Adding a pepper
There is only so much we can do to stop our users from using simple passwords. We should always have a policy for what constitutes a good password (minimum length, a mixture of case, the addition of symbols, and so on), but usability suffers the more complex the password requirements get. Adding a pepper, however, helps to slow an attacker down: the pepper (or peppers) is a secret known to the application, but it is not stored in the database alongside the password hash and salt. It can be hardcoded into the application code, supplied as launch configuration, or stored in a secure vault that is read at runtime. In the same way that we appended the salt to the user's password before hashing, we also append the pepper. Because an attacker who has only the database rows does not have the pepper, they cannot even test a candidate password against a leaked hash without first recovering the pepper as well. Should the database tables become compromised due to a SQL injection ...