A secret value mixed into the password during hashing and kept outside the database (e.g. in application config). Even if the database leaks, attackers cannot verify password guesses without the pepper. Modern algorithms such as Argon2 accept the pepper as an explicit secret-key argument. Appending the pepper to the password before bcrypt (as Devise does) is insecure because bcrypt silently uses only the first 72 bytes of its input: a long password pushes the pepper past that cutoff, so only part of it (or none of it) affects the hash, which enables byte-by-byte pepper leakage.
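The following is an added example, not code from Devise or from the page above. It contrasts the append-then-hash construction with a keyed pre-hash, and includes a defender's check that counts how many pepper bytes actually influence the stored hash. The bcrypt library is not assumed to be installed, so `slow_hash` is a labelled stand-in that reproduces bcrypt's 72-byte truncation on top of a cheap PBKDF2; all function names here are hypothetical.

```python
import hashlib
import hmac

# bcrypt uses at most the first 72 bytes of its input; later bytes are ignored.
BCRYPT_INPUT_LIMIT = 72


def slow_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (assumption: real code would call bcrypt itself).

    It models the one property under study, the 72-byte truncation, and then
    applies a deliberately low-cost PBKDF2 so the example runs quickly.
    """
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_INPUT_LIMIT], salt, 1000)


def hash_append(password: bytes, pepper: bytes, salt: bytes) -> bytes:
    """Append construction: pepper is concatenated after the password.

    If len(password) + len(pepper) exceeds 72, the tail of the pepper is cut off.
    """
    return slow_hash(password + pepper, salt)


def hash_prehash(password: bytes, pepper: bytes, salt: bytes) -> bytes:
    """Keyed pre-hash: HMAC-SHA256(pepper, password) is always 32 bytes,
    so every pepper byte influences the result regardless of password length.
    """
    return slow_hash(hmac.new(pepper, password, hashlib.sha256).digest(), salt)


def pepper_bytes_in_effect(scheme, password: bytes, pepper: bytes, salt: bytes) -> int:
    """Defender's check: how many pepper bytes actually change the stored hash?

    Flip each pepper byte in turn and count the positions where the output
    moves. A healthy scheme returns len(pepper) for every password length.
    """
    baseline = scheme(password, pepper, salt)
    effective = 0
    for i in range(len(pepper)):
        mutated = pepper[:i] + bytes([pepper[i] ^ 0x01]) + pepper[i + 1:]
        if scheme(password, mutated, salt) != baseline:
            effective += 1
    return effective


if __name__ == "__main__":
    # Constructed sample values; a real pepper comes from application config.
    pepper = b"0123456789abcdef"   # 16 bytes
    salt = b"constructed-salt"
    for length in (56, 71, 72):
        pw = b"a" * length
        print(f"password length {length}: append -> "
              f"{pepper_bytes_in_effect(hash_append, pw, pepper, salt)} pepper bytes in effect, "
              f"prehash -> {pepper_bytes_in_effect(hash_prehash, pw, pepper, salt)}")
```

With a 16-byte pepper, the append construction keeps all 16 bytes in play only while the password is 56 bytes or shorter; at 71 bytes a single pepper byte remains, and at 72 bytes the pepper has no effect on the hash at all. The HMAC pre-hash keeps all 16 bytes in effect at every length, which is the property a pepper is supposed to provide.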