MD5 used to hash a password or token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An MD5 hashing call sits on the same line as password/token/secret naming. MD5 is fast and broken, so it is unfit for hashing credentials.
Why it matters
MD5 is fast to compute and has known collisions, so a stolen MD5 password database can be cracked at billions of guesses per second on commodity GPUs. It also has no built-in salt, so identical passwords produce identical hashes. Any account protected this way should be considered exposed the moment the hash table leaks.
How to fix it
Hash passwords with a purpose-built password hash: bcrypt, scrypt, or Argon2id, each with a per-user random salt (these libraries generate one for you). For non-password tokens that need a hash, use SHA-256 or better. Rehash existing passwords on next successful login and store the new algorithm alongside each hash so you can migrate gradually.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo