Cryptography
Pepper
Also known as: Server-side key, Secret pepper
Definition
A server-side secret combined with each password before hashing and held outside the database (in application configuration, a secrets manager or an HSM), so that a leaked table of salts and hashes cannot be cracked offline without also obtaining the pepper.
Examples
- HMAC-SHA-256(pepper, password) computed in the application, with the result then salted and hashed with Argon2id; the per-user salt is stored in the database record, the pepper is not.
- Storing the pepper in an HSM and computing the HMAC inside it, so the application only ever sees the keyed output and cannot exfiltrate the pepper itself.
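The first example above (pepper applied as an HMAC key, output fed to a salted memory-hard KDF) as an added, runnable example; it is not code from the glossary or from any particular library. The glossary names Argon2id as the final step; this block swaps in scrypt from Python's standard library purely so that it runs without third-party packages, and the pepper value, the record format `scrypt$N$r$p$salt_hex$hash_hex` and the cost parameters are constructed for the example.

```python
"""Pepper + salt + memory-hard KDF: added example, not the glossary's own code.

Construction: pre = HMAC-SHA-256(key=pepper, msg=password); then
record = scrypt(pre, salt). The glossary's example uses Argon2id for the
second step; scrypt (hashlib.scrypt) is used here only because it ships
with the Python standard library. The design point is identical: the salt
lives in the stored record, the pepper lives somewhere else.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example. In production the pepper is loaded from an
# environment variable, a secrets manager or an HSM, never stored in the
# same database as the password records.
PEPPER = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)

# Example cost parameters (assumption, tune for your hardware):
# memory use is 128 * r * N bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def prehash(password: str, pepper: bytes) -> bytes:
    """HMAC-SHA-256 keyed with the pepper.

    Without the pepper an attacker holding only the database cannot even
    compute the input to the KDF, so the leaked salts and hashes alone
    are not enough to mount an offline guessing attack.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    The salt is random per user and stored in the record; the pepper is
    deliberately absent from it.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(prehash(password, pepper), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, pepper: bytes, record: str) -> bool:
    """Recompute with the record's own parameters; compare in constant time.

    Any malformed record (wrong field count, bad hex, invalid scrypt
    parameters) verifies as False rather than raising.
    """
    try:
        algo, n, r, p, salt_hex, dk_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        actual = hashlib.scrypt(prehash(password, pepper), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", PEPPER)
    print(rec)
    # Correct password and pepper: True
    print(verify_password("correct horse battery staple", PEPPER, rec))
    # Correct password, but the attacker only has the database, not the pepper: False
    print(verify_password("correct horse battery staple", b"guessed-pepper", rec))
```

Two practical notes. The HMAC output is fed to the KDF as raw bytes; if the second step were bcrypt instead, the 32-byte digest should be base64-encoded first, because bcrypt stops at a NUL byte and truncates input at 72 bytes. And because the pepper is mixed in before the slow hash, rotating it means re-hashing every record at the user's next login (or wrapping the stored hash in a second keyed layer), so treat pepper rotation as a designed procedure rather than an afterthought.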
Related terms
Salt
A unique random value combined with a password before hashing to defeat rainbow tables and ensure each user's hash is distinct.
Argon2
A modern memory-hard password hashing function and KDF, winner of the 2015 Password Hashing Competition and specified in RFC 9106.
Key Derivation Function (KDF)
A cryptographic function that derives one or more strong cryptographic keys from a secret input such as a password, shared secret or master key.
HMAC
A keyed Message Authentication Code construction built on top of a cryptographic hash function, defined in RFC 2104 and FIPS 198-1.
bcrypt
An adaptive password-hashing function based on the Blowfish cipher with a tunable cost factor, designed by Provos and Mazières in 1999.
Cryptographic Key
A high-entropy secret or public value that parameterizes a cryptographic algorithm to encrypt, decrypt, sign or authenticate data.