Peppering isn't just a word related to culinary skills; it is also an important cryptography process in password security. It is essential that passwords are kept safe and secure from the attacks of hackers. Peppering helps to do that. What is peppering, and how does it help keep your passwords safe?

What Is Peppering?

Peppering is a cryptographic process that entails adding a secret and random string of characters to a password before it is salted and hashed to make it more secure. The string of characters added to the password is called a pepper. The pepper changes the hash of a password altogether and makes it immune to brute force attacks and password cracking using dictionary tables and rainbow tables.

How Does Peppering Work?

Peppering is an extra layer of security added to passwords. Think of it as different toppings on a cake. The plain cake is a plaintext password and hashing is the final topping—say, sprinkles. If you put sprinkles directly on the cake, it wouldn't look much good. It's the same with password security.

Just hashing a password isn't secure because the password can easily be cracked. That is why the other toppings, salt and pepper (ironically), make the cake better—as they do with passwords

blue digital lock graphic

So what does it actually mean for a password to be hashed? Hashing is a one-way encryption process in cryptography. Passwords that are hashed are basically scrambled and instead of storing the plaintext passwords in a database, the hashes are stored. When you enter your password, it is hashed and then compared with the hashed password in the database. That's how the system validates your identity.

Just like salting, a pepper is appended to a password to make it more secure. So a password is transformed from just a plaintext password to the hash of a password+salt+pepper. So in the event that a hacker gets access to the salts and/or even the passwords of users, the hacker would be unable to decrypt the hashed password because the pepper changes the hash altogether.

For example, compare the hash of a plain password, a salted password, and a peppered password. Let the password be '1yAm0r1a!', the salt 'eW3dU%', and the pepper 'Am41a?'.

Password Text

Hashed Password

Plaintext Password

1yAm0r1a!

c243787fb465db7b550974bd0801616845c4c36b260ab1e90b5f1524d9babd69

Salted Password

1yAm0r1a!eW3dU%

06b63a0d575ce62e39cc9942ad835f276ac0b959dd04837e007209e274e2fbdb

Peppered password

1yAm0r1a!eW3dU% Am41a?

fb33c3dfc404e9ee22b1ea246cf244e7495128dbc49c6af27a86dc7ee2992553

Can a Pepper Be Used Without a Salt?

Yes, a password can be used without a salt. But this is not ideal for password security. If an attacker gets to know a site's pepper, that site becomes vulnerable to attack because the pepper is used for all the passwords in the database.

What Is the Difference Between Peppering and Salting?

In a way, a pepper is a type of salt. They both make passwords more secure, but they are different. Unlike salts, peppers are secret, static-wide, and not randomly generated.

Peppers Are Not Randomly Generated

salt-pepper-in-shaker

When you sign in to a website and input your password, before it is hashed, a salt is randomly generated for you. This is not the same with peppering.

In peppering, the owner of the site chooses the pepper. The site owner is tasked with the responsibility of ensuring that the pepper chosen is secure and strong enough. Of course, the site owner can choose to use a random value generator to choose a pepper.

Peppers Are Static-Wide

When something is static, it means that it doesn't change. In salting, each salt is generated for every user on the database. But a pepper is used throughout the database. There are no peppers for individual users.

Peppers Are Kept Secret

Unlike salts which can be found in the database of a site, peppers are secret. They are not stored in the database alongside the salts and hashes; that would make peppers pointless.

Instead, peppers are stored in a secure and separate part of the site application. This is important because in the event that a hacker compromises a site and gets access to the passwords and salts of users on that site, they would not be able to crack any passwords because they don't know the pepper.

Choosing a Good Pepper

Choosing a good pepper is as important as choosing a good password. Just like passwords, peppers should be reasonably long, and unique. Remember that a pepper is used throughout the site; if a hacker brute forces or guesses the pepper, your site would be vulnerable. Do not use the name of your site as a pepper. That's the equivalent of using "Password123" as your password.

Another alternative is to use a password generator. There are many password generators online that could be used to choose a good pepper.

Code on a PC screen with padlock symbol

Another method of peppering is to not store the pepper at all. Instead, the pepper is a short string and when a user logs into the site, the system brute forces or runs through a series of possible peppers until the right one is used. This takes a longer time, so a short pepper has to be used.

An easy yet unsecure example of this method is making the pepper alphabetical. When you log in, the site runs through every letter of the alphabet—lower and uppercase—until the pepper is correct.

Although it is typical to use one pepper across a site, it is possible to have more than one at a time. A pepper is assigned randomly to a user at registration from a group of peppers. When that user logs in, every pepper is tried until the one assigned to that user is chosen.

Is Peppering Effective in Boosting Security?

Yes. When a pepper is used with a salt, it is incredibly difficult for a hacker to crack a user's password. Even when users use weak passwords or the same passwords, a hacker would never know because the pepper changes the hash. With peppering, the security of passwords is very much increased.