Memorized peppers are one of the oldest 2FA tricks up the sleeves of password manager users.
The Good
As long as you had a few 8- to 12-character peppers memorized and manually added to autofilled passwords, you had some assurances against a leaked master password.
The Bad and the Ugly
However, with the ongoing wide adoption of passkeys, that is no longer the case because:
- As an offline password manager user, your leaked master password and a copy of your password database would grant attackers access to your stored passkeys and therefore your online accounts, unless you've set up an alternative 2FA method for the database.
  The same applies to cloud-based password manager users, except that instead of the password database file an attacker would need the password manager's URL and username in addition to the master password.
- Unlike passwords, where the user has total control over the generation process, you don't get to generate passkeys manually.
- Each passkey is unique, and it would be quite a hassle to (1) memorize a section of each key and (2) manually add the memorized fragment back to the private key before every login to a passkey service.
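To make the threat model concrete, here is an added simulation (not code from the original post) of what a leaked vault buys an attacker for a peppered password versus a stored passkey. The vault contents, the pepper, and the site names are constructed; the passkey site uses an HMAC challenge-response as a stand-in for the real asymmetric signature, since the only point being shown is that the vault alone holds everything needed.

```python
import hashlib
import hmac
import os

# Constructed sample values: the memorized pepper and a vault that holds a
# site password (pepper deliberately absent) and a passkey credential.
PEPPER = "k3!Qz-9p"
VAULT = {
    "shop.example": {"password": "Xv7$lkdj2938fhA"},
    "bank.example": {"passkey_secret": os.urandom(32)},
}
ITERATIONS = 100_000

def site_register_password(full_password: str) -> dict:
    """Password site: keep a salt and the PBKDF2 hash of password + pepper."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def site_verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def site_verify_passkey(credential: bytes, challenge: bytes, response: bytes) -> bool:
    """Passkey site: challenge-response keyed by the vault-held credential.
    Real passkeys sign the challenge with an asymmetric key; HMAC stands in here."""
    expected = hmac.new(credential, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)

# Server-side records after the user enrolled at both sites.
RECORDS = {
    "shop.example": site_register_password(VAULT["shop.example"]["password"] + PEPPER),
    "bank.example": VAULT["bank.example"]["passkey_secret"],
}

def owner_login(vault: dict, records: dict, pepper: str) -> bool:
    """The legitimate user autofills the password, then types the memorized pepper."""
    return site_verify_password(records["shop.example"], vault["shop.example"]["password"] + pepper)

def attacker_with_vault(vault: dict, records: dict) -> dict:
    """Leaked master password plus a copy of the vault, but no memorized pepper."""
    pw_attempt = vault["shop.example"]["password"]  # nothing to append
    challenge = os.urandom(32)  # issued by the passkey site
    response = hmac.new(vault["bank.example"]["passkey_secret"], challenge, "sha256").digest()
    return {
        "shop.example": site_verify_password(records["shop.example"], pw_attempt),
        "bank.example": site_verify_passkey(records["bank.example"], challenge, response),
    }
```

The peppered password login fails without the memorized fragment, while the passkey login succeeds with nothing but the vault contents.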
Am I saying you shouldn't adopt passkeys?
Hell no, passkeys are awesome!
This post is aimed at pointing out that memorizing your password pepper for website X might be futile if you have saved passkeys for website X in the same password vault/database.
What you should do instead...
Consider adding an alternative 2FA method such as a key file or TOTP to your password manager. If you aren't using passkeys for a given platform (yet), then manually adding a pepper to its autofilled password can still serve as a third authentication factor.
Do you still memorize your password peppers? Am I maybe overreacting because I'm paranoid? What do you think about passkeys? Will you finally stop memorizing password peppers? Tell me all about it in the comments section!