"except for checking that two 32-bit hashes were the same length"
Not quite. It only checks the entered password against the stored password
but checking length is what it didn't do. The result is, if I enter a
password of one character it checks that character against the first
character of the stored password, essentially. This means, without any
altering of the login at all you can just type through the alphabet until it
grants access. People have been talking about how the ME system is a terrible
security concept for years but they didn't care, and they won't start now. I
read one guy said they likely leaked this as an excuse to disable the new ME
remover technique with an "update."