Questions tagged [pepper]
9 questions
9
votes
1 answer
In-memory pepper
As far as I understand, a problem with the idea of a pepper is that, if it's stored as part of your code, then the hacker can read it if they can access your code.
So I was wondering, would it not be better to store the pepper in memory? I'm…
rid
- 327
- 2
- 7
5
votes
2 answers
Appending a secret (pepper) to Argon2 password hashes
I've read quite a bit of the StackExchange and HackerNews debates on the user of "peppers" in password hash security. There are a number of different implementations of the idea of a pepper, ranging from an additional hardcoded salt in the code…
Prime
- 472
- 6
- 14
5
votes
3 answers
How to securely hash/tokenize a string
A system I'm working on accepts as input a customer account number and needs to generate a token based on it. We're not allowed to store the plain text of the account number itself, so the goal of the token is as follows:
Can not be reversed into…
crgwbr
- 103
- 6
5
votes
2 answers
Hashed passwords storage: iterations vs entropy
Context: A website is hosted on multiple dedicated servers. There are frontend webservers, backend DB servers and other servers between them.
The DB holds user's accounts passwords. All connections are secure and the registration/login pages can not…
HashDoe
- 53
- 6
4
votes
3 answers
How is a pepper used with salted passwords?
How is a pepper (a large constant number) used after a password has been salted with a salt by a hashing function such as bcrypt?
From Sybex CISSP Official Study Guide, 8th Edition (2018):
Adding a pepper to a salted password increases the…
BJ Dela Cruz
- 143
- 5
2
votes
1 answer
Does the use of pepper for passwords violate Kerckhoffs's principle?
Kerckhoffs's second principle:
"It should not require secrecy, and it should not be a problem if it falls into enemy hands."
Does the use of a pepper for passwords violate this principle, since the pepper is considered to be stored somewhere (code…
AleksanderCH
- 711
- 3
- 10
- 23
0
votes
1 answer
Encrypting salted password hash before storing in the database
I have read here and here, that instead of using pepper, it is better to encrypt hashed/salted passwords before storing in the database. Especially with Java, as there's no library for salt/pepper, but just for salt hashing, and I'm not going to…
BbIKTOP
- 105
- 5
0
votes
1 answer
Is a constant pepper at risk if an attacker knows the value and hash?
My app is a educational game for elementary schools, involving no money or anything of value, so I am not worried about sophisticated attackers having any interest in this. Still, I would like to follow best practices in case any of this code ever…
Joshua Frank
- 207
- 1
- 6
-1
votes
1 answer
Using a Pepper as the index to insert a salt
In this question on this board the author of the selected answer states the following.
If you, as an attacker, manage to extract hashes and salts from a database, you probably either find a way to extract the password hashing algorithm of the…
Morgan Brown
- 3
- 1