Pepper (cryptography): Difference between revisions

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Pepper" cryptography – news · newspapers · books · scholar · JSTOR (December 2016) (Learn how and when to remove this message) This article needs attention from an expert in Cryptography. Please add a reason or a talk parameter to this template to explain the issue with the article. WikiProject Cryptography may be able to help recruit an expert. (May 2016) (Learn how and when to remove this message)

In cryptography, a pepper is a secret added to an input such as a password prior to being hashed with a cryptographic hash function. A pepper performs a similar role to a salt, but while a salt is stored alongside the hashed output, a pepper is not. A pepper usually meets one of two criteria:

• The pepper is at least as long as the salt and is stored separately from the value to be hashed, often as an application secret.
• The pepper is small and randomly generated for each input to be hashed, and is never stored. To verify whether an input matches, the application iterates through the full set of possible values for the pepper (to avoid timing attacks), testing each resulting hash in turn^{[1][dubious – discuss]}

A pepper adds security to a database of hashes because it increases the number of secret values that must be recovered (whether by brute force or discovery) to recover the inputs.

Here is an incomplete example of using a constant pepper when storing passwords. This first table has two username and password combinations.

The password is not stored, and the 8-byte (64-bit) pepper 44534C70C6883DE2 is stored in a secure location separate to the hashed values.

In contrast to a salt, a pepper does not on its own protect against identifying users who have the same password, but it does protect against dictionary attacks unless the attacker has the pepper value. As a pepper will not be shared between applications, an attacker will be unable to directly match hashes from one leaked database to another.

A complete password storage scheme would typically include a salt and pepper.

• passwd
• Salt (cryptography)