diff --git a/wp-includes/class-wp-application-passwords.php b/wp-includes/class-wp-application-passwords.php
index 8ed02dd6f3..6e84e0a2b2 100644
--- a/wp-includes/class-wp-application-passwords.php
+++ b/wp-includes/class-wp-application-passwords.php
@@ -502,6 +502,14 @@ class WP_Application_Passwords {
 		string $password,
 		string $hash
 	): bool {
+		if ( ! str_starts_with( $hash, '$generic$' ) ) {
+			/*
+			 * If the hash doesn't start with `$generic$`, it is a hash created with `wp_hash_password()`.
+			 * This is the case for application passwords created before 6.8.0.
+			 */
+			return wp_check_password( $password, $hash );
+		}
+
 		return wp_verify_fast_hash( $password, $hash );
 	}
 }
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index ec6cc616dc..f12e925a69 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -9150,8 +9150,8 @@ function wp_fast_hash(
  * Checks whether a plaintext message matches the hashed value. Used to verify values hashed via wp_fast_hash().
  *
  * The function uses Sodium to hash the message and compare it to the hashed value. If the hash is not a generic hash,
- * the hash is treated as a phpass portable hash in order to provide backward compatibility for application passwords
- * which were hashed using phpass prior to WordPress 6.8.0.
+ * the hash is treated as a phpass portable hash in order to provide backward compatibility for passwords and security
+ * keys which were hashed using phpass prior to WordPress 6.8.0.
  *
  * @since 6.8.0
  *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5a0660c9c4..ec60b1a6e1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.8-RC2-60118';
+$wp_version = '6.8-RC2-60125';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.