once every year !!