Pepper (cryptography)

This value differs from a salt in that it is not stored alongside the password hash; instead the pepper is kept separately in some other medium, such as a Hardware Security Module.[1]

Note that the National Institute of Standards and Technology refers to this value as a secret key rather than a pepper.

It is like a salt in that it is a randomized value added to a password hash, and it is similar to an encryption key in that it must be kept secret.[2]

A pepper should be long enough to remain secret against brute-force attempts to discover it (NIST recommends at least 112 bits).[8]

This usage did not immediately catch on: for example, Fred Wenzel added support to Django password hashing for storage based on a combination of bcrypt and HMAC with separately stored nonces, without using the term.
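The "HMAC with a separately stored secret, then a salted password hash" construction mentioned above, written out as an added example (not code from the article, from NIST, or from Django). Names such as `prehash`, `hash_password`, `verify_password` and the `PEPPER_*` constants are assumptions for illustration; the peppers are constructed values of 128 bits, above NIST's 112-bit floor, and in practice would be loaded from an HSM or secrets store rather than hard-coded. It uses only the Python standard library (`hmac` for the pepper step, `pbkdf2_hmac` standing in for a memory-hard hash such as bcrypt) and also shows the cross-database point: the same password and salt under different peppers give unrelated hashes.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed 128-bit peppers for two separate applications. In a real deployment the
# pepper lives outside the database (HSM, KMS, environment of the app server), and the
# stored record never contains it.
PEPPER_APP_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PEPPER_APP_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")

PBKDF2_ITERATIONS = 100_000  # stand-in cost parameter; use bcrypt/scrypt/Argon2 in production


def prehash(password: str, pepper: bytes) -> bytes:
    """Keyed step: HMAC-SHA256 of the password under the secret pepper.

    Without the pepper an attacker holding the database cannot even compute the
    input to the salted hash, so offline guessing is blocked outright.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return the record to store: per-user random salt plus the salted hash.

    The pepper is deliberately absent from the returned record.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", prehash(password, pepper), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, pepper: bytes, record: Dict[str, str]) -> bool:
    """Recompute the hash with the application's pepper and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", prehash(password, pepper), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(actual, expected)


def hashes_reusable_across_apps(password: str, salt: bytes, pepper_a: bytes, pepper_b: bytes) -> bool:
    """True only if the same password+salt yields the same stored hash under both peppers.

    Returns False for distinct peppers, which is why a leaked hash from one
    application cannot be matched against another application's database.
    """
    rec_a = hash_password(password, pepper_a, salt)
    rec_b = hash_password(password, pepper_b, salt)
    return rec_a["hash"] == rec_b["hash"]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", PEPPER_APP_A)
    print("stored record (no pepper inside):", record)
    print("verify with right pepper:", verify_password("correct horse battery staple", PEPPER_APP_A, record))
    print("verify with wrong pepper:", verify_password("correct horse battery staple", PEPPER_APP_B, record))
    print("hash reusable across apps:", hashes_reusable_across_apps(
        "correct horse battery staple", bytes(16), PEPPER_APP_A, PEPPER_APP_B))
```

The record holds only `salt` and `hash`; losing the database alone gives an attacker nothing to guess against, because every guess would also require the pepper. Rotating the pepper, however, invalidates every stored hash, so real deployments version the pepper or re-hash on next successful login.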

Since a pepper is not shared between different applications, an attacker cannot reuse the hashes from one compromised database against another.