Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://furry.engineer/users/soatok/statuses/114019367446769376">Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 17-Feb-2025 22:33:35 JST</a><a href="https://furry.engineer/@soatok" title="soatok@furry.engineer"><img src="https://gnusocial.jp/avatar/34725-48-20230823231406.webp" width="48" height="48" alt="Soatok Dreamseeker" style="position: absolute; left: 0; top: 0;">Soatok Dreamseeker</a></section><article><p>WordPress 6.8 is due to switch their password hashing to bcrypt, and their application passwords to BLAKE2b.</p><p>Great news:</p><p>They disarmed the 72 char footgun with bcrypt in the way I recommended (HMAC, rather than just SHA2, to prevent hash shucking, and base64 to prevent NUL truncation).</p><p><a href="https://core.trac.wordpress.org/changeset/59828" rel="nofollow noreferrer">https://core.trac.wordpress.org/changeset/59828</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4580927#notice-8968016">In conversation</a><time datetime="2025-02-17T22:33:35+09:00" title="Monday, 17-Feb-2025 22:33:35 JST">about 5 days ago</time> <span>from <span><a href="https://furry.engineer/@soatok/114019367446769376" rel="external" title="Sent from furry.engineer via ActivityPub">furry.engineer</a></span></span><a href="https://furry.engineer/@soatok/114019367446769376">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4153635">Screenshot of the SVN changeset showing they pre-hash the password with HMAC-SHA384, then base64 the output, and then run bcrypt on the bade64-encoded value.</a></label><br><a href="https://furry.engineer/system/media_attachments/files/114/019/356/034/315/773/original/4763731321dbefc3.jpg" rel="external">https://furry.engineer/system/media_attachments/files/114/019/356/034/315/773/original/4763731321dbefc3.jpg</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Monday, 17-Feb-2025 22:33:35 JST Soatok Dreamseeker
WordPress 6.8 is due to switch their password hashing to bcrypt, and their application passwords to BLAKE2b.
Great news:
They disarmed the 72 char footgun with bcrypt in the way I recommended (HMAC, rather than just SHA2, to prevent hash shucking, and base64 to prevent NUL truncation).
https://core.trac.wordpress.org/changeset/59828
In conversationabout 5 days ago from furry.engineerpermalink
Attachments
1. Screenshot of the SVN changeset showing they pre-hash the password with HMAC-SHA384, then base64 the output, and then run bcrypt on the bade64-encoded value.
  https://furry.engineer/system/media_attachments/files/114/019/356/034/315/773/original/4763731321dbefc3.jpg

Public

Embed Notice

HTML Code

Corresponding Notice