Will It Vibe logoWill It Vibe?
RUST-013High severity-15 points

MD5/SHA-1 used to hash a password or token

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

MD5 or SHA-1 is used via a Rust hashing crate (md5/md-5, sha1) on lines that also name password/token/secret handling. Both are broken/fast general-purpose hashes and unfit for credential hashing; use a password-hashing KDF such as argon2 or bcrypt instead.

Why it matters

MD5 and SHA-1 are fast, general-purpose hash functions, which is exactly the wrong property for hashing a password or token: their speed makes brute-forcing and rainbow-table attacks cheap, and both algorithms have known collision weaknesses that rule them out for anything security-sensitive. Using either to hash a credential means a database leak turns directly into crackable passwords rather than a merely leaked, still-protected hash.

How to fix it

Replace the hash with a password-hashing KDF designed to be slow and tunable: the argon2 crate (Argon2id) is the modern default, with bcrypt as a well-established alternative. For non-password integrity/identification uses that still need a fast hash, move to SHA-256 (sha2 crate) or BLAKE3 rather than MD5/SHA-1.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks