Allow to HMAC password hash
I followed this talk: https://talks.m4dz.net/crypto-pour-les-devs/#32
And the speaker advise to HMAC the password hash with a secret key to ensure that in case of SQL injection, replacing the hash and salt does not work.
The difficulty is to store the HMAC key in a secure way. The best is to use dedicated hardware but indeed by storing it just on the filesystem, it is already quiet effective. So I propose to have by default a way to HMAC using a secret on the filesystem and use the standard hmac module but the API must be generic enough to allow to use product like YubiHSM2 [1].
[1] https://developers.yubico.com/YubiHSM2/