
How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit
Cybersecurity, Authentication, Vulnerabilities, Cryptography
This post summarizes an article explaining how FreshRSS, a self-hosted RSS feed aggregator written in PHP, ended up with an authentication bypass rooted in bcrypt's 72-byte input limit. When the project upgraded its password hashing to bcrypt, it inherited a property of that algorithm: bcrypt uses only the first 72 bytes of the password (bytes, not characters, so multi-byte UTF-8 text reaches the limit sooner) and silently discards everything after them. Any two inputs that agree on their first 72 bytes therefore produce the same hash and verify against each other, and nothing in the API signals that truncation took place. A change intended to strengthen password storage thus produced weaker verification than intended, and under the conditions described in the article the truncation could be used to bypass authentication.
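As an added illustration (this is not FreshRSS code and does not reproduce the specific issue the article describes), the following PHP script shows the bcrypt behaviour in question through PHP's built-in password_hash()/password_verify(), then two hardening options. The function names, the BCRYPT_MAX_BYTES constant and the constructed test passwords are this example's own.

```php
<?php
// Added example, not FreshRSS code: demonstrates bcrypt's 72-byte input limit
// with PHP's built-in password_hash()/password_verify(), plus two mitigations.

declare(strict_types=1);

const BCRYPT_MAX_BYTES = 72; // assumption of this example: bcrypt's documented input limit

// Constructed test passwords: identical for the first 72 bytes, different afterwards.
$prefix    = str_repeat('A', BCRYPT_MAX_BYTES);
$realPass  = $prefix . 'correct-secret';
$wrongPass = $prefix . 'totally-different';

// 1. Plain bcrypt: everything after byte 72 is silently ignored, so the wrong
//    password verifies against the real password's hash.
$hash = password_hash($realPass, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_verify($wrongPass, $hash)); // bool(true): wrong password accepted

// 2. Mitigation A: refuse anything longer than 72 *bytes* at enrolment and at login.
//    strlen() counts bytes, so multi-byte UTF-8 passwords are measured correctly.
function hash_password_strict(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException('password exceeds bcrypt limit of 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password_strict(string $password, string $hash): bool
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        return false; // hash_password_strict() never produced a hash for such input
    }
    return password_verify($password, $hash);
}

// 3. Mitigation B: pre-hash with SHA-256 and base64-encode the digest (44 printable
//    bytes), so every byte of the original password influences the bcrypt input.
//    Hashes produced this way are not compatible with plain bcrypt hashes, so this
//    has to be introduced at enrolment or password reset, not applied to stored hashes.
function bcrypt_input(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

function hash_password_prehashed(string $password): string
{
    return password_hash(bcrypt_input($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password_prehashed(string $password, string $hash): bool
{
    return password_verify(bcrypt_input($password), $hash);
}

$hashB = hash_password_prehashed($realPass);
var_dump(verify_password_prehashed($realPass, $hashB));  // bool(true)
var_dump(verify_password_prehashed($wrongPass, $hashB)); // bool(false): suffix now matters

$hashA = hash_password_strict('short-enough-secret');
var_dump(verify_password_strict('short-enough-secret', $hashA)); // bool(true)
var_dump(verify_password_strict($realPass, $hashA));             // bool(false): rejected by length
```

The first var_dump is the whole problem in one line: bcrypt returns success for a password the user never set. Of the two mitigations, the length check is the smallest change but pushes the limit onto users; the pre-hash keeps long passphrases usable while staying within 72 bytes. Either way, the check must be applied consistently on both the hashing and the verifying path, and where the PHP build offers PASSWORD_ARGON2ID, switching algorithms removes the limit entirely.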