diff --git a/Gemfile b/Gemfile
index f2958daab9d..72cc4660cb0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -71,8 +71,6 @@ gem "rails_multisite"

 gem "fast_xs", platform: :ruby

-gem "xorcist"
-
 gem "fastimage"

 gem "aws-sdk-s3", require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index 0063bec6aab..aaace45fcfa 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -514,7 +514,6 @@ GEM
 hashdiff (>= 0.4.0, < 2.0.0)
 webrick (1.7.0)
 websocket (1.2.9)
- xorcist (1.1.3)
 xpath (3.2.0)
 nokogiri (~> 1.8)
 yaml-lint (0.1.2)
@@ -666,7 +665,6 @@ DEPENDENCIES
 webdrivers
 webmock
 webrick
- xorcist
 yaml-lint
 yard

diff --git a/lib/pbkdf2.rb b/lib/pbkdf2.rb
index 5546e64d671..385ca5963eb 100644
--- a/lib/pbkdf2.rb
+++ b/lib/pbkdf2.rb
@@ -1,28 +1,13 @@
 # frozen_string_literal: true

-# Note: This logic was originally extracted from the Pbkdf2 gem to fix Ruby 2.0
-# issues, but that gem has gone stale so we won't be returning to it.
-
-require "openssl"
-require "xorcist"
-
 class Pbkdf2
- def self.hash_password(password, salt, iterations, algorithm = "sha256")
- h = OpenSSL::Digest.new(algorithm)
-
- u = ret = prf(h, password, salt + [1].pack("N"))
-
- 2.upto(iterations) do
- u = prf(h, password, u)
- Xorcist.xor!(ret, u)
- end
-
- ret.bytes.map { |b| ("0" + b.to_s(16))[-2..-1] }.join("")
- end
-
- protected
-
- def self.prf(hash_function, password, data)
- OpenSSL::HMAC.digest(hash_function, password, data)
+ def self.hash_password(password, salt, iterations, algorithm = "sha256", length: 32)
+ OpenSSL::KDF.pbkdf2_hmac(
+ password,
+ salt: salt,
+ iterations: iterations,
+ length: length,
+ hash: algorithm,
+ ).unpack1("H*")
 end
 end
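Review bot: The new `length: 32` default in `hash_password` (lib/pbkdf2.rb) reproduces the old output only for the default `sha256`. The removed loop always returned exactly one digest-sized block, so a caller passing `sha512` used to get 64 bytes and now gets 32, and hashes stored under such an algorithm would stop verifying. No callers are visible in this diff; if any pass a non-default algorithm, derive the default from the digest with `length: OpenSSL::Digest.new(algorithm).digest_length`, otherwise document that the length is fixed at 32 bytes. The hunk also drops `require "openssl"` along with `require "xorcist"` although the new body still calls `OpenSSL::KDF`; it is probably loaded elsewhere in the app, but keeping `require "openssl"` at the top keeps the file self-contained. A regression test pinning the hex output for a fixed password, salt and iteration count against the previous implementation would confirm that existing password hashes still verify.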