Passwords are the keys to user accounts. Proper protection transforms them into a form that is useless to attackers, even if the database is compromised. Here is a recipe to secure passwords using hash, salt, and pepper - the essential ingredients for keeping accounts safe.
Passwords alone are fragile ⛓️💥
Many people reuse passwords across multiple sites, so a single breach can have widespread consequences. Simple or common passwords are easy for attackers to guess, and stolen passwords can give direct access to user accounts.
To protect accounts effectively, additional measures must be applied to make passwords resilient against attacks.
To build strong password security, the following components are essential:
What it does: Turns a password into a secret code that cannot be reversed.
Example:
Password: apple123
Stored hash: $2b$10$N9qo8uLOickgx2ZMRZoMyeIjefO6JaPDmvvse.lX5C6P3UnPxGRu
✅ Why it's safer:
❌ Remaining risks:
Note: Use strong, adaptive (deliberately slow, tunable-cost) hashing algorithms such as PBKDF2, Argon2, bcrypt and scrypt, not general-purpose hashes.
What it does: Adds a unique random value to each password before hashing.
Example:
Password: apple123
Salt: blue
Stored hash: $2b$10$KmH8vN3pQ9wR2sT5uV7xYzA1bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU
Another user with the same password:
Salt: green
Stored hash: $2b$10$ZxY9wV8uT7sR6qP5oN4mL3kJ2iH1gF0eD9cB8aZ7yX6wV5uT4sR3q
✅ Why it's safer:
❌ Remaining risks:
Note: Store the salt with the hash in the database (usually in the same record). It does not need to be secret.
What it does: Adds a secret ingredient only the system knows, applied on top of the password + salt before hashing.
Example:
Password: apple123
Salt: blue
Pepper: !@#secret
Stored hash: $2b$10$FgH9iJ0kL1mN2oP3qR4sT5uV6wX7yZ8aB9cD0eF1gH2iJ3kL4mN5o
✅ Why it's safer:
❌ Remaining risks:
Note: Keep the pepper secret and separate from the database (environment variables, secure vaults, etc.).
Important: Changing the pepper requires re-hashing all passwords, so it should be rarely changed and carefully managed.
✅ What to store:
❌ What NOT to store:
Think of this step like plating your dish before serving - the “dish” (hash + salt) is safe to store and share, but the secret ingredients (pepper and original password) stay in the kitchen.
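The following Python example is added here to show the hash, salt and pepper steps above working together, plus the storage rule (salt beside the hash, pepper outside the database); it is not code from the original rule. It assumes PBKDF2-HMAC-SHA256 from the standard library, a pepper read from a hypothetical PASSWORD_PEPPER environment variable, and a constructed fallback pepper value for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Pepper: a secret the application knows but the database never stores.
# Load it from an environment variable or a secrets vault in production;
# the literal fallback below is a constructed placeholder for this example.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-not-for-production").encode()

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16       # a fresh random salt of this size per password


def _pre_hash(password: str, pepper: bytes) -> bytes:
    # Mix the pepper in with HMAC before the slow hash, so it is bound
    # cryptographically rather than just concatenated to the password.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _pre_hash(password, pepper), salt, ITERATIONS)
    # The stored record holds algorithm, cost, salt and hash. The pepper is NOT in it.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _pre_hash(password, pepper), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    first = hash_password("apple123")
    second = hash_password("apple123")
    print(first != second)                                   # same password, different salts
    print(verify_password("apple123", first))                # True
    print(verify_password("apple124", first))                # False
    print(verify_password("apple123", first, b"other"))      # False: a changed pepper breaks
                                                             # every existing hash (re-hash needed)
```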
The good news is that many modern authentication frameworks and services already take care of hashing, salting, and sometimes even pepper for you. This means you don’t have to handle all the details yourself. Examples include:
To learn more about those tools, see our rule: Do you choose the best authentication method for every situation?
Hash, salt, and pepper create layers of protection - like a recipe with secret ingredients - making it much harder for attackers to steal passwords.
The good news is that many modern authentication frameworks and services handle hashing, salting, and sometimes pepper automatically. This means you can rely on these tools to enforce strong password security without implementing every detail yourself.
But this doesn't mean easy or weak passwords are safe! Combining these layers with strong password choices and Multi-Factor Authentication is what truly keeps user accounts secure - see our rule Security - Do you have MFA (Multi-Factor Authentication) enabled?