@rootc0re@stay_salty_@LadyRed_6 But you need to store the pepper somewhere in order to add it to the password the user enters when they try and login - assuming you're not using a HSM, the peppers accessible to the app so is accessible to an attacker, just raises the bar a little (which is still good)