Laravel Weak Password Hashing: How to Replace md5 and sha1 with bcrypt

Using md5() or sha1() for password hashing is trivially crackable. Laravel uses bcrypt by default — make sure your application does too.

High severity Application Security Updated 2026-05-01

The Problem

MD5 and SHA-1 are fast hash functions designed for data integrity, not password storage. Modern GPUs can compute billions of MD5 hashes per second, making brute-force attacks trivial. A database of MD5-hashed passwords can be cracked in minutes using rainbow tables. Laravel uses bcrypt (or argon2) by default through Hash::make(), but legacy code or custom authentication may bypass this. Any password hashed with md5() or sha1() should be considered compromised.

How to Fix

1
Find all weak hashing in your codebase
```
Search for md5 and sha1 used in authentication or password contexts:
```
```
grep -rn 'md5(\|sha1(' app/ --include='*.php'
```
Look specifically for: - md5($password) or sha1($password) - Custom authentication that compares md5 hashes - Legacy database columns with 32-character (md5) or 40-character (sha1) hashes
```
Note: md5() used for cache keys, ETags, or non-security purposes is acceptable.
```

Replace with Hash::make() and Hash::check()

Use Laravel's built-in hashing:

use Illuminate\Support\Facades\Hash;

// Hashing a password
$hashed = Hash::make($password);

// Verifying a password
if (Hash::check($plaintext, $hashed)) {
    // Password matches
}

// In a User model / registration
User::create([
    'password' => Hash::make($request->password),
]);

Laravel's Hash facade uses bcrypt by default with automatic salt generation. You can configure the algorithm in config/hashing.php.

Migrate existing md5/sha1 passwords

For existing users with legacy hashes, rehash on login:

// In your LoginController or custom auth logic
if ($user && md5($password) === $user->password) {
    // Legacy hash matches — rehash with bcrypt
    $user->update([
        'password' => Hash::make($password),
    ]);
    Auth::login($user);
}

After a reasonable migration period, force remaining users to reset their passwords.

How to Verify

Check your database for short hash values (md5 = 32 chars, sha1 = 40 chars, bcrypt = 60 chars):

SELECT id, LENGTH(password) as hash_length FROM users WHERE LENGTH(password) < 60;

Any results indicate weak hashing. Run php artisan stackshield:scan --check=SS042 to scan for md5/sha1 usage in code.

Prevention

Never use md5() or sha1() for passwords. Always use Hash::make(). Configure bcrypt rounds in config/hashing.php (default 12 is good). Consider upgrading to argon2id for new applications. Use StackShield to scan for weak hashing patterns.

Frequently Asked Questions

Is sha256 safe for password hashing?

No. SHA-256 is faster than md5/sha1 but still a fast hash function. Password hashing requires intentionally slow algorithms like bcrypt, argon2, or scrypt that make brute-force attacks computationally expensive. Use Hash::make() which handles this correctly.

What bcrypt rounds should I use?

Laravel defaults to 12 rounds, which takes about 250ms to hash. This is a good balance between security and performance. Increase to 13-14 if your server can handle it. You can set this in config/hashing.php or .env with BCRYPT_ROUNDS.

Related Security Terms

Brute-Force Attack

Related Guides

High

Detect This Automatically with StackShield

StackShield continuously monitors your Laravel application from the outside and alerts you when security issues are found. No installation required.

Start Free Trial