This page uses content from Wikipedia and is licensed under CC BY-SA.
In cryptography, a pepper is a secret added to an input such as a password prior to being hashed with a cryptographic hash function. A pepper performs a similar role to a salt, but while a salt is stored alongside the hashed output, a pepper is not. A pepper usually meets one of two criteria:
A pepper adds security to a database of hashes because it increases the number of secret values that must be recovered (whether by brute force or discovery) to recover the inputs.
Here is an incomplete example of using a constant pepper when storing passwords. This first table has two username and password combinations.
The password is not stored, and the 8-byte (64-bit) pepper 44534C70C6883DE2 is stored in a secure location separate from the hashed values.
Username | String to be Hashed | Hashed Value = SHA256(Password + Pepper)
In contrast to a salt, a pepper on its own does not prevent an attacker from identifying users who share the same password, but it does protect against dictionary attacks unless the attacker also obtains the pepper value. Because a pepper is not shared between applications, an attacker cannot directly match hashes from one leaked database against another.
A complete password storage scheme would typically include a salt and pepper.
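The following is an added example, not code from the Wikipedia article: it reproduces the SHA256(Password + Pepper) scheme from the table above, using the page's 8-byte pepper appended as hex text (an assumption about the "String to be Hashed" column), and places it beside a salt-and-pepper scheme of the kind the last sentence describes. The PBKDF2-then-HMAC construction, the sample accounts and the salts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# The page's constant pepper, 8 bytes written as hex. It belongs in application
# configuration or a secrets store, never in the database beside the hashes.
PEPPER_HEX = "44534C70C6883DE2"

def string_to_hash(password: str, pepper_hex: str = PEPPER_HEX) -> str:
    """The page's 'String to be Hashed' column: pepper hex text appended to the
    password (assumption: the hex text is appended, not the raw 8 bytes)."""
    return password + pepper_hex

def pepper_only_hash(password: str, pepper_hex: str = PEPPER_HEX) -> str:
    """The page's scheme: SHA256(Password + Pepper) as a hex digest, no salt."""
    return hashlib.sha256(string_to_hash(password, pepper_hex).encode("utf-8")).hexdigest()

def salt_and_pepper_hash(password: str, salt: bytes, pepper_hex: str = PEPPER_HEX,
                         iterations: int = 100_000) -> str:
    """Assumed complete scheme (not from the page): a per-user random salt stored
    with the hash, stretched with PBKDF2, then keyed with the pepper through HMAC
    so a stolen database alone is not enough to test password guesses."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.new(bytes.fromhex(pepper_hex), stretched, hashlib.sha256).hexdigest()

def make_record(username: str, password: str, salt: bytes = b"") -> dict:
    """What the database stores: username, salt and hash. The pepper is absent."""
    salt = salt or os.urandom(16)  # constructed callers may pass a fixed salt
    return {"username": username, "salt": salt.hex(),
            "hash": salt_and_pepper_hash(password, salt)}

def verify(record: dict, password: str, pepper_hex: str = PEPPER_HEX) -> bool:
    """Recompute from the stored salt plus the separately held pepper and compare
    in constant time; a wrong pepper fails just like a wrong password."""
    candidate = salt_and_pepper_hash(password, bytes.fromhex(record["salt"]), pepper_hex)
    return hmac.compare_digest(candidate, record["hash"])

if __name__ == "__main__":
    # Constructed sample accounts: both users happen to choose the same password.
    users = [("alice", "password123"), ("bob", "password123")]
    for name, pw in users:
        # Pepper alone: identical passwords give identical hashes, as the text notes.
        print(name, string_to_hash(pw), pepper_only_hash(pw))
    records = [make_record(n, p) for n, p in users]
    for r in records:
        # Salt and pepper: the salts differ, so the stored hashes differ.
        print(r["username"], r["salt"], r["hash"])
    print(verify(records[0], "password123"), verify(records[0], "wrong"))
```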