DEV Community


Discussion on: How to properly store a password in the Database

kalkwst profile image
Kostas Kalafatis

Nice write up!

You could also use a "pepper" in addition to the salt, in order to add an additional layer of protection.

The purpose of the pepper is to prevent an attacker from being able to crack any of the hashes if they only have access to the hash database.

You can hash your password as usual, and then encrypt the hashes using a symmetric key algorithm with the pepper playing the role of the encryption key, without affecting or interacting with the hash or the password itself in any way.

This will provide an additional layer of protection if the password database gets dumped, but also keep the passwords valid if the pepper is considered compromised.

Note that the pepper should not be stored in the database!

pazvanti profile image
pazvanti Author

Indeed, using a pepper is also a good idea. This does add a bit of extra work, so it may depend on the actual use-case of the app if it is worth it. Then again, hardware is quite cheap nowadays. Thanks for pointing it out.