Weak hash algorithm near password handling
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
MD5/SHA1 are not suitable for password hashing; use bcrypt/argon2/scrypt instead.
Why it matters
MD5 and SHA1 are fast by design, so leaked password hashes can be tested at billions of guesses per second on commodity GPUs. Both also have known collision weaknesses. If your user table leaks, fast hashes turn it into a plaintext password list within hours for most users.
How to fix it
Hash passwords with bcrypt or argon2: the bcrypt package in Node, and bcrypt, argon2-cffi, or passlib in Python. Migrate existing users by rehashing at their next successful login, using a flag or hash-prefix check to recognize the legacy format in the meantime. Do not keep md5 anywhere in the password path.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo