@rootc0re @stay_salty_ @LadyRed_6 But you need to store the pepper somewhere in order to add it to the password the user enters when they try and login - assuming you're not using a HSM, the peppers accessible to the app so is accessible to an attacker, just raises the bar a little (which is still good)