WordPress 6.8 changed how core hashes and verifies passwords, moving user passwords to bcrypt and shifting several security-key flows to the new fast-hash path. For sites with custom login APIs, SSO glue code, migration bridges, or direct database checks built around older hash assumptions, that creates a quiet but now