Yeah, over 20 years ago. It's woefully out of date by modern standards.
PBKDF2 doesn't even attempt memory hardness, so there are whole classes of attacks on later generation slow hashing algorithms that don't even apply to PBKDF2 because of how old it is. Argon2 is extremely resistant to Time-Memory-Trade-Off (TMTO) attacks, which older algorithms like bcrypt and scrypt are vulnerable to.
PBKDF2 is essentially a linear slowdown, which is effectively pointless these days.
bcrypt and scrypt, the successors to PKDF2, are both more than a decade old.
RSA is half a century old and it's still up to date by modern standards. In fact nobody has came up with anything better.
Edit: Actually, bcrypt might be as far as 1999, possibly older than PBKDF2.
RSA is currently a minefield of gotchas and few security companies even get it right. Just generating a good key is actually a very difficult task. It is also very computationally slow and has many practical issues for the level of security it provides.
There are many superior replacements in both pqc and elliptic spaces. I would take EdDSA over rsa-pss any day of the week.
Why does it have to be linear? Just use 1M irritations today, 2M irritations next year, 4M irritations the year after that, and you'll have an exponential version of it.
You can even take your 1M irritated hashes from this year and execute an additional 1M more irritations on them to update them to 2M irritations when you want to upgrade.
