Migrating from a weak password hash to a stronger one
Dimitrios Desyllas
Posted on August 26, 2020
Weak password hashing can have severe consequences in a data breach, because weak hashes are easy to brute-force and the original passwords can be recovered.
Therefore, passwords need a strong hashing scheme. Bcrypt is a good solution that PHP itself offers out of the box:
- https://www.php.net/manual/en/function.password-hash.php
- https://www.php.net/manual/en/function.password-verify.php
But if you have inherited bad code and bad password storage, how do you migrate to a good one?
For that, read Akrabat's blog: https://akrabat.com/migrating-to-password_verify/
I am in a position where I have inherited bad code and need to fix it. Akrabat's solution seems a good one for me.
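As an added example (not code from this post or from the linked blog), one common way to migrate is to upgrade each stored hash at the user's next successful login, using the two PHP functions linked above plus `password_needs_rehash()`. It assumes the inherited scheme is unsalted MD5 and uses a constructed in-memory `$users` array in place of the database; `isLegacyHash()` and `login()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the users table.
// Assumption: the inherited scheme is unsalted, lowercase-hex MD5.
$users = [
    'alice' => ['password' => md5('correct horse')],                        // legacy row
    'bob'   => ['password' => password_hash('hunter2!', PASSWORD_BCRYPT)],  // already migrated
];

// Hypothetical helper: true when the value was not produced by password_hash().
function isLegacyHash(string $stored): bool
{
    // 'algo' is null (0 before PHP 7.4) when the format is not recognised.
    return empty(password_get_info($stored)['algo']);
}

// Hypothetical login check that upgrades the stored hash after a successful login.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    $legacy = isLegacyHash($stored);

    // Legacy rows: constant-time compare against MD5; others: password_verify().
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    // The plaintext is only available now, so re-hash and overwrite the old value.
    if ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$name]['password'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

var_dump(login($users, 'alice', 'correct horse'));      // legacy hash accepted once
var_dump(isLegacyHash($users['alice']['password']));    // row now holds a bcrypt hash
var_dump(login($users, 'alice', 'correct horse'));      // verified via password_verify()
var_dump(login($users, 'alice', 'wrong password'));     // rejected
var_dump(isLegacyHash($users['bob']['password']));      // bob was never a legacy row
```

Accounts that never log in again keep their MD5 hash under this approach, so they still need a forced password reset or a separate cleanup.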