diff --git a/src/background.ts b/src/background.ts
index f52c2269f..a348eae4b 100644
--- a/src/background.ts
+++ b/src/background.ts
@@ -167,7 +167,7 @@ async function getTotp(text: string) {
 chrome.tabs.sendMessage(id, { action: "secretqr", secret });
 } else {
 const encryption = new Encryption(cachedPassphrase);
- const hash = CryptoJS.MD5(secret).toString();
+ const hash = CryptoJS.SHA256(secret).toString();
 if (
 !/^[2-7a-z]+=*$/i.test(secret) &&
 /^[0-9a-f]+$/i.test(secret) &&
diff --git a/src/components/Popup/AddAccountPage.vue b/src/components/Popup/AddAccountPage.vue
index 49f0b47d8..d84c2077a 100644
--- a/src/components/Popup/AddAccountPage.vue
+++ b/src/components/Popup/AddAccountPage.vue
@@ -62,7 +62,7 @@ export default Vue.extend({
 issuer: "",
 account: this.newAccount.account,
 encrypted: false,
- hash: CryptoJS.MD5(this.newAccount.secret).toString(),
+ hash: CryptoJS.SHA256(this.newAccount.secret).toString(),
 secret: this.newAccount.secret,
 counter: 0
 });
diff --git a/src/import.ts b/src/import.ts
index 2fd827d72..677c98136 100644
--- a/src/import.ts
+++ b/src/import.ts
@@ -153,7 +153,7 @@ export function getEntryDataFromOTPAuthPerLine(importCode: string) {
 ) {
 continue;
 } else {
- const hash = CryptoJS.MD5(secret).toString();
+ const hash = CryptoJS.SHA256(secret).toString();
 if (
 !/^[2-7a-z]+=*$/i.test(secret) &&
 /^[0-9a-f]+$/i.test(secret) &&
diff --git a/src/models/encryption.ts b/src/models/encryption.ts
index 1ccc79472..6e0925475 100644
--- a/src/models/encryption.ts
+++ b/src/models/encryption.ts
@@ -34,7 +34,7 @@ export class Encryption implements IEncryption {
 getDecryptedSecret(entry: { secret: string; hash: string }): string | null {
 try {
- if (entry.hash === CryptoJS.MD5(entry.secret).toString()) {
+ if (entry.hash === CryptoJS.SHA256(entry.secret).toString()) {
 return entry.secret;
 }
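Review bot: In `getDecryptedSecret`, both comparisons now accept only a SHA-256 digest (this hunk and the one at -51), so an entry whose stored `hash` was written as MD5 by an earlier version no longer matches even after a correct decryption; what the function returns in that case lies outside the hunks, but the visible pattern suggests `null`. No migration of stored hashes appears in this diff. Consider accepting the legacy digest only for 32-character values and re-saving the entry under the new digest, e.g. `const ok = entry.hash === CryptoJS.SHA256(s).toString() || (entry.hash.length === 32 && entry.hash === CryptoJS.MD5(s).toString());`. The same `CryptoJS.SHA256(x).toString()` expression is now repeated across five files; a single exported helper would keep the algorithm and any later migration in one place.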
@@ -51,7 +51,7 @@ export class Encryption implements IEncryption {
 return null;
 }
- if (entry.hash === CryptoJS.MD5(decryptedSecret).toString()) {
+ if (entry.hash === CryptoJS.SHA256(decryptedSecret).toString()) {
 return decryptedSecret;
 }
diff --git a/src/models/storage.ts b/src/models/storage.ts
index 7e7a88730..f04b55f54 100644
--- a/src/models/storage.ts
+++ b/src/models/storage.ts
@@ -284,7 +284,7 @@ export class EntryStorage {
 data[hash].type = OTPType[OTPType.hhex];
 }
- const _hash = CryptoJS.MD5(data[hash].secret).toString();
+ const _hash = CryptoJS.SHA256(data[hash].secret).toString();
 // not a valid hash
 if (!/^[0-9a-f]{32}$/.test(hash)) {
 data[_hash] = data[hash];
@@ -448,7 +448,7 @@ export class EntryStorage {
 data.push(entry);
 if (entry.secret !== null && !/^[0-9a-f]{32}$/.test(hash)) {
- const _hash = CryptoJS.MD5(entry.secret).toString();
+ const _hash = CryptoJS.SHA256(entry.secret).toString();
 if (hash !== _hash) {
 console.warn("Invalid hash:", entry);
 }
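Review bot: The key check `/^[0-9a-f]{32}$/` just below the changed line in the -284 hunk still describes an MD5 hex digest, while `_hash` is now a 64-character SHA-256 digest; the same pattern recurs in the hunk at -448. As written, keys produced by the new code are classed as "not a valid hash" and take the re-key branch, while legacy 32-character keys are classed as valid and are never moved to the new digest. The pattern should follow the algorithm, `if (!/^[0-9a-f]{64}$/.test(hash)) {`, with legacy keys handled by an explicit migration step. Re-keying from `data[hash].secret` is only meaningful when that field holds the plaintext secret, which the hunk does not show, and the block continues past the hunk.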
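Review bot: In the -448 hunk, `console.warn("Invalid hash:", entry)` prints the whole entry, including its `secret` field, and the guarding test `!/^[0-9a-f]{32}$/.test(hash)` is now true for every 64-character SHA-256 key, so this branch is reached far more often than before. If `entry.secret` is still encrypted at this point (not visible in the hunk), the recomputed digest will differ from the key and the warning fires for each such entry. Log the identifier only, `console.warn("Invalid hash:", hash);`, and bring the length in the test in line with the 64-character digest.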