Zenkey.click
Updated: March 21, 2026

What are salt and pepper in password hashes?

Salt and Pepper are additional protection mechanisms for password hashes. They make mass attacks more difficult and improve resilience in the event of leaks.

What Salt does

Salt is an additional value that is introduced per password or per user before the hash is calculated. This means that identical passwords do not automatically generate the same hash values.

This makes pre-calculated tables and mass comparisons significantly less effective.

How Pepper is different

  • Pepper is typically an additional secret value outside of the actual password database.
  • It is intended to prevent a pure database theft from being sufficient to attack all hashes equally well.
  • Pepper complements salt, but does not replace it.
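
An added example (not part of the original article) showing both mechanisms together in Python: a random per-user salt stored next to the hash, and a pepper applied as an HMAC key that is kept outside the database. The choice of scrypt and its parameters, HMAC-SHA-256 for the pepper step, and all function and variable names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo value. Assumption: in a real deployment the pepper is loaded
# from a secret store or HSM, never from the password database.
DEMO_PEPPER = b"constructed-demo-pepper-not-for-production"


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper step: key an HMAC with the secret, so the KDF input cannot be
    # reproduced from database contents alone.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt step: the per-user salt goes into the slow, memory-hard KDF.
    return hashlib.scrypt(peppered, salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, pepper: bytes = DEMO_PEPPER) -> dict:
    """Return the record stored in the database: salt and hash, no pepper."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    return {"salt": salt.hex(), "hash": _derive(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper: bytes = DEMO_PEPPER) -> bool:
    candidate = _derive(password, bytes.fromhex(record["salt"]), pepper)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    print("login with right password:", verify_password("correct horse battery staple", alice))
    # Someone holding only the database rows lacks the pepper, so even a
    # correct password guess does not verify against the stolen hash.
    print("guess without the pepper:", verify_password("correct horse battery staple", alice, pepper=b"unknown"))
```

The stored record contains only the salt and the hash; losing or rotating the pepper invalidates every stored hash, which is why the checklist ties pepper to key management.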

Why this matters in real leaks

Hashing without salt is no longer sufficient. Even when the hashing method has been chosen correctly, salt, and often pepper as well, increases resistance to systematic analysis of leaked hashes.

For users, one point still holds: strong and unique passwords are the first layer of defense.

Quick checklist

The most important actions from this guide in compact form.

  • When developing, treat salt as a basic requirement.
  • Only use Pepper with clean key management.
  • Don't assume that good server storage compensates for bad user passwords.
