lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
MIT License

[Feature Request]: Add peppering to password hashing #1410

Closed tobiasdiez closed 5 months ago

tobiasdiez commented 5 months ago

Package

lucia

Description

Currently, the guides only mention hashing the password (using a modern algorithm that already includes a salt). But it is usually recommended to also pepper the password before storing it in the database.

It would be nice if lucia could provide an opinionated hashPassword(password: string, peppers: string[]) method that uses argon2id plus peppers, and a corresponding verifyPassword(password: string, peppers: string[]). These methods should then be used in the guides.

pilcrowOnPaper commented 5 months ago

Unfortunately, the runtime-agnostic nature of Lucia makes it unrealistic to add a password hashing utility into the library itself. The Argon2id API provided by Oslo already has a secret option to effectively "pepper" your hashes, and uses the recommended defaults.

tobiasdiez commented 5 months ago

Thanks for the pointer to secret. I wasn't aware of it before, or of its semantics.

Perhaps it's still a good idea to add this option to the docs so that people following the guides implement the recommended security measures?

xixixao commented 2 months ago

Would it make sense to add pepper to Scrypt from lucia? What's the recommendation between Scrypt and @noble/hashes? The docs mention both.

pilcrowOnPaper commented 2 months ago

I would avoid tweaking how your passwords are hashed to "add security". Scrypt doesn't support peppering, so don't try to force one with a custom implementation.