Overview

A pepper is similar to a salt in that it is a string of characters added to a password before hashing. However, while a salt is unique to each user and stored in the database, a pepper is typically the same for all users and is stored in a separate, secure location (like a configuration file or an HSM).

Security Benefit

If an attacker gains access to the database, they will have the salts but not the pepper. This adds an extra layer of protection, as the attacker would need to compromise both the database and the application server to begin cracking hashes.

Implementation

Peppers are used together with salts rather than instead of them: the per-user salt is stored alongside the hash in the database, while the shared pepper is applied from a separate location, so an attacker needs both to verify a password guess against the stored hashes.
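The following is an added example, not code from the original page: it shows one common way to combine a per-user salt with an application-wide pepper. The pepper is mixed into the password with HMAC on the application side, and the result is then run through a salted, slow key-derivation function (PBKDF2 here) whose output and salt are what the database stores. Function names, the `PASSWORD_PEPPER` environment variable and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed work factor for the slow hash; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def load_pepper() -> bytes:
    """Fetch the pepper from outside the database (environment, config, HSM).

    The fallback value is a constructed demo string so the module runs offline;
    a real deployment would never ship a default pepper.
    """
    value = os.environ.get("PASSWORD_PEPPER", "demo-pepper-not-for-production")
    return value.encode("utf-8")


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password with HMAC. Only this digest reaches the
    # salted hash below, so nothing stored in the database reveals the pepper.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return the record to store in the database: salt, iterations and hash.

    The salt is generated fresh per user; the pepper is NOT part of the record.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute the hash from the stored salt and the live pepper and compare
    in constant time. Without the pepper the stored record cannot be checked."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt,
                                    record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pepper = load_pepper()
    record = hash_password("correct horse battery staple", pepper)
    print("stored record:", record)
    print("correct password:", verify_password("correct horse battery staple", pepper, record))
    print("wrong password:  ", verify_password("tr0ub4dor&3", pepper, record))
    # A database-only compromise gives the attacker the salt and hash but not
    # the pepper; with a different pepper the same password no longer verifies.
    print("wrong pepper:    ", verify_password("correct horse battery staple", b"other", record))
```

Two design points worth noting: the HMAC step means the pepper is combined with the password before the slow hash rather than appended as a string, so an overly long pepper cannot be truncated or mishandled by the KDF, and the iteration count is stored with each record so the work factor can be raised for new hashes without invalidating old ones.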

Related Terms