Learning Password Security Jargon: Password Peppering

We already discussed why keeping passwords in plaintext is a monumentally bad idea. To meet the bare minimum cybersecurity standards, service providers must keep your credentials in hashed form. Some go even further and add a little seasoning, a salt, to a password before hashing it. But there’s another way to increase password protection, and that’s peppers.

What is a password pepper?

A pepper is a secret value added to a password before hashing. It can be considered a second salt — another input to change the hash outcome completely. Yet, unlike a salt, it’s not stored in the database along with the hashes. But why do we need salts and peppers in the first place?

The common security practice is running passwords through a one-way function called hashing — never storing them in plaintext. The hashing algorithm takes the data and translates it to a completely different, unrecognizable set of characters — a password hash. When you’re trying to log in, your password hash is compared to the one in the database. If they match, you log in successfully.

The problem is that cybercriminals can run common passwords through the exact same algorithms. Once they see a hash match, they know the original password. So to protect your passwords from dictionary attacks (guessing existing words) and rainbow tables (precomputed hash databases), cryptographers add salts.

A salt is a random string of characters added to your password to make the hash outcome completely different. So a hacker can't simply look up the hash value for a password ‘greentrees’, since a salt would turn it into something like ‘greentreesF&i$#u’. The criminal would have to use brute force, guessing every possible combination for each password, which significantly slows down the hacking process.

A pepper is similar to a salt — a random bit of data added to the password before it’s hashed through an algorithm. But unlike a salt, it’s not kept in the database along with the hash value. Instead, it’s usually hardcoded into the website’s source code.
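
The scheme described above, as an added example that is not part of the original article: a per-user salt is stored beside the hash while the pepper stays outside the database record. Assumptions: the pepper is mixed in with HMAC-SHA256 before a salted PBKDF2 hash (one common construction, not one the article names), and the pepper value, round count and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo pepper. Assumption: a real service loads it from a secret
# store or environment variable, so a database dump alone never contains it.
DEMO_PEPPER = b"constructed-demo-pepper-not-a-real-secret"
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def _digest(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Mix the pepper in with HMAC-SHA256 first, then run the salted slow hash.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ROUNDS)


def hash_password(password: str, pepper: bytes = DEMO_PEPPER) -> dict:
    """Return the record that goes in the database: salt and hash, no pepper."""
    salt = secrets.token_bytes(16)  # unique per user, stored beside the hash
    return {"salt": salt.hex(), "hash": _digest(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper: bytes = DEMO_PEPPER) -> bool:
    salt = bytes.fromhex(record["salt"])
    candidate = _digest(password, salt, pepper)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    record = hash_password("greentrees")
    return {
        "stored_fields": sorted(record),
        "correct_login": verify_password("greentrees", record),
        "wrong_password": verify_password("greentree", record),
        # Same password and salt, but without the real pepper the hash differs,
        # which is what a party holding only the database would compute.
        "right_password_wrong_pepper": verify_password(
            "greentrees", record, pepper=b"guess"),
    }


if __name__ == "__main__":
    print(demo())
```
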

Pros and cons

The biggest advantage of a pepper is the fact that it’s not kept in the database. So in the case of a data breach, even with access to all the hashed passwords, the attacker would not have the pepper and would still need to brute-force the hashes.

However, since the pepper is hardcoded, it’s usually the same bit of data for each password, and it can’t be changed. So following a data breach, the pepper might be more trouble than it’s worth. Additionally, the majority of advanced hashing algorithms are intended to be used with salts. So the implementation of peppers might be a bit impractical.

At the end of the day, one thing remains clear — always use strong, complicated passwords. You can never be sure about the security of the hashing algorithm used by your service provider. And passwords like your pet’s name or your favorite movie are always the first ones to be cracked.
