Closed tobiasdiez closed 5 months ago
Unfortunately the runtime-agnostic nature of Lucia makes it unrealistic to add a password hashing utility into the library itself. The Argon2id API provided by Oslo already has a `secret` option to effectively "pepper" your hashes, and uses the recommended defaults.
Thanks for the pointer to `secret`. I wasn't aware of it before / its semantics.

Perhaps it's still a good idea to add this option to the docs so that people following the guides implement the recommended security measures?
Would it make sense to add pepper to `Scrypt` from `lucia`? What's the recommendation between `Scrypt` and `@noble/hashes`? The docs mention both.
I would avoid tweaking how your passwords are hashed to "add security". Scrypt doesn't support peppering, so don't try to force one with a custom implementation.
Package: lucia

Description

Currently, the guides only mention hashing the password (using a modern algorithm that already includes a salt). But it is usually recommended to also pepper the password before storing it in the database.

It would be nice if lucia could provide an opinionated `hashPassword(password: string, peppers: string[])` method that uses argon2id plus peppers, and a corresponding `verifyPassword(password: string, peppers: string[])`. These methods should then be used in the guides.