
Salt and Pepper, please: a note on password storage - FiloSottile
https://filippo.io/salt-and-pepper/
======
akerl_
No. It's just as easy to actually use proper password storage
(bcrypt/scrypt/etc, as the article notes). Store passwords properly, and
there's no need to pad on "pepper" or whatever cute word is picked next.

~~~
FiloSottile
You understand that you add this _on top_ of bcrypt/scrypt/etc, don't you?
Have a look at the code.

Also, "pepper" is its name, and has been for a while.

Did I word the article that badly?

EDIT: "properly" does not mean absolute optimal, it's dangerous to think that
it's not possible to improve.

~~~
akerl_
If I'm using bcrypt or scrypt, adding the pepper buys me next to nothing. The
only case where the pepper improves security is if I'm not crypting the
passwords properly before storing them.

~~~
FiloSottile
I think I address this in the article.

If an attacker gets the DB dump of your "perfectly crypted" passwords, they
can still brute-force the easy ones (or sites would not tell users to change
passwords, no?) while with pepper it would be really impossible.
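As an added example (not code from the article or from either commenter), here is a pepper layered on top of scrypt the way the thread describes, using only Python's standard library. The PEPPER value is a constructed placeholder; in a real deployment it lives outside the database (config file, environment variable or secret store), which is exactly why a DB dump alone is not enough to verify guesses.

```python
import hashlib
import hmac
import os

# Constructed sample pepper for this demo. In production this secret is
# stored outside the database, so a leaked DB dump does not contain it.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SALT_LEN = 16
# Work-factor parameters for scrypt (16 MiB per hash with these values).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def _pepper_prehash(password: str, pepper: bytes) -> bytes:
    # Keyed prehash: the pepper enters as an HMAC key rather than by plain
    # concatenation, so it is bound to the password before the slow hash.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER, salt: bytes = b"") -> bytes:
    """Return salt || scrypt(HMAC(pepper, password), salt).

    Only this value is written to the database; the per-user salt is public,
    the pepper is not. Passing an explicit salt makes the output reproducible.
    """
    salt = salt or os.urandom(SALT_LEN)
    key = hashlib.scrypt(_pepper_prehash(password, pepper), salt=salt, **SCRYPT_PARAMS)
    return salt + key


def verify_password(password: str, stored: bytes, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash with the given pepper and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    key = hashlib.scrypt(_pepper_prehash(password, pepper), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    record = hash_password("password123")
    print("login with correct pepper:", verify_password("password123", record))
    # Someone holding only the DB dump (and hence no pepper) cannot confirm
    # even this trivially weak password, which is the thread's point.
    print("check without the pepper:", verify_password("password123", record, pepper=b""))
```

Rotating the pepper invalidates every stored hash at once, so a deployment that expects to rotate it must store a pepper version alongside the hash and re-hash on the user's next successful login.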

