...
The pepper is a secret, application-wide random byte array that is used to initialize the underlying HMAC before hashing. This ensures that an attacker cannot crack the password hashes without also compromising the pepper value. A pepper strategy is very powerful if done right, but it demands a strong policy for storing and securing the pepper data.
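The following added example (not code from the original page or the library it describes) shows one common way to apply a pepper: key an HMAC with it, then run the result through a salted slow hash. The function names, the use of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def hash_password(password: str, pepper: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored per user."""
    if len(pepper) < 32:
        raise ValueError("pepper must be at least 32 random bytes")
    if salt is None:
        salt = secrets.token_bytes(16)  # per-user, stored next to the digest
    # Step 1: HMAC keyed with the application-wide pepper (never stored in the DB).
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Step 2: salted slow hash of the peppered value.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, pepper: bytes,
                    salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def demo() -> dict:
    # Constructed pepper; a real deployment loads it from a secret store,
    # kept separate from the password database.
    pepper = secrets.token_bytes(32)
    salt, stored = hash_password("correct horse", pepper)
    return {
        "right_pepper": verify_password("correct horse", pepper, salt, stored),
        "wrong_password": verify_password("wrong", pepper, salt, stored),
        # Database dump only: even the correct password does not verify
        # when the pepper is unknown.
        "guess_without_pepper": verify_password(
            "correct horse", secrets.token_bytes(32), salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

Because the pepper is application-wide, changing it invalidates every stored digest, so any rotation plan has to be part of the storage policy.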
...