Article · Wikipedia archive · Last revised Jun 3, 2026

Pepper (cryptography)

In cryptography, a pepper is a secret added to an input such as a password during hashing with a cryptographic hash function. This value differs from a salt in that it is not stored alongside a password hash, but rather the pepper is kept separate using another mechanism, such as a Hardware Security Module. Note that the National Institute of Standards and Technology refers to this value as a secret key rather than a pepper. A pepper is similar in concept to a salt or an encryption key. It is like a salt in that it is a randomized value that is added to a password hash, and it is similar to an encryption key in that it should be kept secret.

Last revised
Jun 3, 2026
Read time
≈ 6 min
Length
1,369 w
Citations
25
Source
Wikipedia ↗

In cryptography, a pepper is a secret added to an input such as a password during hashing with a cryptographic hash function. This value differs from a salt in that it is not stored alongside a password hash, but rather the pepper is kept separate using another mechanism, such as a Hardware Security Module.1 Note that the National Institute of Standards and Technology refers to this value as a secret key rather than a pepper. A pepper is similar in concept to a salt or an encryption key. It is like a salt in that it is a randomized value that is added to a password hash, and it is similar to an encryption key in that it should be kept secret.

A pepper performs a comparable role to a salt or an encryption key, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but, if stored, a pepper must be stored separately to prevent it from being obtained by the attacker in case of a database breach.2

History

The idea of a site- or service-specific salt (in addition to a per-user salt) has a long history, with Steven M. Bellovin proposing a local parameter in a Bugtraq post in 1995.3 In 1996 Udi Manber also described the advantages of such a scheme, terming it a secret salt.4 However, he suggested not storing the value of the secret salt, but instead rediscovering it by trial and error at password verification time. The term pepper has been used, by analogy to salt, but with a variety of meanings. For example, when discussing a challenge-response scheme, pepper has been used for a salt-like quantity, though not used for password storage;5 it has been used for a data transmission technique where a pepper must be guessed;6 and even as a part of jokes.7

The term pepper was proposed for a secret or local parameter stored separately from the password in a discussion of protecting passwords from rainbow table attacks.8 This usage did not immediately catch on: for example, Fred Wenzel added password hashing to Django for storage based on a combination of bcrypt and HMAC with separately stored nonces, without using the term.9 Usage has since become more common.101112

Types

There are multiple different types of pepper:

  • A shared secret that is common to all users.2
  • A randomly-selected number that must be re-discovered on every password input.13

These mechanisms could be combined with password salting, iterated hashing or even one another.1114

Shared-secret pepper

Bellovin and Webster suggest to prepend a shared secret to the password before hashing, which allows easy use of existing hash functions.38 For example, consider two users to be added to a database.

Username Password
user1 password123
user2 password123

This table contains two combinations of username and password. The password is not saved, and the 8-byte (64-bit) 44534C70C6883DE2 pepper is saved in a safe place separate from the output values of the hash, in this case SHA256.

Username Hashing string Hash output value = SHA256 (Password + pepper)
user1 password123+44534C70C6883DE2 D63E21DF3A2A6853C2DC675EDDD4259F3B78490A4988B49FF3DB7B2891B3B48D
user2 password123+44534C70C6883DE2 D63E21DF3A2A6853C2DC675EDDD4259F3B78490A4988B49FF3DB7B2891B3B48D

Unlike the salt, the pepper does not provide protection to users who use the same password, but protects against dictionary attacks, unless the attacker has the pepper value available. Since the same pepper is not shared between different applications, an attacker is unable to reuse the hashes of one compromised database to another. A complete scheme for saving passwords may include both salt and pepper use. For example, it has been suggested to combine the pepper by encrypting salted password hashes, which allows rotation of the pepper.11

In the case of a shared-secret pepper, a single compromised password (via password reuse or other attack) along with a user's salt can lead to an attack to discover the pepper, rendering it ineffective. If an attacker knows a plaintext password and a user's salt, as well as the algorithm used to hash the password, then discovering the pepper can be a matter of brute forcing the values of the pepper. This is why NIST recommends the secret value be at least 112 bits, so that discovering it by exhaustive search is prohibitively expensive.1 The pepper must be generated anew for every application it is deployed in, otherwise a breach of one application would result in lowered security of another application. Without knowledge of the pepper, other passwords in the database will be far more difficult to extract from their hashed values, as the attacker would need to guess the password as well as the pepper.

