Salt
A “salt” is a random value, generated separately for each user, that is combined with the password before it is hashed. The salt is not secret: it is stored next to the resulting hash so that the password can be checked again later. Its primary purpose is to make every hashed password unique, even when two users have chosen identical passwords, which also prevents an attacker from precomputing one table of hashes that works against every record in the database.
Pepper
Pepper is a secret value added to the password before hashing, but unlike the salt it is not stored with the user records. The pepper is a single fixed value (or a small set of values) used across the whole system. It is kept private and away from the user/password records: typically hard-coded into the application, stored in a protected configuration file, or loaded from a secrets store at start-up.
source: https://little-fire.com/salt-and-pepper-in-password-cryptography/
Folding the pepper into the password means that even an attacker who has obtained the hashes and their salts (for example from a dump of the user table) still does not have enough information to recover the original passwords easily: without the pepper they cannot even test a candidate password against a stolen hash.
A pepper that is mixed into the password before hashing cannot be rotated silently: the stored hash can only be recomputed from the plaintext password, so changing the pepper forces every user either to reset their password or to have it transparently re-hashed the next time they log in successfully.
source: https://www.baeldung.com/cs/password-salt-pepper
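The following script is an added example, not code from either of the quoted sources, showing the two points above in working form: a per-user random salt stored in the clear next to the hash, a system-wide secret pepper folded into the password before a slow KDF runs, and why a pepper change can only be applied when the user presents the plaintext password again. The `PEPPER` constant, the record format `pbkdf2-sha256$<iterations>$<salt>$<hash>` and the function names are all assumptions made for this illustration; in a real deployment the pepper comes from an environment variable, a secrets manager or an HSM, never from the database.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical pepper, hard-coded here (constructed example value) only so the
# script runs offline. In production it lives outside the database: an
# environment variable, a secrets manager or an HSM.
PEPPER = bytes.fromhex("7c9e6679f4a5b1e8c2d3a4b5c6d7e8f9")

PBKDF2_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # 128-bit random salt per record


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Derive a 32-byte hash from (password, salt, pepper).

    The pepper is folded into the password with HMAC before the slow KDF
    runs, so the KDF input depends on a secret the database never holds.
    The salt is passed to PBKDF2 as its own parameter, as the KDF intends.
    """
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a storable record 'pbkdf2-sha256$<iters>$<salt-hex>$<hash-hex>'.

    A fresh salt is drawn on every call, so two identical passwords produce
    two different records. The salt is stored in the record in the clear;
    the pepper is deliberately NOT stored anywhere in the record.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, pepper)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Anyone holding only the record (hash + salt) but not the pepper gets a
    False here for the correct password too: the dump alone is not enough
    to check guesses offline.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2-sha256" or int(iters) != PBKDF2_ITERATIONS:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = _derive(password, salt, pepper)
    return hmac.compare_digest(candidate, expected)


def rotate_pepper_at_login(password: str, record: str,
                           old_pepper: bytes, new_pepper: bytes) -> Optional[str]:
    """Re-hash a record under a new pepper.

    This needs the plaintext password, which the server only sees while the
    user is logging in; the stored hash cannot be converted on its own.
    Returns the new record, or None if the password fails under the old pepper.
    """
    if not verify_password(password, record, old_pepper):
        return None
    return hash_password(password, new_pepper)


if __name__ == "__main__":
    pw = "correct horse battery staple"       # constructed sample password
    alice = hash_password(pw)
    bob = hash_password(pw)
    print("Same password, different records:", alice != bob)
    print("Correct password accepted:", verify_password(pw, alice))
    print("Wrong password rejected:", verify_password("Tr0ub4dor&3", alice))
    print("Correct guess without the pepper:", verify_password(pw, alice, pepper=b""))
    rotated = rotate_pepper_at_login(pw, alice, PEPPER, b"new-pepper-after-rotation")
    print("Rotated record verifies under new pepper only:",
          verify_password(pw, rotated, pepper=b"new-pepper-after-rotation"),
          verify_password(pw, rotated))
```

PBKDF2 is used above because it ships with every Python build; the cheat sheet linked below ranks Argon2id and scrypt ahead of it, and the same salt/pepper structure applies unchanged to those functions. Note that the pepper is applied with HMAC rather than by string concatenation, so an unusually long password cannot interact with the pepper in surprising ways, and that `hmac.compare_digest` is used for the final comparison to avoid leaking how many bytes of the hash matched.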
Further reading: Password Storage Cheat Sheet