## TL;DR

- AI editors frequently output MD5 or SHA-1 for password hashing -- both broken for this purpose
- Root cause: training data from pre-2015 tutorials where MD5 was common practice
- Fix: bcrypt (cost 12) or argon2. Pick one. Three-line swap.

I was reviewing a friend's side project last month. Node.js backend, clean architecture, React frontend. He'd built the whole thing with Cursor over a weekend. The auth flow looked right at a glance -- passwords were stored as hashes, login worked, tests passed.

Then I saw the hashing function.

```python
import hashlib
hashed = hashlib.md5(password.encode()).hexdigest()  # CWE-328
```

MD5 is not a password hashing algorithm. It never was. It's a checksum function that completes in under 1 microsecond per hash. On a consumer GPU, an attacker can run 60 billion MD5 hashes per second. The entire rockyou2024 dataset -- 10 billion passwords -- cracked in under 3 minutes.

## Why AI Editors Keep Generating This

It's not a model bug.…
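
A review-time check for the MD5 call shown earlier, as an added example that is not part of the original post: a small `ast`-based scanner that flags `hashlib` MD5/SHA-1 calls whose argument has a password-like name, while leaving ordinary checksums alone. The name heuristic (`HINTS`), the function names and the sample source are assumptions made for illustration, and only `hashlib.md5(...)`-style and `from hashlib import ...` calls are covered.

```python
import ast

WEAK = {"md5", "sha1"}                  # the digests the post calls out
HINTS = ("password", "passwd", "pwd")   # assumed naming heuristic for secrets

def _is_secret(expr):
    """True if any identifier inside expr has a password-like name."""
    names = (getattr(n, "id", None) or getattr(n, "attr", "") for n in ast.walk(expr))
    return any(h in name.lower() for name in names for h in HINTS)

def _weak_digest(call, modules, imported):
    """Name of the weak digest this Call constructs, or None."""
    f = call.func
    if isinstance(f, ast.Name):                        # from hashlib import md5
        return imported.get(f.id)
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        if f.value.id in modules and f.attr in WEAK:   # hashlib.md5(...)
            return f.attr
    return None

def find_weak_password_hashes(source):
    """Return sorted (line, digest) pairs for MD5/SHA-1 fed a password-like value."""
    tree = ast.parse(source)
    modules, imported = set(), {}
    for node in ast.walk(tree):                        # resolve hashlib aliases first
        if isinstance(node, ast.Import):
            modules |= {a.asname or a.name for a in node.names if a.name == "hashlib"}
        elif isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            imported.update({a.asname or a.name: a.name for a in node.names if a.name in WEAK})
    return sorted((n.lineno, d) for n in ast.walk(tree)
                  if isinstance(n, ast.Call) and (d := _weak_digest(n, modules, imported))
                  and any(_is_secret(a) for a in n.args))

# Constructed sample input: two password hashes and one harmless checksum.
SAMPLE = '''\
import hashlib
from hashlib import sha1 as digest
def register(password):
    return hashlib.md5(password.encode()).hexdigest()
def legacy(user_pwd):
    return digest(user_pwd.encode()).hexdigest()
def etag(body):
    return hashlib.md5(body).hexdigest()
'''

if __name__ == "__main__":
    for line, digest in find_weak_password_hashes(SAMPLE):
        print(f"line {line}: {digest} applied to a password-like value (CWE-328)")
```

Run over generated code in CI or a pre-commit hook, this catches the pattern before it reaches a user table; a hit is the cue to apply the bcrypt or argon2 swap from the TL;DR.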