This page uses content from Wikipedia and is licensed under CC BY-SA.
In cryptography, a pepper is a secret added to an input such as a password prior to being hashed with a cryptographic hash function. As of 2017, NIST recommends using a secret input when storing memorized secrets such as passwords.
A pepper performs a comparable role to a salt, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but a pepper must be stored separately (e.g. in a configuration file) to prevent it from being obtained by the attacker in case of a database breach. Where the salt only has to be long enough to be unique, a pepper has to be secure to remain secret (at least 112 bits is recommended by NIST), otherwise an attacker only needs one known entry to crack the pepper. Finally, the pepper must be generated anew for every application it is deployed in, otherwise a breach of one application would result in lowered security of another application.
A pepper adds security to a database of salts and hashes because unless the attacker is able to obtain the pepper, they cannot crack a single hash, no matter how weak the original password. If a strong hashing algorithm is not selected, an attacker can brute force the hashes and recover weak passwords. The encryption equivalent of a pepper is the encryption key. By including pepper in the hash, one can have the advantages of both methods: uncrackable passwords so long as the pepper remains unknown to the attacker, and even in the case the pepper is breached, an attacker still has to crack the hashes. For comparison, when encrypting passwords, anyone with knowledge of the encryption key (including system administrators) can instantly decrypt all passwords; hence, it is always recommended to hash passwords instead of encrypting them, even when not using a pepper.
Here is an incomplete example of using a constant pepper when storing passwords. This first table has two username and password combinations.
The password is not stored, and the 8-byte (64-bit) pepper 44534C70C6883DE2 is stored in a secure location separate from the hashed values.
|Username||String to be Hashed||Hashed Value = SHA256 (Password + Pepper)|
In contrast to a salt, a pepper does not on its own protect against identifying users who have the same password, but it does protect against both dictionary attacks and brute-force attacks so long as the attacker does not have the pepper value.
... verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier ...