
Best Practices: Salting & peppering passwords?


I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like:

hash_function($salt.hash_function($pepper.$password)) [multiple iterations]

Ignoring the chosen hash algorithm (I want this to be a discussion of salts & peppers and not specific algorithms but I'm using a secure one), is this a secure option or should I be doing something different? For those unfamiliar with the terms:

Is there anything I'm missing and is salting & peppering my passwords the best option to protect my users' security? Is there any potential security flaw to doing it this way?

Note: Assume for the purpose of the discussion that the application & database are stored on separate machines, do not share passwords etc. so a breach of the database server does not automatically mean a breach of the application server.


Solution

  • Ok. Seeing as I need to write about this over and over, I'll do one last canonical answer on pepper alone.

    The Apparent Upside Of Peppers

    It seems quite obvious that peppers should make hash functions more secure. I mean, if the attacker only gets your database, then your users' passwords should be secure, right? Seems logical, right?

    That's why so many people believe that peppers are a good idea. It "makes sense".

    The Reality Of Peppers

    In the security and cryptography realms, "make sense" isn't enough. Something has to be provable and make sense in order for it to be considered secure. Additionally, it has to be implementable in a maintainable way. The most secure system that can't be maintained is considered insecure (because if any part of that security breaks down, the entire system falls apart).

    And peppers fit neither the provable nor the maintainable models...

    Theoretical Problems With Peppers

    Now that we've set the stage, let's look at what's wrong with peppers.

    Significant Problems With Peppers

    The Better Way

    So, out of all the problems detailed above, there are two ways of handling the situation.

    TL/DR

    Don't use peppers. There are a host of problems with them, and there are two better ways: not using any server-side secret (yes, it's ok) and encrypting the output hash using a block cipher prior to storage.
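
The second option from the TL/DR (hash with a per-user salt, then encrypt the resulting hash before storage), as an added example that is not part of the original answer. The function names, the choice of bcrypt via `password_hash()` and AES-256-GCM, and the record layout are assumptions made for illustration. It also shows that the key can be rotated without knowing any user's password, which a pepper mixed into the hash input does not allow.

```php
<?php
// Added example. Assumption: the key is loaded from the application server or a KMS, never the database.
const CIPHER = 'aes-256-gcm';

function encrypt_hash(string $hash, string $key): string
{
    $iv = random_bytes(12); // fresh 96-bit nonce for every record
    $tag = '';
    $ct = openssl_encrypt($hash, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt_hash(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null; // malformed record
    }
    // Layout: 12-byte nonce | 16-byte GCM tag | ciphertext
    $hash = openssl_decrypt(substr($raw, 28), CIPHER, $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    return $hash === false ? null : $hash; // false: wrong key or tampered record
}

function store_password(string $password, string $key): string
{
    // password_hash() generates the per-user salt and embeds it in its output.
    return encrypt_hash(password_hash($password, PASSWORD_BCRYPT), $key);
}

function verify_password(string $password, string $stored, string $key): bool
{
    $hash = decrypt_hash($stored, $key);
    return $hash !== null && password_verify($password, $hash);
}

// Re-encrypt a record under a new key; the user's password is not needed.
function rotate_key(string $stored, string $oldKey, string $newKey): ?string
{
    $hash = decrypt_hash($stored, $oldKey);
    return $hash === null ? null : encrypt_hash($hash, $newKey);
}

[$old, $new] = [random_bytes(32), random_bytes(32)]; // constructed demo keys
$record = rotate_key(store_password('constructed-demo-password', $old), $old, $new);
var_dump(verify_password('constructed-demo-password', $record, $new));
var_dump(verify_password('constructed-demo-password', $record, $old));
```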