From 4b073ea079e41671ba0ceb214a0ef0fbfbc389ec Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Fri, 11 Apr 2025 11:45:28 +0200 Subject: [PATCH 1/2] Document password scheme secret field for migrations Signed-off-by: Samuel Lorch sam@soontm.de --- docs/setup/migration.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/setup/migration.md b/docs/setup/migration.md index 19ac21288..ffd1dcf04 100644 --- a/docs/setup/migration.md +++ b/docs/setup/migration.md @@ -45,6 +45,7 @@ Follow the instructions in the [installation guide](installation.md) to install Synapse uses bcrypt as its password hashing scheme while MAS defaults to using the newer argon2id. You will have to configure the version 1 scheme as bcrypt for migrated passwords to work. It is also recommended that you keep argon2id as version 2 so that once users log in, their hashes will be updated to the newer recommended scheme. +If you have set a pepper in the Synapses password_config section of your homeserver.yaml then you need to specify this pepper as the secret field for your bcrypt scheme. Otherwise logins with the correct Password will fail. Example passwords configuration: ```yml @@ -53,6 +54,8 @@ passwords: schemes: - version: 1 algorithm: bcrypt + # Optional, The secret field is the equivalent to Synapses password_config pepper. + secret: secretPepperValue - version: 2 algorithm: argon2id ``` From b802f8f173afc661fc4c3bfa362b96c732a340d2 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Fri, 11 Apr 2025 16:33:14 +0200 Subject: [PATCH 2/2] Minor rewording --- docs/setup/migration.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/setup/migration.md b/docs/setup/migration.md index ffd1dcf04..2d3b7a0c0 100644 --- a/docs/setup/migration.md +++ b/docs/setup/migration.md 
@@ -45,7 +45,7 @@ Follow the instructions in the [installation guide](installation.md) to install Synapse uses bcrypt as its password hashing scheme while MAS defaults to using the newer argon2id. You will have to configure the version 1 scheme as bcrypt for migrated passwords to work. It is also recommended that you keep argon2id as version 2 so that once users log in, their hashes will be updated to the newer recommended scheme. -If you have set a pepper in the Synapses password_config section of your homeserver.yaml then you need to specify this pepper as the secret field for your bcrypt scheme. Otherwise logins with the correct Password will fail. +If you have a `pepper` set in the `password_config` section of your Synapse config, then you need to specify this `pepper` as the `secret` field for your `bcrypt` scheme. Example passwords configuration: ```yml @@ -54,8 +54,8 @@ passwords: schemes: - version: 1 algorithm: bcrypt - # Optional, The secret field is the equivalent to Synapses password_config pepper. - secret: secretPepperValue + # Optional, must match the `password_config.pepper` in the Synapse config + #secret: secretPepperValue - version: 2 algorithm: argon2id ```
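Review bot: in PATCH 1/2, hunk `@@ -53,6 +54,8 @@`, the example sets `secret: secretPepperValue` as an active key. A reader who copies the block for a Synapse deployment with no `pepper` would end up with a `secret` that matches nothing in Synapse. PATCH 2/2 comments the line out, so consider squashing the two commits so that no revision of `docs/setup/migration.md` carries the active placeholder value.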
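Review bot: in PATCH 2/2, hunk `@@ -45,7 +45,7 @@`, the reworded paragraph drops the sentence "Otherwise logins with the correct Password will fail." from PATCH 1/2. The page then no longer says what a missing or mismatched `secret` looks like to an operator. Suggest keeping the consequence after the reworded sentence, for example "Otherwise, logins with the correct password will fail.", since that symptom is what someone debugging a migration will be looking for.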
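Review bot: in PATCH 2/2, hunk `@@ -54,8 +54,8 @@`, the comment opens with "Optional", which reads as if `secret` may be left out freely, while the paragraph in the previous hunk says it is needed whenever `pepper` is set in `password_config`. Suggest putting the condition in the comment itself, for example "Only needed if `password_config.pepper` is set in the Synapse config, and must then match it". It would also help to make `secretPepperValue` more obviously a placeholder so it is not pasted in unchanged.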