diff --git a/bin/pwgen.php b/bin/pwgen.php
index 97d82d1e2b6b0f062d1e17d684e333c47a5747e7..b9789cb57b2ec49cf04d70a5fb1eaea1525e83c6 100755
--- a/bin/pwgen.php
+++ b/bin/pwgen.php
@@ -21,27 +21,4 @@ if (empty($password)) {
     exit(1);
 }
 
-$table = '';
-foreach (array_chunk(hash_algos(), 6) as $chunk) {
-    foreach ($chunk as $algo) {
-        $table .= sprintf('%-13s', $algo);
-    }
-    $table .= "\n";
-}
-
-echo "The following hashing algorithms are available:\n".$table."\n";
-echo "Which one do you want? [sha256] ";
-$algo = trim(fgets(STDIN));
-if (empty($algo)) {
-    $algo = 'sha256';
-}
-
-if (!in_array(strtolower($algo), hash_algos(), true)) {
-    echo "Hashing algorithm '$algo' is not supported\n";
-    exit(1);
-}
-
-echo "Do you want to use a salt? (yes/no) [yes] ";
-$s = (trim(fgets(STDIN)) == 'no') ? '' : 'S';
-
-echo "\n  ".SimpleSAML\Utils\Crypto::pwHash($password, strtoupper($s.$algo))."\n\n";
+echo "\n  ".SimpleSAML\Utils\Crypto::pwHash($password)."\n\n";
diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index dece1961c5b20f664509b951a7aba740b3908dda..c9873096ec5db6b1ff32b039a686622fbd356463 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -352,12 +352,12 @@ class Crypto
      * This function hashes a password with a given algorithm.
      *
      * @param string $password The password to hash.
-     * @param string $algorithm The hashing algorithm, uppercase, optionally prepended with 'S' (salted). See
+     * @param string|null $algorithm @deprecated The hashing algorithm, uppercase, optionally prepended with 'S' (salted). See
      *     hash_algos() for a complete list of hashing algorithms.
-     * @param string $salt An optional salt to use.
+     * @param string|null $salt @deprecated An optional salt to use.
      *
      * @return string The hashed password.
-     * @throws \InvalidArgumentException If the input parameters are not strings.
+     * @throws \InvalidArgumentException If the input parameter is not a string.
      * @throws Error\Exception If the algorithm specified is not supported.
      *
      * @see hash_algos()
@@ -365,35 +365,41 @@ class Crypto
      * @author Dyonisius Visser, TERENA <visser@terena.org>
      * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
      */
-    public static function pwHash($password, $algorithm, $salt = null)
+    public static function pwHash($password, $algorithm = null, $salt = null)
     {
-        if (!is_string($algorithm) || !is_string($password)) {
-            throw new \InvalidArgumentException('Invalid input parameters.');
-        }
-
-        // hash w/o salt
-        if (in_array(strtolower($algorithm), hash_algos(), true)) {
-            $alg_str = '{'.str_replace('SHA1', 'SHA', $algorithm).'}'; // LDAP compatibility
-            $hash = hash(strtolower($algorithm), $password, true);
-            return $alg_str.base64_encode($hash);
-        }
+        if (!is_null($algorithm)) {
+            // @deprecated Old-style
+            if (!is_string($algorithm) || !is_string($password)) {
+                throw new \InvalidArgumentException('Invalid input parameters.');
+            }
+            // hash w/o salt
+            if (in_array(strtolower($algorithm), hash_algos(), true)) {
+                $alg_str = '{'.str_replace('SHA1', 'SHA', $algorithm).'}'; // LDAP compatibility
+                $hash = hash(strtolower($algorithm), $password, true);
+                return $alg_str.base64_encode($hash);
+            }
+            // hash w/ salt
+            if ($salt === null) {
+                // no salt provided, generate one
+                // default 8 byte salt, but 4 byte for LDAP SHA1 hashes
+                $bytes = ($algorithm == 'SSHA1') ? 4 : 8;
+                $salt = openssl_random_pseudo_bytes($bytes);
+            }
 
-        // hash w/ salt
-        if ($salt === null) {
-            // no salt provided, generate one
-            // default 8 byte salt, but 4 byte for LDAP SHA1 hashes
-            $bytes = ($algorithm == 'SSHA1') ? 4 : 8;
-            $salt = openssl_random_pseudo_bytes($bytes);
-        }
+            if ($algorithm[0] == 'S' && in_array(substr(strtolower($algorithm), 1), hash_algos(), true)) {
+                $alg = substr(strtolower($algorithm), 1); // 'sha256' etc
+                $alg_str = '{'.str_replace('SSHA1', 'SSHA', $algorithm).'}'; // LDAP compatibility
+                $hash = hash($alg, $password.$salt, true);
+                return $alg_str.base64_encode($hash.$salt);
+            }
+            throw new Error\Exception('Hashing algorithm \''.strtolower($algorithm).'\' is not supported');
+        } else {
+            if (!is_string($password)) {
+                throw new \InvalidArgumentException('Invalid input parameter.');
+            }
 
-        if ($algorithm[0] == 'S' && in_array(substr(strtolower($algorithm), 1), hash_algos(), true)) {
-            $alg = substr(strtolower($algorithm), 1); // 'sha256' etc
-            $alg_str = '{'.str_replace('SSHA1', 'SSHA', $algorithm).'}'; // LDAP compatibility
-            $hash = hash($alg, $password.$salt, true);
-            return $alg_str.base64_encode($hash.$salt);
+            return password_hash($password, PASSWORD_BCRYPT);
         }
-
-        throw new Error\Exception('Hashing algorithm \''.strtolower($algorithm).'\' is not supported');
     }
 
 
@@ -447,6 +453,12 @@ class Crypto
             throw new \InvalidArgumentException('Invalid input parameters.');
         }
 
+        if (password_verify($password, $hash)) {
+            return true;
+        }
+        // return $hash === $password
+
+        // @deprecated remove everything below this line for 2.0
         // match algorithm string (e.g. '{SSHA256}', '{MD5}')
         if (preg_match('/^{(.*?)}(.*)$/', $hash, $matches)) {
             // LDAP compatibility
@@ -466,10 +478,9 @@ class Crypto
                 $salt = substr(base64_decode($matches[2]), $hash_length);
                 return self::secureCompare($hash, self::pwHash($password, $alg, $salt));
             }
+            throw new Error\Exception('Hashing algorithm \''.strtolower($alg).'\' is not supported');
         } else {
             return $hash === $password;
         }
-
-        throw new Error\Exception('Hashing algorithm \''.strtolower($alg).'\' is not supported');
     }
 }
diff --git a/modules/authcrypt/lib/Auth/Source/Htpasswd.php b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
index 03084b08b1a9628d3cd301e1d57ab219a5cb9933..72a1fce7289c5dbadf94d74baf75c2c195dc988c 100644
--- a/modules/authcrypt/lib/Auth/Source/Htpasswd.php
+++ b/modules/authcrypt/lib/Auth/Source/Htpasswd.php
@@ -105,12 +105,9 @@ class Htpasswd extends \SimpleSAML\Module\core\Auth\UserPassBase
                     return $attributes;
                 }
 
-                // SHA1 or plain-text
+                // PASSWORD_BCRYPT
                 if (\SimpleSAML\Utils\Crypto::pwValid($crypted, $password)) {
                     \SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
-                    \SimpleSAML\Logger::warning(
-                        'SHA1 and PLAIN TEXT authentication are insecure. Please consider using something else.'
-                    );
                     return $attributes;
                 }
                 throw new \SimpleSAML\Error\Error('WRONGUSERPASS');