Comments
-
@RemusWasTaken Fuck no. Take a look at bcrypt or argon. SHA is not a password hashing algorithm, it's way too fast.
-
DDD-DOG: @RemusWasTaken At least way better than MD5. Also you should add salt (and pepper) to the algorithm (search about it)
-
Just use bcrypt. MD5 is insecure for anything, period. SHA-256 isn't broken yet, but it's too fast. You want the algorithm to be fast enough to be mostly unnoticeable when verifying user passwords legitimately, but unacceptably slow when someone's bruteforcing hashes. And you want salts. Basically use bcrypt.
-
@DDD-DOG SHA256 is NOT much better than MD5. If you ever argue in favor of it, you are doing something majorly wrong. It's possible to calculate multiple millions of SHA256 hashes in a single second. It is NOT secure and should never be used for ANYTHING involving passwords. Don't even think about it.
-
@DDD-DOG Also, all modern algos take care of salting by themselves. No need to do that anymore, which is another argument for using a proper password hashing function like bcrypt or argon.
Related Rants
Created an md5 hash for the admin user's pw on a personal project and the hash starts with "bad666...".
Is md5 telling me something?
Hmm...
joke/meme
hash
md5