IMO there is really no reason to use PBKDF2 anymore. Use argon2 unless you, for some reason, do not have WASM support (very old browsers), in that case use scrypt. Happy to hear other opinions about this, but this is my stance.
To back this up, here is what OWASP says on the topic:
- Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
- If Argon2id is not available, use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
- For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.
- If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.
Speaking of which, I might do another pull request to raise the default PBKDF2 iterations to 310000. Anyways, be assured the minimums for scrypt (and argon2) are such that a user cannot pick an insecure configuration.
Dashlane uses Argon2d which is a bit more cracking resistent but weak to side channel.