Hacker News
by pquerna 602 days ago
Per <https://trust.okta.com/security-advisories/okta-ad-ldap-dele...>

2024-07-23 - Vulnerability introduced as part of a standard Okta release

This issue is not an "Okta is old" issue. This was new code written in 2024 that used a password hashing function from 1999 as a cache key.

1 comment

Bcrypt is still perfectly usable for its original purpose. They just picked/wrote a bad implementation that silently truncated inputs longer than the maximum input length. Would you also ask why they picked AES (a cipher from 1998) when the error was with the user (e.g. picking a fixed or too-short key)?
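The truncation failure that both the post and the reply describe, as an added Python example that is not Okta's code and is not taken from the advisory: bcrypt consumes at most 72 bytes of its input, so a cache key built from a plain concatenation of fields stops depending on the password once the fields before it fill that budget. The block models the truncation with SHA-256 over the first 72 bytes (so it runs with the standard library only; real bcrypt behaves the same way at the input boundary) and places two safe constructions beside the vulnerable one. The field layout (user id, username, password), the sample identifiers and the choice of a cache-key use are assumptions constructed for the demonstration.

```python
"""Cache keys derived from a length-limited hash (added illustration, not Okta's code).

BCRYPT_MAX is bcrypt's real 72-byte input limit; `bounded_hash` stands in for any
hash that silently discards everything past that limit. Field layout and sample
values are constructed for the demonstration.
"""
import hashlib
import hmac

BCRYPT_MAX = 72  # bcrypt only ever looks at the first 72 bytes of its input


def bounded_hash(data: bytes) -> str:
    """Model of a truncating password hash: bytes past BCRYPT_MAX are ignored."""
    return hashlib.sha256(data[:BCRYPT_MAX]).hexdigest()


def naive_cache_key(user_id: str, username: str, password: str) -> str:
    """Vulnerable pattern: plain concatenation into the truncating hash.
    If user_id + username already fill 72 bytes, the password never reaches it."""
    material = (user_id + username + password).encode()
    return bounded_hash(material)


def strict_cache_key(user_id: str, username: str, password: str) -> str:
    """Fix 1: refuse input the hash cannot consume in full instead of truncating."""
    material = (user_id + username + password).encode()
    if len(material) > BCRYPT_MAX:
        raise ValueError(f"input is {len(material)} bytes; hash limit is {BCRYPT_MAX}")
    return bounded_hash(material)


def prehashed_cache_key(user_id: str, username: str, password: str) -> str:
    """Fix 2: collapse the fields to a fixed-size digest first, so the bounded hash
    always sees exactly 32 bytes. Each field is length-prefixed so "ab"+"c" and
    "a"+"bc" cannot collide, and the HMAC label gives domain separation."""
    h = hmac.new(b"auth-cache-key-v1", digestmod=hashlib.sha256)  # label is an assumption
    for field in (user_id, username, password):
        enc = field.encode()
        h.update(len(enc).to_bytes(4, "big"))
        h.update(enc)
    return bounded_hash(h.digest())


def demo() -> dict:
    """Constructed scenario: identifiers long enough that the password is the
    part the truncating hash would discard."""
    user_id = "00u" + "0" * 17                  # 20 bytes, constructed
    long_name = "very.long.account.name." * 3   # 69 bytes, constructed
    short_name = "alice"
    results = {}
    # Long username: user_id + username is 89 bytes, past the 72-byte limit,
    # so two different passwords yield the same naive key.
    results["naive_collides"] = (
        naive_cache_key(user_id, long_name, "correct-password")
        == naive_cache_key(user_id, long_name, "anything-else"))
    try:
        strict_cache_key(user_id, long_name, "correct-password")
        results["strict_rejects"] = False
    except ValueError:
        results["strict_rejects"] = True
    results["prehashed_collides"] = (
        prehashed_cache_key(user_id, long_name, "correct-password")
        == prehashed_cache_key(user_id, long_name, "anything-else"))
    # Short username: the password still reaches the hash, so naive keys differ.
    results["naive_short_collides"] = (
        naive_cache_key(user_id, short_name, "correct-password")
        == naive_cache_key(user_id, short_name, "anything-else"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The short-username case is why a bug like this survives testing: every account whose identifiers fit under the limit behaves correctly, and only the long tail of accounts past the boundary silently loses the password from the key. Of the two fixes, rejecting overlong input is the minimal change; pre-hashing with a length-prefixed HMAC is the one that removes the length dependence entirely and is the usual recommendation when bcrypt has to accept arbitrary-length input.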