[devy]

Yep. Proper password hashing requires per-credential salt, pepper (for all credentials) and a strong algorithm (IV, iterations etc.) Revealing all those information is a leak and arguably making client side hashing less secure (by giving away a lot of parameters for attackers to attack)

[eropple]

NIST may say that you should use "peppers" for passwords, but nobody else does.

None of bcrypt, scrypt, or Argon2 use them and are not materially worse for it.

[devy]

Yes, adding pepper is a recommendation not a mandatory step. But a lot of sites do, I.E. PagerDuty [1], paired with PBKDF2 as many apps requires to meet FIPS certification or enterprise support on many platforms.[2]

[1]: https://sudo.pagerduty.com/for_engineers/

[2]: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet