That is not the meaning I intended in my usage of the word "support", but if you equate "support" and "is compatible with", then this API also "supports" peppers, just as much as bcrypt does.
> md5($salt.$pepper.$clearText)
How cute, not just md5 but length-extension vulnerable MD5. I'd recommend not using that scheme for MACs (and more generally not using md5 directly, really, as there are precious few reasons to do so).
> The problem with this API is that if you pass in the "salt" as $salt.$pepper then the output hash also contains the pepper.
Which just happens to be the exact same way bcrypt's API works. Here's an idea: combine the pepper with the password (this is usually done through HMAC), not the salt. That's how you use a pepper and remain compatible with the Modular Crypt Format.
> The whole point of a pepper is to keep a second salt out of the database [blah blah blah]
Contrary to your apparent belief, I am aware of what peppers are, how they are used and what they're supposed to do.
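
The approach described in the comment above (pepper combined with the password through HMAC, salt left to bcrypt), as an added example that is not part of the original post. It uses PHP's built-in `hash_hmac()`, `password_hash()` and `password_verify()`; the helper names and the pepper value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed placeholder. A real pepper is loaded from outside the database
// (environment, config file, secrets manager) and is not stored per user.
const PEPPER = 'constructed-example-pepper-not-a-real-secret';

// Hypothetical helper: fold the pepper into the password with HMAC-SHA256.
// hash_hmac() returns 64 hex characters by default, which stays under
// bcrypt's 72-byte input limit and contains no NUL bytes (raw binary output
// could contain NUL bytes, which bcrypt does not handle safely).
function pepper_password(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

// Hypothetical helper: bcrypt generates its own random salt, so the stored
// string carries only algorithm, cost, salt and digest. The pepper never
// appears in it.
function hash_with_pepper(string $password, string $pepper): string
{
    return password_hash(
        pepper_password($password, $pepper),
        PASSWORD_BCRYPT,
        ['cost' => 12]
    );
}

function verify_with_pepper(string $password, string $stored, string $pepper): bool
{
    return password_verify(pepper_password($password, $pepper), $stored);
}

$stored = hash_with_pepper('correct horse battery staple', PEPPER);

// The stored value is an ordinary Modular Crypt Format bcrypt string:
// "$2y$", the cost, then 22 salt characters and 31 digest characters.
var_dump(preg_match('/^\$2y\$12\$[.\/A-Za-z0-9]{53}$/', $stored) === 1);

// Correct password with the pepper, then a wrong password with the pepper.
var_dump(verify_with_pepper('correct horse battery staple', $stored, PEPPER));
var_dump(verify_with_pepper('wrong password', $stored, PEPPER));

// The database row alone, without the pepper, does not verify the password.
var_dump(password_verify('correct horse battery staple', $stored));
```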