Adding layers of security with password pepper

Justyna Obara
Cybersecurity Content Writer
Password pepper

When it comes to password security, the more layers of protection your personal or business security system has, the better. There is no such thing as a bullet-proof online service; you never know which malicious tactic hackers may employ to access your accounts. Password pepper is yet another additional security layer protecting against brute force attacks, dictionary attacks, and rainbow tables. Read on to find out what a password pepper is, how it works, and how it can improve your cybersecurity.

What is a password pepper?

The password pepper or peppering—as it’s also called—is strictly connected to the password hashing process. Websites don’t store users’ passwords in plain text because it would allow anyone with access to see them. In most cases, users’ passwords are hashed: Encryption algorithms convert them into complicated strings of characters. This way, even if a site’s database gets breached, hackers must decrypt hashes to get hold of users’ credentials.

A pepper is a secret value—a random string of characters—added to a password before hashing. Unlike salt, another cryptographic way of adding an extra layer of security to your password, pepper doesn’t change. Like a chef's secret ingredient, it stays the same across all dishes: user’s online accounts or — if part of the source code— across users’ databases.

How does password peppering work?

The password pepper changes the value that’s being hashed, resulting in a modified and more secure password hash. The pepper can be hard-coded into the website's source code or added manually by the private or business user.

In the first scenario, the online platform's owner chooses the pepper, taking responsibility for the code’s strength and security. The same pepper is used throughout the site’s database: There are no individual password peppers for users. Following a data breach, hard-coded pepper might be more trouble than it’s worth. If cybercriminals gain access to the source code, they could quickly discover the pepper, and it could compromise the hashed passwords. Also, in this setup, changing the breached pepper requires modifying the source code and redeploying the application, which is rather cumbersome.

For the above reasons, we’ll focus on the second scenario: Peppering passwords by hand. It requires setting up a strong, random code — you can use our password generator for it — and keeping it safe, separately from your login credentials. Adding a pepper to your login credentials means that even if you use a robust password manager like NordPass, you’ll still have to memorize your secret code or keep it in another safe place.

Using password peppering to improve your online security

Password peppering can protect your accounts in case your passwords get compromised. The rising numbers of cybercrime—the most lucrative criminal activity nowadays—show that you can never be too careful or introduce too many layers of protection. No online service provider may be completely bullet-proof breach-wise, which is what LastPass learned the hard way at the end of 2022.

Adding a pepper to your passwords has to be done manually, which extends the time needed to access your accounts. It can be annoying, especially if you are used to the seamless login experience, but it will definitely improve your online security.

People are creatures of habit and convenience and tend to ditch the security practices that are too demanding. Hence, we do not recommend peppering all your passwords — pepper the most important ones. Here’s how to do it:

  1. Create a strong and complex pepper you’ll be able to remember.

    You can think of a pepper as a password: the longer and more complex it is, the better. Make it random and use different kinds of symbols. However, don’t go overboard; the best way to keep your pepper safe is to memorize it!

  2. Create your “base password” and store it in your password manager.

    Use a password generator to create a complex string of characters: Let’s call it “your base password.” Now, save it in your password manager’s encrypted vault.

  3. Add password pepper and update passwords to your most important accounts.

    Once you’ve created your base password, add the pepper and that will be your actual new password. Update your most important accounts using it. Now, when logging in, you’ll have to add the pepper every time to access the account.

    Note: You can include the pepper anywhere in the string of characters constituting your base password. However, to avoid overcomplicating it, add it at the beginning or end of your base password.

  4. Don’t store your pepper in the password manager vault.

    The idea behind peppering your passwords is not to keep all your eggs in one basket. Hence, keeping your secret code in your password manager vault doesn’t make sense. If your passwords leak, the pepper leaks as well. To make password peppering work, keep your pepper safe somewhere else, preferably your head.

Password peppering from a business perspective

From a business perspective, password peppering can cause more trouble than it’s worth. It may interrupt the teams’ cooperation and information sharing, extend the time spent on tasks that could easily be automated, and mess up the results of compliance and password security audits.

Let’s look at other security measures more suited to the business environment. Unlike password peppering, they promote transparency and allow immediate response to cyber threats.

  • Password policy

The password policy is a set of rules and guidelines for creating and managing passwords in the organization. It informs employees how long their passwords should be, what kinds of characters they need to include, and how often they should change them. When enforced automatically by the company’s password manager, password policies give business network administrators control over every password used in their company.

  • Password health

Password health metrics track your company's vulnerable passwords. The NordPass Password Health feature provides insight into the weak, older than 90 days, and reused passwords employees rely on. It allows omitting the risk of data breaches connected with weak passwords instead of mitigating the results of hacker attacks.

  • Data Breach Scanner

Data Breach Scanner notifies you in real time about all data leaks related to your company emails and domains. It can be a real game-changer since, according to IBM's 2023 data security report, companies take 277 days on average to identify and contain a breach. If you respond to the security incident at once, chances are cybercriminals won’t have enough time to use the information against your company.

These are pivotal years for password security. We’re witnessing a shift towards a more user-friendly and secure authentication method: passkeys. Passkeys allow access to your online accounts the same way you unlock your smartphone—via fingerprint or face ID. This new technology combines biometric verification with cryptographic keys, reducing the risks of phishing, brute-force attacks, and other cyber threats.

Some of the largest tech giants—including Amazon, Apple, Google, and Meta—have already joined the FIDO Alliance, an industry association created to “solve the world’s password problem.” NordPass is also a part of FIDO and, along with other members, actively promotes passkeys and makes them accessible to users. That’s why our password manager provides you a way to securely store, access, and share passkeys.


Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.