MD5/SHA-1 used to hash a password or token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
MD5 or SHA-1 is used via a Rust hashing crate (md5/md-5, sha1) on lines that also name password/token/secret handling. Both are broken/fast general-purpose hashes and unfit for credential hashing; use a password-hashing KDF such as argon2 or bcrypt instead.
Why it matters
MD5 and SHA-1 are fast, general-purpose hash functions, which is exactly the wrong property for hashing a password or token: their speed makes brute-forcing and rainbow-table attacks cheap, and both algorithms have known collision weaknesses that rule them out for anything security-sensitive. Using either to hash a credential means a database leak turns directly into crackable passwords rather than a merely leaked, still-protected hash.
How to fix it
Replace the hash with a password-hashing KDF designed to be slow and tunable: the argon2 crate (Argon2id) is the modern default, with bcrypt as a well-established alternative. For non-password integrity/identification uses that still need a fast hash, move to SHA-256 (sha2 crate) or BLAKE3 rather than MD5/SHA-1.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo