The Bitwarden Blog
Pepper for your password
Not all password manager entries are created equal. I have entries in my vault that are for LAN-based services (such as Portainer, Invoiceplane, Antsle, and more) that really do not require that much security. Why? Because they are on my LAN and only accessible from within my network. I have other entries that do require considerably more care, such as bank accounts, credit cards, and more.
Although I consider Bitwarden to be one of the most trustworthy and reliable password managers on the market, I still prefer not to leave certain crucial credentials as-is within my vault.
For those vault items that need serious care, I might opt to go the peppering route to give them an added layer of security. Although peppering is a very simple idea to implement, it does have a few implications that you must take into consideration.
Before we get into those implications, let's talk about what peppering actually is.
Peppering involves adding a string of characters to, or removing one from, a stored password entry. The string isn't part of the real password and is known only to you. There are two types of peppering:
Adding a pepper - the stored entry leaves the pepper out; you add it when the password is used.
Subtracting a pepper - the stored entry includes the pepper; you remove it when the password is used.
Here are two examples:
Adding a pepper - The password stored in the password manager is 5e$d#WRtin9cZe and your pepper is B6F#o. The password plus the pepper is 5e$d#WRtin9cZeB6F#o, which is the full password you actually use.
Removing a pepper - The password is stored in the password manager along with the pepper, as 5e$d#WRtin9cZeB6F#o. With the pepper removed, the password you actually use is 5e$d#WRtin9cZe.
If you're not using really strong passwords (such as those that are created by the Bitwarden random password generator), this won't work as well as expected.
Continuing with the example above, you know that B6F#o is your pepper, so you simply either strip those characters from the string (for removing a pepper) or add them to the string (for adding a pepper) before you use the password.
What's important here is that your peppering string is consistent. The idea is that you know the phrase, can easily spot it in a stored password, and can remove or add it when needed.
This, of course, brings up one of the first issues. If you add or remove your peppering string to every password, anyone with a moderately keen eye and intellect will be able to spot the pattern and figure out what you're doing. To that end, you only want to use your peppering phrase within those passwords that require added security—so things like bank accounts, government accounts, etc.
The next caveat of using pepper phrases is that it kind of defeats the auto-fill feature. If you depend heavily on auto-fill (such as by way of the browser extension), you'll either have to view the password and delete or add the pepper or know exactly where the pepper lives within the password and delete it from the obfuscated password. That can be easily done if you add your peppering phrase to the end of your password. Knowing the peppering phrase is four characters, you know you only have to delete those last four characters.
That also brings up another point. You can also use random four-character strings for peppering (each string being different for each password) and append them to the end of your password. That way, you know all you have to do is delete the last four characters of any password before using it.
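To make both modes and the fixed-length suffix concrete, here is an added Python example (not from the post and not Bitwarden's code) built on the post's example values. `FakeService` is a hypothetical stand-in for a remote site that stores only a salted hash of the real password, so the example can show that the value sitting in the vault fails to log in on its own.

```python
import hashlib
import hmac
import os

# Example values from the post: the vault entry and the pepper.
VAULT_PASSWORD = "5e$d#WRtin9cZe"
PEPPER = "B6F#o"


def add_pepper(stored: str, pepper: str) -> str:
    """'Adding a pepper': the vault holds the password minus the pepper."""
    return stored + pepper


def subtract_pepper(stored: str, pepper: str) -> str:
    """'Subtracting a pepper': the vault holds password + pepper. A typo in
    the pepper (e.g. 'B6F#0' for 'B6F#o') raises rather than returning junk."""
    if not stored.endswith(pepper):
        raise ValueError("stored entry does not end with the expected pepper")
    return stored[: -len(pepper)]


def strip_suffix(stored: str, length: int) -> str:
    """Fixed-length variant: a different random suffix per entry, always
    `length` characters long, so you always drop the last N characters."""
    if len(stored) <= length:
        raise ValueError("stored entry is not longer than the pepper")
    return stored[:-length]


class FakeService:
    """Hypothetical stand-in for a remote site: stores only a salted
    PBKDF2 hash of the real (peppered) password."""

    def __init__(self, real_password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(real_password)

    def _hash(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def login(self, attempt: str) -> bool:
        return hmac.compare_digest(self.digest, self._hash(attempt))


def demo() -> dict:
    """The value sitting in the vault does not log in by itself."""
    full = add_pepper(VAULT_PASSWORD, PEPPER)
    svc = FakeService(full)
    return {"peppered": svc.login(full), "vault_only": svc.login(VAULT_PASSWORD),
            "round_trip": subtract_pepper(full, PEPPER) == VAULT_PASSWORD}
```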
Peppering is a great way to keep your passwords from being used against you if they do wind up in the wrong hands. If you've peppered your passwords with random strings of characters (that aren't part of the real password), any attempt to use the stored values will fail unless the peppering string is added or removed as appropriate.