"This means that passwords that result in hashes that, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that don’t contain them. Passing this check means an attacker doesn’t need a byte-for-byte match with the stored hash value,"

@dethos Would make for a nice backdoor if it hadn't been introduced by what seems to be one of the main authors in January...

Someone commented on the change on Github today:

Sign in to participate in the conversation
Social feed

This is a personal and private instance.