Glossary
Pepper (Cryptography)
A pepper is a secret value added to passwords before hashing, kept outside the database so that a database-only breach cannot crack the stored hashes.
A pepper is a secret value mixed into the password before hashing (or applied to the resulting hash afterwards), much like a salt, but unlike a salt it is kept secret and stored outside the password database: in application configuration, a secrets manager, or a hardware security module (HSM).
The point is defense in depth: if an attacker steals only the database, they still lack the pepper and cannot mount an offline cracking attack against the hashes. A pepper is often applied by computing an HMAC of the password with the pepper as the key, then feeding the result into the password hash.
Trade-offs: a pepper is usually global (not per-user); it must be rotated carefully, because a stored hash cannot be re-peppered without the original password, so records typically migrate to a new pepper only as each user logs in; and it does not replace a salt or a slow work factor, it complements them. See password hashing done right for how salts, peppers, and KDFs fit together.
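The HMAC-then-KDF construction and the login-time rotation described above, as an added example (not code from this glossary); the pepper values, record layout and versioned pepper table are constructed for the demo, and PBKDF2 stands in for whatever KDF you use:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo secrets. In production the pepper comes from app config,
# a secrets manager or an HSM, never from the table that holds the hashes.
PEPPERS = {1: os.urandom(32), 2: os.urandom(32)}   # pepper version -> secret
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def _peppered(password: str, pepper: bytes) -> bytes:
    # Step 1: HMAC the password with the pepper as the key, so the pepper is a
    # keyed secret input rather than a string concatenated onto the password.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper_id: int, iterations: int = ITERATIONS) -> dict:
    # Step 2: feed the HMAC output into a slow, salted KDF. The per-user salt
    # and work factor are stored with the record; the pepper is not.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, PEPPERS[pepper_id]), salt, iterations)
    return {"pepper_id": pepper_id, "salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict, pepper: Optional[bytes] = None) -> bool:
    # The `pepper` override exists only to show what a database-only attacker
    # can do: they hold the record but have to guess the pepper as well.
    pepper = PEPPERS[record["pepper_id"]] if pepper is None else pepper
    candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def rotate_on_login(password: str, record: dict, new_pepper_id: int) -> dict:
    # A stored hash cannot be re-peppered without the plaintext, so rotation
    # happens per user at a successful login, under the old pepper first.
    if not verify_password(password, record):
        raise ValueError("bad password")
    return hash_password(password, new_pepper_id, record["iterations"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", pepper_id=1)
    assert verify_password("correct horse battery staple", rec)
    # With only the DB row, even the right password does not verify.
    assert not verify_password("correct horse battery staple", rec, pepper=b"\x00" * 32)
    rec2 = rotate_on_login("correct horse battery staple", rec, new_pepper_id=2)
    assert rec2["pepper_id"] == 2 and verify_password("correct horse battery staple", rec2)
    print("ok")
```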