In addition to the standard salting and hashing, they recommend using an additional key stored separately from the data.

> A keyed hash function (e.g., HMAC), with the key stored separately from the hashed authenticators (e.g., in a hardware security module) SHOULD be used to further resist dictionary attacks against the stored hashed authenticators.

I guess using a pepper is a better-than-nothing measure, if you don't have a hardware security module.
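
The quoted recommendation as an added Python example (not part of the original post): the password is salted and stretched with PBKDF2, then wrapped in HMAC-SHA-256 under a key kept apart from the stored record. The names `PEPPER_KEYS`, `hash_password` and `verify_password`, the iteration count, and the in-memory key are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumption: in a real deployment these keys live outside the credential
# store (HSM, KMS, separate secrets service). Constructed value for the demo.
PEPPER_KEYS = {"k1": bytes.fromhex("a7" * 32)}
ITERATIONS = 100_000  # example setting; tune to your own latency budget


def _stretch(password: str, salt: bytes) -> bytes:
    """Standard salted, iterated hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _keyed(key: bytes, stretched: bytes) -> bytes:
    """Keyed hash over the salted hash; useless to compute without the key."""
    return hmac.new(key, stretched, hashlib.sha256).digest()


def hash_password(password: str, key_id: str = "k1", keys=PEPPER_KEYS) -> dict:
    """Return the record that goes into the database. The key itself is
    never stored there, only its identifier (so keys can be rotated)."""
    salt = os.urandom(16)
    tag = _keyed(keys[key_id], _stretch(password, salt))
    return {"salt": salt.hex(), "key_id": key_id, "tag": tag.hex()}


def verify_password(password: str, record: dict, keys=PEPPER_KEYS) -> bool:
    """Recompute the keyed hash and compare in constant time."""
    key = keys.get(record["key_id"])
    if key is None:
        # Key unavailable: the record alone cannot confirm any guess.
        return False
    stretched = _stretch(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(_keyed(key, stretched), bytes.fromhex(record["tag"]))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("with key:     ", verify_password("correct horse battery staple", rec))
    # Same record and the right password, but no access to the key.
    print("without key:  ", verify_password("correct horse battery staple", rec, keys={}))
```

A leaked copy of the database contains only `salt`, `key_id` and `tag`, so the last call shows what the separation buys: even the correct password cannot be confirmed from the record alone.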