Properly Salting Passwords, The Case Against Pepper

April 20, 2012

Anthony Ferrara, creator of the PHP PasswordLib library, just recently posted a discussion of using salts and pepper to improve the security of a stored password. Mostly, the article is a discussion of why a pepper is unnecessary (and if you don’t know what a “pepper” is, just read the article), but the posting also does a good job of explaining the purpose of a salt, and why the salt does not need to be a secret. The posting is relatively short, and is something I think everyone can benefit from reading.

The posting ends with the most important security fact:

Remember, the most dangerous kind of security is a false sense of it. Thinking you’ve made your application more secure, when in fact you’ve weakened it, is the worst thing you could possibly do.