A pepper or secret salt in cryptographic terms means “a secret added to an input such as a password during hashing with a cryptographic function” that is not stored with the hash itself.
Phani Karen wrote an article recently advocating using this method (which he refers to as “double-blind” and “horcruxing” for some reason) to increase the security of passwords stored in a password manager.
Karen’s recommendation goes something like this.
- Select an arbitrary (ideally random) short word or phrase. Let’s use kraken, for example.
- When you set up a password on an account, the password takes the form of password–kraken (where password is a randomly generated password or passphrase).
- In your password manager, you only store password.
- So when you revisit the site, you copy password and then manually append -kraken
The claimed advantage of doing this is that if your password manager is ever compromised, your accounts are still safe unless someone is able to guess the -kraken password stem that is not stored in the password manager.
Karan refers to this as implementing a defense in depth approach, where multiple security layers are used to mitigate damage.
I would not recommend this approach for a number of reasons.
First, it increases the pieces of information you need to know to use your password manager. Currently, I need to know my username and password to access my accounts using Bitwarden. A system like this adds a third piece of information I need to memorize.
Maybe for the intended audience, that’s not a big deal, but given how many people struggle to understand and use a password manager in the first place, anything that adds more friction to that process is to be avoided.
Second, this is exacerbated by the fact that it would likely prove difficult to keep the secret salt secret for very long.
Currently, I have about 300 accounts stored in Bitwarden, all with unique passwords. Suppose I had been adding a secret salt to my passwords for the last 5 years. In that time, about 6 of the accounts that I have were part of public breaches.
I quickly changed those passwords once I was aware of the breach. Still, if I had been using a secret salt, anyone who breached my Bitwarden account would easily be able to go back and find one of those outdated, unused passwords and quickly see a secret salt pattern in there.
The only way to guarantee my secret salt stayed secret would be to change that salt every time I was aware of a public breach, which would mean updating hundreds of uncompromised accounts, which turns my password system’s complexity up to 11.