Why you should pepper your passwords and how to do it
Most likely you are already using a password manager (if not, please get one and don't reuse your passwords), but have you ever through what happens when your password manager gets breached and how you can mitigate such risk?
Here comes peppering to help you. Whenever you don't trust your password manager or want an extra layer of security. Peppering has many names, such as a “secret salt” or “salting“. Or we can keep it simple and call it “password splitting”.
Peppering rules
Before you start peppering your passwords you need to follow these rules:
- Pepper only important passwords (bank, email, messengers, etc).
- Your pepper should blend well with generated passwords.
- Don't use website names as your pepper.
- Try to avoid creating multiple peppers. Use one.
How to pepper your passwords
Add pepper at the end of your passwords. If you are using randomly generated passwords such as "EaqbrfbX6KA7" you can just add a simple PIN that won't stand out, for example "wu30".
If you are using a passphrase, like "leverage-viper-scallion", you can just add "bobcat", or any other word, that you will remember.
To put it into practice, you need to save your passwords without pepper in your password manager. Add your pepper manually whenever trying to sign in on the website.
Benefits of peppering your passwords
- No need to trust your password manager.
- Most important passwords will be safe if someone accesses your password manager or manages to hack the master password. Hackers will think that you already changed passwords.
- Peppering can protect you from apps, which use clipboard snooping or have access to your clipboard. It protects you because you copy/paste your password without your pepper.
Downsides of peppering your passwords
- It will require more manual work.
- Modern password managers can search for your passwords in data breaches and inform you what you need to change the password.
Frequently asked questions
Q: Which password manager does Xeovo recommend?
A: We won't mention any brands here. Preferably choose open source and audited password manager.
Q: Does peppering replace 2FA?
A: No. It was never meant to replace it. Always use 2FA, if possible.
Q: What if my pepper leaks?
A: This scenario is unlikely to happen. You are still safe because no one knows the first generated part. Just don't pepper your passwords for every website you use.
Silence censorship. Protect your privacy and bypass restrictions with Xeovo VPN. Starting from 2,99€/mo.