id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30561	Time for peppering user passwords in Django?	linluc	nobody	"Peppering passwords has been a controversial topic widely discussed in many Stack Overflow questions. Having run my 20+ personal email addresses through the HIBP page, the findings are clear: all emails/passwords of mine that had been leaked fall in the following categories: SQL injections, misconfigured databases, exposed database admin panels or stray database backup files. 

And that’s exactly what a pepper value in the hashing process is protecting from. Breaching the whole server with physical access to the file system is rather rare nowadays.

According to this NIST document [Digital Identity Guidelines: Authentication and Lifecycle Management] 

https://pages.nist.gov/800-63-3/sp800-63b.html :

“In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier.” 

So, why not in Django?"	New feature	new	Uncategorized	2.2	Normal				Unreviewed	0	0	0	0	0	0
