jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License
1.67k stars 95 forks

Add configuration for setting argon2 secret #264

Closed janko closed 1 year ago

janko commented 1 year ago

This allows using argon2's built-in password peppering, and avoids having to use the password_pepper feature.

We also add a security warning for bcrypt, where not having a maximum bytesize limit for passwords enables an attacker to crack the password pepper, due to bcrypt truncating passwords longer than 72 bytes. The attack consists of setting a 71-byte password, then attempting to log in with a password of 72 bytes, changing the last byte until the login succeeds (secret keys are usually alphanumeric strings, so there aren't that many possibilities). In that case, the last byte is the first byte of the pepper. Then rinse-and-repeat until the attacker obtains the whole pepper. I found this out from @rafalrothenberger's recent talk.
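The truncation problem described above can be checked without the bcrypt gem. This is an added example, not code from Rodauth or from the pull request: it models bcrypt's 72-byte cutoff and derives the maximum password bytesize that keeps the whole pepper inside the hashed input. It assumes the pepper is appended to the password; all helper names and sample values are hypothetical.

```ruby
# Added example: stdlib-only model of bcrypt's 72-byte truncation (no bcrypt gem).
BCRYPT_MAX_BYTES = 72 # bcrypt ignores input bytes past this point

# The bytes bcrypt would actually hash when the pepper is appended to the password.
def effective_bcrypt_input(password, pepper)
  (password.b + pepper.b).byteslice(0, BCRYPT_MAX_BYTES)
end

# Number of pepper bytes that survive truncation for a given password bytesize.
def pepper_bytes_hashed(password_bytesize, pepper_bytesize)
  (BCRYPT_MAX_BYTES - password_bytesize).clamp(0, pepper_bytesize)
end

# Largest password bytesize that still leaves room for the entire pepper.
def max_safe_password_bytesize(pepper)
  limit = BCRYPT_MAX_BYTES - pepper.bytesize
  raise ArgumentError, "pepper leaves no room for a password" if limit < 1
  limit
end

# Hypothetical validation hook: compare bytes, not characters, against the limit.
def password_within_limit?(password, pepper)
  password.bytesize <= max_safe_password_bytesize(pepper)
end

# Constructed sample peppers: same first byte, different remainder (24 bytes each).
PEPPER_A = "Kq7constructedpepper0001"
PEPPER_B = "K" + "z" * 23

if __FILE__ == $PROGRAM_NAME
  unbounded = "a" * 71
  same = effective_bcrypt_input(unbounded, PEPPER_A) ==
         effective_bcrypt_input(unbounded, PEPPER_B)
  puts "71-byte password, pepper bytes hashed: " \
       "#{pepper_bytes_hashed(71, PEPPER_A.bytesize)} (peppers indistinguishable: #{same})"

  limit = max_safe_password_bytesize(PEPPER_A)
  puts "max safe password bytesize: #{limit}, pepper bytes hashed at limit: " \
       "#{pepper_bytes_hashed(limit, PEPPER_A.bytesize)}"

  multibyte = "é" * 30 # 30 characters but 60 bytes
  puts "30-char multibyte password accepted: #{password_within_limit?(multibyte, PEPPER_A)}"
end
```

With no limit, a 71-byte password leaves a single pepper byte in the hash, so two different peppers sharing that byte behave identically. The limit has to be enforced in bytes, because a character-count check lets multibyte passwords through.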