Yes, but the pepper still must be brute-forced, and doing so requires that each attempt be run through bcrypt.

If you store the user_salt and the output of bcrypt(code_pepper + known_pass + user_salt) in your DB, guessing the pepper requires comparing the bcrypt() output of every random pepper. You are as unlikely to brute-force it as the plaintext password of other users.

This type of pepper is essentially a mechanism for key stretching [1].

[1] http://en.m.wikipedia.org/wiki/Key_stretching
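The construction the comment describes, as an added example (not code from the comment's author): the per-user salt and the hash go in the database, the pepper lives only in application code or config, and verification with any other pepper fails. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so it runs without third-party packages; the iteration count and the sample pepper are constructed values.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library. The shape
# is the one from the comment, KDF(pepper || password || salt), with the salt
# stored beside the hash and the pepper kept out of the database entirely.
KDF_ITERATIONS = 50_000  # constructed cost value; tune to your hardware
SALT_BYTES = 16


def stretch(pepper: bytes, password: bytes, salt: bytes) -> bytes:
    """Slow hash over pepper || password || salt.

    Each guess at the pepper (or the password) costs one full KDF run, which is
    the key-stretching effect the comment refers to.
    """
    return hashlib.pbkdf2_hmac("sha256", pepper + password + salt, salt, KDF_ITERATIONS)


def create_record(pepper: bytes, password: str) -> dict:
    """Build the per-user row that is safe to persist: random salt plus hash.

    The pepper is an input here but is deliberately not part of the record.
    """
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": stretch(pepper, password.encode("utf-8"), salt)}


def verify(pepper: bytes, password: str, record: dict) -> bool:
    """Recompute the hash with the application's pepper and compare in constant time."""
    candidate = stretch(pepper, password.encode("utf-8"), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    APP_PEPPER = b"constructed-secret-pepper-kept-in-code"  # constructed sample
    row = create_record(APP_PEPPER, "correct horse battery staple")
    print("stored salt:", row["salt"].hex())
    print("stored hash:", row["hash"].hex())
    print("right pepper, right password:", verify(APP_PEPPER, "correct horse battery staple", row))
    # A leaked row plus a known password still does not verify without the pepper.
    print("wrong pepper, right password:", verify(b"guess", "correct horse battery staple", row))
```

If you use real bcrypt instead of the stand-in, keep pepper + password + salt under bcrypt's 72-byte input limit, since anything past that is silently ignored.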