Edit - Information Security Stack Exchange

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

Rev

1

I would argue that if adding a pepper means append the pepper directly to the password and then hash it. It's useless and Dave's bad algo wins under this situation.

Rick
– Rick

2019-07-01 11:41:42 +00:00
Commented Jul 1, 2019 at 11:41
1

@Rick Why would it be useless?

Anders
– Anders

2019-07-01 11:44:47 +00:00
Commented Jul 1, 2019 at 11:44
8

@Rick Yes, a pepper should be secret, and not stored in the database. So it is protecting against exactly the situation you describe - database leaked, code not leaked. That is what a pepper is for, so you can't compare it to increasing the length of the salt.

Anders
– Anders

2019-07-01 11:51:47 +00:00
Commented Jul 1, 2019 at 11:51
1

@Rick I'm not taking any position on how to mix in the pepper - that is outside the scope of this quesiton.

Anders
– Anders

2019-07-01 11:53:29 +00:00
Commented Jul 1, 2019 at 11:53
1

@Rick Question remains: Why would a pepper be useless?

Anders
– Anders

2019-07-01 11:53:58 +00:00
Commented Jul 1, 2019 at 11:53

| Show 2 more comments

Correct minor typos or mistakes
Clarify meaning without changing it
Add related resources or links
Always respect the author’s intent
Don’t use edits to reply to the author