If pepper is needed or unbounded-length passwords are desired, use Argon2id. It is the 2015 PHC winner, supports salt and pepper natively as arguments, is OWASP-recommended, and for new applications is a drop-in swap. Remember to limit password length to prevent DoS attacks on long passwords.