A pepper adds security to a database of salts and hashes because unless the attacker is able to obtain the pepper, cracking even a single hash is intractable, no matter how weak the original password. Even with a list of (salt, hash) pairs, an attacker must also guess the secret pepper in order to find the password which produces the hash. The NIST specification for a secret salt suggests using a Password-Based Key Derivation Function (PBKDF) with an approved Pseudorandom Function such as HMAC with SHA-3 as the hash function of the HMAC. The NIST recommendation is also to perform at least 1000 iterations of the PBKDF, and a further minimum 1000 iterations using the secret salt in place of the non-secret salt.

Randomly-selected pepper that must be re-discovered

The aim of this mechanism is to slow down the password verification step, thus slowing attacks.414 The aim is similar to increasing the iteration count on bcrypt or Argon2, but the mechanism is different. The secret salt or pepper must be rediscovered by the verifier or attacker each time by guessing.

In this situation, the password hashing function is calculated using both the password and the pepper.414 At password storage time, the pepper is chosen randomly from a range between 1 and R, the hash output is calculated using the password and the pepper. The hash output is stored with the username. The pepper is then discarded. At password verification time, the verifier is provided with a username and password to verify. The originally calculated hash is retrieved for the given username, and then the hash of the password and each value between 1 and R is calculated. If any of these hash values match the stored password hash, the password is considered valid. Note, the possible values of the pepper should not be tested in a fixed order known to an attacker, otherwise a timing attack may reveal the pepper.14 If the password is correct, the correct pepper will be found in R/2 hash evaluations on average. If the password is incorrect, all R values must be tested before the password can be rejected.

See also

See also

References

References

  1. "NIST Special Publication 800-63B". 2022-12-16. Section 5.1.1.2. Retrieved 2023-10-10. ... verifiers SHOULD perform an additional iteration of a keyed hashing or encryption operation using a secret key known only to the verifier
  2. Akhawe, Devdatta (2016-09-21). "How Dropbox securely stores your passwords". Dropbox.tech. Retrieved 2020-11-04.
  3. Bellovin, Steve (1995-04-16). "passwd hashing algorithm". seclists. Retrieved 2020-11-11.
  4. Manber, Udi (1996). "A simple scheme to make passwords based on one-way functions much harder to crack". Computers & Security. 15 (2): 171–176. doi:10.1016/0167-4048(96)00003-x. Retrieved 2020-11-11.
  5. Blake, Ross; Jackson, Collin; Miyake, Nick; Boneh, Dan; Mitchell, John (2005). "Stronger Password Authentication Using Browser Extensions". USENIX Security Symposium: 17–32. Retrieved 2020-11-11.
  6. Schöning, Lars (January 25, 2006). "Hash only (Pepper) data transmission". Newsgroupsci.crypt. Retrieved 2026-05-27.
  7. cyrusthevirus (June 7, 2007). "Bruce Schneier Facts". Newsgroupit.test. Most people salt their hash. Bruce salt and peppers his.
  8. Webster, Craig (2009-08-03). "Securing Passwords with Salt, Pepper and Rainbows". Barking Iguana. Retrieved 2020-11-11.
  9. Wenzel, Fred (2011-03-12). "History for django-sha2/django_sha2/bcrypt_auth.py". Github. Retrieved 2020-11-11.
  10. Patrick Mylund Nielsen (May 30, 2012). "Generating Salt for encryption using golang". golang-nuts (Mailing list).
  11. Duong, Thai (2020-09-05). "Why you want to encrypt password hashes". vnhacker blogspot. Retrieved 2020-11-11.
  12. @Sc00bzT (2020-09-18). "Pepper use to mean "a non-cryptographic salt"" (Tweet) – via Twitter.
  13. "Brute Force Attack on UNIX Passwords with SIMD Computer" (PDF). August 1999.
  14. van Oorschot, Paul (2021). Computer Security and the Internet. Switzerland: Springer. ISBN 978-3-030-83410-4. Retrieved 2026-05-30.
External links