From b7e2aba04498e541c83e14013a2bfd55349396a1 Mon Sep 17 00:00:00 2001
From: Reguna <60984878+regunakyle@users.noreply.github.com>
Date: Wed, 13 Nov 2024 03:38:14 +0800
Subject: [PATCH] Add a note to emphasize that encoding pre-hashed output can
 only prevent null bytes, but cannot prevent password shucking with bcrypt
 (#1533)

---
 cheatsheets/Password_Storage_Cheat_Sheet.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cheatsheets/Password_Storage_Cheat_Sheet.md b/cheatsheets/Password_Storage_Cheat_Sheet.md
index c96e71a5b5..7f275c5b34 100644
--- a/cheatsheets/Password_Storage_Cheat_Sheet.md
+++ b/cheatsheets/Password_Storage_Cheat_Sheet.md
@@ -129,7 +129,7 @@ bcrypt has a maximum length input length of 72 bytes [for most implementations](
 
 #### Pre-Hashing Passwords with bcrypt
 
-An alternative approach is to pre-hash the user-supplied password with a fast algorithm such as SHA-256, and then to hash the resulting hash with bcrypt (i.e., `bcrypt(base64(hmac-sha256(data:$password, key:$pepper)), $salt, $cost)`). This is a dangerous (but common) practice that **should be avoided** due to [password shucking](https://www.youtube.com/watch?v=OQD3qDYMyYQ) and other issues when [combining bcrypt with other hash functions](https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html).
+An alternative approach is to pre-hash the user-supplied password with a fast algorithm such as SHA-256, and then to hash the resulting hash with bcrypt (i.e., `bcrypt(base64(hmac-sha256(data:$password, key:$pepper)), $salt, $cost)`). This is a dangerous (but common) practice that **should be avoided** due to [password shucking](https://www.youtube.com/watch?v=OQD3qDYMyYQ) and other issues when [combining bcrypt with other hash functions](https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html) (**Note:** "The Fix" in this blog post only protect you from null bytes; it does **NOT** protect you from password shucking!).
 
 ### PBKDF2