
Allow setting of shared secret (pepper) for password storage #18299

@oli-scs

Description


Expected Behavior

When using the Password4j password encoders, I can optionally provide a shared secret/pepper that is then used as the pepper in the Password4j library (and therefore is not part of the stored hash value).

Current Behavior

Currently, it is not possible to use a shared secret pepper with Spring Security's default password encoders. To use a pepper, one must write a custom password encoder.

Context

We are building a system where we want a shared secret/pepper, as described in the OWASP Password Storage Cheat Sheet. Since logins are distributed across multiple devices, including offline devices, we would like to provide a shared secret/pepper to the application through another secure means so it can be used in the password storage process.
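The custom encoder the issue refers to, written out as an added example (it is not code from the issue author or from Spring Security). It implements Spring Security's `PasswordEncoder` interface on top of Password4j's hash/check builders, mixing in a pepper that is held only in memory and never written into the stored hash string. The class name `PepperedArgon2PasswordEncoder`, the `PASSWORD_PEPPER` environment variable and the Argon2id parameters are assumptions for illustration; a real deployment would load the pepper from whatever secure channel delivers it to the (possibly offline) device and tune the cost parameters for that hardware.

```java
import com.password4j.Argon2Function;
import com.password4j.Hash;
import com.password4j.Password;
import com.password4j.types.Argon2;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical PasswordEncoder (not part of Spring Security) that applies a
 * shared secret (pepper) through Password4j. The per-user salt is embedded in
 * the encoded string as usual; the pepper is not, so a leaked credential
 * table cannot be cracked offline without also obtaining the pepper.
 */
public final class PepperedArgon2PasswordEncoder implements PasswordEncoder {

    // Illustrative Argon2id parameters: memory (KiB), iterations,
    // parallelism, output length in bytes. Tune for the target hardware.
    private static final Argon2Function ARGON2 =
            Argon2Function.getInstance(19_456, 2, 1, 32, Argon2.ID);

    private final CharSequence pepper;

    public PepperedArgon2PasswordEncoder(CharSequence pepper) {
        if (pepper == null || pepper.length() == 0) {
            throw new IllegalArgumentException("pepper must be supplied out of band");
        }
        this.pepper = pepper;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        Hash hash = Password.hash(rawPassword)
                .addRandomSalt()     // salt is stored inside the encoded string
                .addPepper(pepper)   // pepper is mixed in but never stored
                .with(ARGON2);
        return hash.getResult();
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (encodedPassword == null || encodedPassword.isEmpty()) {
            return false;
        }
        // The same pepper must be supplied at check time; without it the
        // comparison fails even for the correct password.
        return Password.check(rawPassword, encodedPassword)
                .addPepper(pepper)
                .with(ARGON2);
    }

    public static void main(String[] args) {
        // Constructed sample values. In production the pepper comes from a
        // secret manager or a provisioning channel, never from source code.
        String pepper = System.getenv().getOrDefault(
                "PASSWORD_PEPPER", "example-pepper-not-for-production");
        PasswordEncoder encoder = new PepperedArgon2PasswordEncoder(pepper);

        String stored = encoder.encode("correct horse battery staple");
        System.out.println("stored hash:          " + stored);
        System.out.println("correct pw, same pepper: "
                + encoder.matches("correct horse battery staple", stored));
        System.out.println("wrong pw, same pepper:   "
                + encoder.matches("wrong password", stored));

        // The same stored hash checked by a node holding a different pepper
        // must fail: this is the failure mode to plan for when distributing
        // the pepper to offline devices or rotating it.
        PasswordEncoder otherNode = new PepperedArgon2PasswordEncoder("different-pepper");
        System.out.println("correct pw, other pepper: "
                + otherNode.matches("correct horse battery staple", stored));
    }
}
```

Two operational points follow from the code. Every device that verifies logins needs the identical pepper, so the distribution mechanism mentioned in the issue is part of the security boundary, and a pepper change invalidates all stored hashes unless users are re-hashed on their next successful login with the old pepper still available for verification.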
