Web application security: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 1: | Line 1: | ||
== Peppers == | == Peppers == | ||
Like salts, but global to the application. Don't bother with these, because: | Like salts, but global to the application (and only known to the application, not the database). Don't bother with these, because: | ||
* They provide limited extra 'security' | * They provide limited extra 'security' | ||
* You can't easily rotate the pepper as it is effectively embedded in password hashes etc. | * You can't easily rotate the pepper as it is effectively embedded in password hashes etc. | ||
If your passwords are salted, a pepper adds very little and causes extra maintenance and the problem of rotating keys. Also, on the vast majority of web applications - especially small ones - the application and database are on the same server anyway. | |||
== Articles == | == Articles == | ||
Revision as of 16:49, 8 April 2023
Peppers
Like salts, but global to the application (and only known to the application, not the database). Don't bother with these, because:
- They provide limited extra 'security'
- You can't easily rotate the pepper as it is effectively embedded in password hashes etc.
If your passwords are salted, a pepper adds very little and causes extra maintenance and the problem of rotating keys. Also, on the vast majority of web applications - especially small ones - the application and database are on the same server anyway.