diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go
index 08953a6d..a58c72c9 100644
--- a/dataprovider/dataprovider.go
+++ b/dataprovider/dataprovider.go
@@ -954,15 +954,11 @@ func comparePbkdf2PasswordAndHash(password, hashedPassword string) (bool, error)
 		return false, fmt.Errorf("pbkdf2: hash is not in the correct format")
 	}
 	var hashFunc func() hash.Hash
-	var hashSize int
 	if strings.HasPrefix(hashedPassword, pbkdf2SHA256Prefix) {
-		hashSize = sha256.Size
 		hashFunc = sha256.New
 	} else if strings.HasPrefix(hashedPassword, pbkdf2SHA512Prefix) {
-		hashSize = sha512.Size
 		hashFunc = sha512.New
 	} else if strings.HasPrefix(hashedPassword, pbkdf2SHA1Prefix) {
-		hashSize = sha1.Size
 		hashFunc = sha1.New
 	} else {
 		return false, fmt.Errorf("pbkdf2: invalid or unsupported hash format %v", vals[1])
@@ -972,11 +968,12 @@ func comparePbkdf2PasswordAndHash(password, hashedPassword string) (bool, error)
 		return false, err
 	}
 	salt := vals[3]
-	expected := vals[4]
-	df := pbkdf2.Key([]byte(password), []byte(salt), iterations, hashSize, hashFunc)
-	buf := make([]byte, base64.StdEncoding.EncodedLen(len(df)))
-	base64.StdEncoding.Encode(buf, df)
-	return subtle.ConstantTimeCompare(buf, []byte(expected)) == 1, nil
+	expected, err := base64.StdEncoding.DecodeString(vals[4])
+	if err != nil {
+		return false, err
+	}
+	df := pbkdf2.Key([]byte(password), []byte(salt), iterations, len(expected), hashFunc)
+	return subtle.ConstantTimeCompare(df, expected) == 1, nil
 }
 
 // HideUserSensitiveData hides user sensitive data
diff --git a/sftpd/sftpd_test.go b/sftpd/sftpd_test.go
index 249d1425..b83195c1 100644
--- a/sftpd/sftpd_test.go
+++ b/sftpd/sftpd_test.go
@@ -2514,12 +2514,12 @@ func TestPasswordsHashPbkdf2Sha256(t *testing.T) {
 	user.Password = pbkdf2ClearPwd
 	client, err := getSftpClient(user, usePubKey)
 	if err != nil {
-		t.Errorf("unable to login with pkkdf2 sha1 password: %v", err)
+		t.Errorf("unable to login with pkkdf2 sha256 password: %v", err)
 	} else {
 		defer client.Close()
 		_, err = client.Getwd()
 		if err != nil {
-			t.Errorf("unable to get working dir with pkkdf2 sha1 password: %v", err)
+			t.Errorf("unable to get working dir with pkkdf2 sha256 password: %v", err)
 		}
 	}
 	user.Password = pbkdf2Pwd
@@ -2547,12 +2547,12 @@ func TestPasswordsHashPbkdf2Sha512(t *testing.T) {
 	user.Password = pbkdf2ClearPwd
 	client, err := getSftpClient(user, usePubKey)
 	if err != nil {
-		t.Errorf("unable to login with pkkdf2 sha1 password: %v", err)
+		t.Errorf("unable to login with pkkdf2 sha512 password: %v", err)
 	} else {
 		defer client.Close()
 		_, err = client.Getwd()
 		if err != nil {
-			t.Errorf("unable to get working dir with pkkdf2 sha1 password: %v", err)
+			t.Errorf("unable to get working dir with pkkdf2 sha512 password: %v", err)
 		}
 	}
 	user.Password = pbkdf2Pwd