The current default set of parameters (in `$wgPasswordConfig`) used when hashing a new password using PBKDF2 is:

'pbkdf2' => [ 'class' => 'Pbkdf2Password', 'algo' => 'sha256', 'cost' => '10000', 'length' => '128', ],

The output length ("length") is 128 bytes * 8 bits/byte = 1024 bits, which is 4 times the output length of SHA-256. This means 4 PBKDF2 output blocks are used.

Because we are not trying to derive a 1024-bit encryption key, the time spent generating three additional output blocks could perhaps be better spent on additional iterations ("cost"). In PBKDF2, each output block is generated independently from the password and salt, so producing multiple blocks is trivially parallelizable, and it adds nothing to the work of password cracking: an attacker only needs to compute and check the first block for each guess.

So we should seriously consider using the output length of the hash function (32 bytes) and possibly increasing "cost" to a higher number like 10000 * 4 = 40000 by default, and 64000 * 4 = 256000 for Wikimedia.
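To make the cost argument concrete, here is an added example (not MediaWiki's own `Pbkdf2Password` code) using Python's `hashlib.pbkdf2_hmac` instead of the PHP class. It checks that the first 32 bytes of a 128-byte PBKDF2-SHA256 output are identical to the 32-byte output at the same cost (block independence), and counts the HMAC invocations the server versus a guess-checker must perform under the current and proposed parameters. The password and salt are constructed sample values.

```python
import hashlib

SHA256_LEN = 32  # bytes of output per SHA-256 block

# Current default from $wgPasswordConfig['pbkdf2'] (values from the page).
CURRENT = {"cost": 10000, "length": 128}
# Proposed: one hash-output block, cost raised by the same factor of 4.
PROPOSED = {"cost": 40000, "length": 32}


def first_block_matches(password: bytes, salt: bytes, cost: int, length: int) -> bool:
    """PBKDF2 output blocks are independent, so the first SHA256_LEN bytes of a
    long output equal the short output computed with the same cost."""
    full = hashlib.pbkdf2_hmac("sha256", password, salt, cost, length)
    first = hashlib.pbkdf2_hmac("sha256", password, salt, cost, SHA256_LEN)
    return full[:SHA256_LEN] == first


def prf_calls(cost: int, length: int, hash_len: int = SHA256_LEN) -> dict:
    """HMAC invocations per password: the server must derive every block to
    produce/verify the stored hash, while a guess-checker only needs block 1."""
    blocks = -(-length // hash_len)  # ceil(length / hash_len)
    return {"blocks": blocks, "server": blocks * cost, "cracker": cost}


def compare(params: dict) -> dict:
    """Cost accounting for one parameter set, including the attacker's share
    of the server's work (1.0 means every server cycle is also attacker cost)."""
    calls = prf_calls(params["cost"], params["length"])
    calls["attacker_share"] = calls["cracker"] / calls["server"]
    return calls


if __name__ == "__main__":
    pw, salt = b"correct horse battery", b"constructed-salt-value"  # constructed sample
    print("first block independent of length:",
          first_block_matches(pw, salt, CURRENT["cost"], CURRENT["length"]))
    for name, params in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, compare(params))
```

With the current defaults the server performs 40000 HMAC calls per login but a guess costs only 10000; with 32-byte output and cost 40000 the server does the same work and every one of those calls also lands on the attacker.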