Will It Vibe?
SEC-017High severity-15 points

Weak hash algorithm near password handling

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

MD5/SHA1 are not suitable for password hashing; use bcrypt/argon2/scrypt instead.

Why it matters

MD5 and SHA1 are fast by design, so leaked password hashes can be tested at billions of guesses per second on commodity GPUs. Both also have known collision weaknesses. If your user table leaks, fast hashes turn it into a plaintext password list within hours for most users.

How to fix it

Hash passwords with bcrypt or argon2: the bcrypt package in Node, and bcrypt, argon2-cffi, or passlib in Python. Migrate existing users by rehashing at their next successful login, using a flag or hash-prefix check to recognize the legacy format in the meantime. Do not keep md5 anywhere in the password path.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks