Questions tagged [pepper]

9 questions
9 votes, 1 answer

In-memory pepper

As far as I understand, a problem with the idea of a pepper is that, if it's stored as part of your code, then the hacker can read it if they can access your code. So I was wondering, would it not be better to store the pepper in memory? I'm…
asked by rid (327 rep, badges 2, 7)
5 votes, 2 answers

Appending a secret (pepper) to Argon2 password hashes

I've read quite a bit of the StackExchange and HackerNews debates on the use of "peppers" in password hash security. There are a number of different implementations of the idea of a pepper, ranging from an additional hardcoded salt in the code…
asked by Prime (472 rep, badges 6, 14)
5 votes, 3 answers

How to securely hash/tokenize a string

A system I'm working on accepts as input a customer account number and needs to generate a token based on it. We're not allowed to store the plain text of the account number itself, so the goal of the token is as follows: Can not be reversed into…
asked by crgwbr (103 rep, badges 6)
5 votes, 2 answers

Hashed passwords storage: iterations vs entropy

Context: A website is hosted on multiple dedicated servers. There are frontend webservers, backend DB servers and other servers between them. The DB holds users' account passwords. All connections are secure and the registration/login pages cannot…
4 votes, 3 answers

How is a pepper used with salted passwords?

How is a pepper (a large constant number) used after a password has been salted with a salt by a hashing function such as bcrypt? From Sybex CISSP Official Study Guide, 8th Edition (2018): Adding a pepper to a salted password increases the…
asked by BJ Dela Cruz (143 rep, badges 5)
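The question above (and the Argon2 question earlier in this list) asks where the pepper goes relative to the salt and the slow hash. The following is an added example, not code from any of the questions or answers on this page: the password is first keyed with the pepper through HMAC, and only that fixed-length output is fed to the salted, slow KDF. The database row records a pepper key id, never the key, so the pepper can be rotated at the user's next login. PBKDF2-HMAC-SHA256 from the standard library stands in for Argon2 or bcrypt so the example runs offline; the pepper handling is the same with either. `PEPPER_KEYS`, `CURRENT_PEPPER_ID`, `hash_password`, `verify_password` and `needs_rehash` are names chosen here, and the key bytes are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Pepper keys are held outside the database (environment, secret manager, HSM,
# or process memory). Constructed sample values for this example only; real
# deployments generate them with a CSPRNG and never commit them to source.
PEPPER_KEYS = {
    1: bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    2: bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"),
}
CURRENT_PEPPER_ID = 2

# PBKDF2-HMAC-SHA256 stands in for Argon2/bcrypt so the example needs only the
# standard library; tune the cost so one hash takes on the order of 100 ms.
ITERATIONS = 600_000


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the secret pepper to the password with HMAC.

    The output is always 32 bytes, so the slow KDF never sees the raw password
    or a length-capped concatenation (bcrypt, for instance, truncates at 72 bytes).
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper_id: int = CURRENT_PEPPER_ID,
                  pepper_keys: dict = PEPPER_KEYS, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> dict:
    """Return the record to store in the database: everything except the pepper."""
    salt = salt if salt is not None else os.urandom(16)  # per-user salt, not secret
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper_keys[pepper_id]),
                                 salt, iterations)
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "pepper_id": pepper_id,  # which pepper key was used, never the key itself
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict,
                    pepper_keys: dict = PEPPER_KEYS) -> bool:
    """Recompute the hash with the pepper named in the record and compare."""
    pepper = pepper_keys.get(record["pepper_id"])
    if pepper is None:
        # A dumped DB row is not enough on its own: without the pepper neither
        # the application nor an attacker can recompute or test candidates.
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict, pepper_id: int = CURRENT_PEPPER_ID,
                 iterations: int = ITERATIONS) -> bool:
    """True when the record uses an old pepper or a lower cost; rehash on next login."""
    return record["pepper_id"] != pepper_id or record["iterations"] < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", pepper_id=1)
    assert verify_password("correct horse battery staple", rec)
    assert not verify_password("wrong password", rec)
    assert needs_rehash(rec)  # stored under pepper 1 while pepper 2 is current
    rec = hash_password("correct horse battery staple")  # rotate after a successful login
    assert not needs_rehash(rec)
    assert not verify_password("correct horse battery staple", rec, pepper_keys={})
    print("ok")
```

Two properties worth noting: a rotated pepper does not invalidate old records, because each record names the key that produced it; and if the pepper itself leaks, the scheme degrades to an ordinary salted slow hash rather than anything weaker, which is the answer to the "constant pepper at risk" question lower on this page.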
2 votes, 1 answer

Does the use of pepper for passwords violate Kerckhoffs's principle?

Kerckhoffs's second principle: "It should not require secrecy, and it should not be a problem if it falls into enemy hands." Does the use of a pepper for passwords violate this principle, since the pepper is considered to be stored somewhere (code…
asked by AleksanderCH (711 rep, badges 3, 10, 23)
0 votes, 1 answer

Encrypting salted password hash before storing in the database

I have read here and here, that instead of using pepper, it is better to encrypt hashed/salted passwords before storing in the database. Especially with Java, as there's no library for salt/pepper, but just for salt hashing, and I'm not going to…
asked by BbIKTOP (105 rep, badges 5)
0 votes, 1 answer

Is a constant pepper at risk if an attacker knows the value and hash?

My app is an educational game for elementary schools, involving no money or anything of value, so I am not worried about sophisticated attackers having any interest in this. Still, I would like to follow best practices in case any of this code ever…
asked by Joshua Frank (207 rep, badges 1, 6)
-1 votes, 1 answer

Using a Pepper as the index to insert a salt

In this question on this board the author of the selected answer states the following. If you, as an attacker, manage to extract hashes and salts from a database, you probably either find a way to extract the password hashing algorithm of the…