The config file now contains 'secrets' with 'pepper' that is used for
hashing passwords in the database. This means a hacker now needs to
have config.php to attack the (hashed) passwords in the database.
This may not be very meaningful if the DB backend is file_auth, but
can be useful for example if the backend is sql_auth and your database
backup (mysqldump) gets leaked.
We automatically create the secrets (like pepper) and automatically
upgrade password hashes to use pepper when each user logs in.
This does need write access to config/config.php while upgrading, though.
The hashed passwords in the database will have the prefix "peppered:"
if they have been upgraded to use pepper.
A side-effect of this is that you cannot blindly 'rm config/config.php'
and start the installation over again while keeping your old database.
This is because the hashed passwords in the existing database were created
with an old pepper value and the new setup would create a random new
pepper value, making the hashes worthless (and wrong).
This mostly matters for devs, but it is something for testers
to be aware of as well.
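
The upgrade-on-login flow and the lost-pepper side effect described above, as an added example that is not this project's code. The HMAC-then-password_hash construction, the function names, and the assumption that legacy rows hold plain password_hash() output are illustrative; only the "peppered:" prefix comes from the text.

```php
<?php
// Added illustration, not the project's implementation. The construction
// (HMAC-SHA256 with the pepper, then password_hash) is an assumption.
const PEPPER_PREFIX = 'peppered:';   // prefix named in the text above

function pepper_input(string $password, string $pepper): string {
    // Keyed pre-hash; base64 avoids NUL bytes and stays under bcrypt's 72-byte limit.
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

function hash_with_pepper(string $password, string $pepper): string {
    return PEPPER_PREFIX . password_hash(pepper_input($password, $pepper), PASSWORD_DEFAULT);
}

// Returns [bool $ok, ?string $upgraded]; the caller stores $upgraded when it is not null.
function verify_and_upgrade(string $password, string $stored, string $pepper): array {
    $n = strlen(PEPPER_PREFIX);
    if (strncmp($stored, PEPPER_PREFIX, $n) === 0) {
        $ok = password_verify(pepper_input($password, $pepper), substr($stored, $n));
        return [$ok, null];
    }
    // Legacy row (assumed plain password_hash output): verify the old way, then
    // upgrade on success, because the plaintext is only available at login.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    return [true, hash_with_pepper($password, $pepper)];
}

// Constructed sample data.
$pepper = bin2hex(random_bytes(32));                  // would live in config/config.php
$legacy = password_hash('s3cret', PASSWORD_DEFAULT);  // row written before the upgrade

[$ok, $upgraded] = verify_and_upgrade('s3cret', $legacy, $pepper);
echo "legacy login ok: ", var_export($ok, true), "\n";
echo "row now prefixed: ", var_export(strncmp($upgraded, PEPPER_PREFIX, 9) === 0, true), "\n";

$again = verify_and_upgrade('s3cret', $upgraded, $pepper)[0];
echo "peppered login ok: ", var_export($again, true), "\n";

// Config removed and reinstalled: a fresh random pepper no longer matches
// the hashes already in the database, so the same password is rejected.
$newPepper = bin2hex(random_bytes(32));
$afterReset = verify_and_upgrade('s3cret', $upgraded, $newPepper)[0];
echo "login after pepper reset: ", var_export($afterReset, true), "\n";
```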