diff --git a/stapler/token_manager.py b/stapler/token_manager.py
index a1b1982..3495265 100644
--- a/stapler/token_manager.py
+++ b/stapler/token_manager.py
@@ -15,6 +15,7 @@ class TokenManager:
 __slots__ = [
 "last_file_change",
 "logger",
+ "pbkdf2_iterations",
 "registry",
 "token_hashes",
 "token_salt",
@@ -23,11 +24,14 @@ class TokenManager:
 FILE = ".tokens"
- def __init__(self, params: Parameters, registry: Registry) -> None:
+ def __init__(
+ self, params: Parameters, registry: Registry, pbkdf2_iterations: int = 500_000
+ ) -> None:
 self.logger: logging.Logger = logging.getLogger(self.__class__.__name__)
- self.token_salt: str = params.token_salt
+ self.token_salt: bytes = params.token_salt.encode()
 self.tokens_file: pathlib.Path = pathlib.Path(params.data_dir) / self.FILE
 self.registry: Registry = registry
+ self.pbkdf2_iterations: int = pbkdf2_iterations
 self.token_hashes: list[str] = []
 self.last_file_change: int | float = 0
@@ -71,9 +75,9 @@ class TokenManager:
 return False
 def __hash_token(self, token: str) -> str:
- return hashlib.sha512(
- (self.token_salt + token).encode(), usedforsecurity=True
- ).hexdigest()
+ return hashlib.pbkdf2_hmac(
+ "sha256", token.encode(), self.token_salt, self.pbkdf2_iterations
+ ).hex()
 def __load_hashes(self) -> list[str]:
 if self.tokens_file.is_file():
diff --git a/tests/test_token_manager.py b/tests/test_token_manager.py
index 951f885..39998ec 100644
--- a/tests/test_token_manager.py
+++ b/tests/test_token_manager.py
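Review bot: The new `pbkdf2_iterations` parameter and the change of `token_salt` from `str` to `bytes` in `__init__` are undocumented, and nothing tells a caller that the 500_000 default is the security-relevant setting while the accompanying tests pass 1 only to stay fast. Suggest a docstring on `__init__` stating that `pbkdf2_iterations` is the PBKDF2-HMAC work factor applied to every token hash, that lowering it weakens the stored hashes and is meant for tests only, and that the salt is held as bytes because `hashlib.pbkdf2_hmac` takes a bytes salt. Since the value is per instance and is not recorded with the hashes, the docstring should also say that changing it invalidates every hash already stored in the tokens file.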
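Review bot: Hashes produced by the new `__hash_token` are 64-character PBKDF2-HMAC-SHA256 hex strings, while a `.tokens` file written by the previous version holds 128-character salted-SHA-512 digests, so after this upgrade `__load_hashes` (its body lies outside the hunk) loads entries no token can ever match and every previously issued token is silently invalidated; the commit neither migrates the file nor documents the cut-over. Because the stored value also carries no iteration count, any later change to `pbkdf2_iterations` repeats that breakage. Suggest writing a self-describing entry, e.g. `"pbkdf2_sha256$" + str(self.pbkdf2_iterations) + "$" + digest.hex()` (constructed example), and parsing the prefix on load so the work factor can be raised without locking existing tokens out. A comment on `__hash_token` should also note that the salt is the single deployment-wide `params.token_salt` rather than a per-token value, so PBKDF2 here raises the cost of brute-forcing a leaked tokens file but does not isolate entries from one another.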
@@ -11,9 +11,9 @@ from . import BaseTestCase
 class TestTokenManager(BaseTestCase):
- EMPTY_SALT_HASH = "a04ca803c9fd73c21b721ece14b8b30cd3d9ca1bff752904a46982b881e152d0cdaa463a32e6bce71408de611953bc304ca8000d40d4b06b3f2a70769f69fecc"
- SALT_HASH = "a5f2d8785eb4f064eae60f94e6025f93be32c2c93d2bbd73a982ee5c7ebcc484536487a4f60cfdfcb9ba72da7cebe0ce11afa91f191272e51d8c14be6874824b"
- SECRET_HASH = "9901847ff8c76bd5fb473b7bd2e4f4ddd110332a52a888fd69deb276613885ddf382e5cf1210ed0decdb8010ae3994331a9e0639c3ca7e9e8b110dd50978ce76" # noqa: S105
+ EMPTY_SALT_HASH = "5f88941ac5e26c430d97411ac1103af7a35c753f14aec088fbf34801c099135a"
+ SALT_HASH = "d71b1f52657c77d00b2a8c59b8d12d13c1c1bb2bcfbb85d2a9b804c36ad57a70"
+ SECRET_HASH = "38df428b309308e48c3687e7f90bda0e9cf253568c21ec754a0e076ab4ab6423" # noqa: S105
 @typing.override
 def setUp(self) -> None:
@@ -21,6 +21,7 @@ class TestTokenManager(BaseTestCase):
 self.token_manager = TokenManager(
 Parameters(data_dir=self.get_tmp_dir(), token_salt="salt"), # noqa: S106
 self.registry,
+ pbkdf2_iterations=1,
 )
 self.token_manager.logger = unittest.mock.Mock(logging.Logger)
 self.tmp_tokens_file = self.tmp_path / TokenManager.FILE
@@ -34,7 +35,7 @@ class TestTokenManager(BaseTestCase):
 self.assertListEqual(self.token_manager.token_hashes, [])
 def test_init_weak_salt(self) -> None:
- self.token_manager.token_salt = ""
+ self.token_manager.token_salt = b""
 self.seal_mocks()
 self.token_manager.init()
 self.assert_file_content(
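Review bot: With `pbkdf2_iterations=1` passed in `setUp`, no test covers the production default of 500_000, so a later edit that lowers or drops the default in `TokenManager.__init__` would go unnoticed. Add a test that constructs the manager without the keyword and asserts the default, e.g. `manager = TokenManager(Parameters(data_dir=self.get_tmp_dir(), token_salt="salt"), self.registry)` followed by `self.assertEqual(manager.pbkdf2_iterations, 500_000)`. The hash constants in the first hunk are likewise iteration-1 vectors; a short comment saying so would stop a reader from taking them as production output.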