diff --git a/internal/config/member.go b/internal/config/member.go index 634ea2bd..1cccde36 100644 --- a/internal/config/member.go +++ b/internal/config/member.go @@ -33,6 +33,11 @@ func (Member) Init(cmd *cobra.Command) error { return err } + cmd.PersistentFlags().Bool("member.file.hash", true, "member file provider: whether to hash passwords using sha256 (recommended)") + if err := viper.BindPFlag("member.file.hash", cmd.PersistentFlags().Lookup("member.file.hash")); err != nil { + return err + } + // object provider cmd.PersistentFlags().String("member.object.users", "[]", "member object provider: users in JSON format") if err := viper.BindPFlag("member.object.users", cmd.PersistentFlags().Lookup("member.object.users")); err != nil { @@ -68,6 +73,7 @@ func (s *Member) Set() { // file provider s.File.Path = viper.GetString("member.file.path") + s.File.Hash = viper.GetBool("member.file.hash") // object provider if err := viper.UnmarshalKey("member.object.users", &s.Object.Users, viper.DecodeHook( diff --git a/internal/member/file/provider.go b/internal/member/file/provider.go index 04acd191..ed5c1e71 100644 --- a/internal/member/file/provider.go +++ b/internal/member/file/provider.go @@ -1,6 +1,7 @@ package file import ( + "crypto/sha256" "encoding/json" "io" "os" @@ -18,6 +19,17 @@ type MemberProviderCtx struct { config Config } +func (provider *MemberProviderCtx) hash(password string) string { + // if hash is disabled, return password as plain text + if !provider.config.Hash { + return password + } + + sha256 := sha256.New() + sha256.Write([]byte(password)) + return string(sha256.Sum(nil)) +} + func (provider *MemberProviderCtx) Connect() error { return nil } 
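Review bot: The new `member.file.hash` flag defaults to `true`, so a member file written before this change, where passwords were stored as plain text, will stop authenticating after an upgrade, because Authenticate now compares the stored value with the SHA-256 of the input. As far as the diff shows, an entry carries no marker of how its password was stored, so flipping the flag in either direction silently invalidates every existing entry. The help text should say so, for example `"member file provider: whether passwords in the file are stored as sha256 hashes; changing this invalidates existing entries"`, and the upgrade path needs documenting. Init's body starts and ends outside the hunk.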
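Review bot: `hash` returns `string(sha256.Sum(nil))`, the 32 raw digest bytes reinterpreted as a Go string, which is almost never valid UTF-8. If `serialize` writes entries with `encoding/json` (the import suggests it does), invalid bytes are replaced with U+FFFD on marshal, so the stored value will no longer equal a freshly computed hash once entries are read back from the file. Encode the digest instead with `sum := sha256.Sum256([]byte(password))` and `return hex.EncodeToString(sum[:])`, adding `encoding/hex` to the imports; this also removes the local `sha256` variable that shadows the package. Separately, a single unsalted SHA-256 is a fast hash, so identical passwords produce identical entries and a leaked file is cheap to test offline. A salted password KDF such as bcrypt or argon2id (golang.org/x/crypto) is the appropriate primitive, and the same `provider.hash` call in the Authenticate, Insert and UpdatePassword hunks inherits both problems.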
@@ -35,8 +47,7 @@ func (provider *MemberProviderCtx) Authenticate(username string, password string return "", types.MemberProfile{}, err } - // TODO: Use hash function. - if entry.Password != password { + if entry.Password != provider.hash(password) { return "", types.MemberProfile{}, types.ErrMemberInvalidPassword } @@ -58,8 +69,7 @@ func (provider *MemberProviderCtx) Insert(username string, password string, prof } entries[id] = MemberEntry{ - // TODO: Use hash function. - Password: password, + Password: provider.hash(password), Profile: profile, } @@ -94,8 +104,7 @@ func (provider *MemberProviderCtx) UpdatePassword(id string, password string) er return types.ErrMemberDoesNotExist } - // TODO: Use hash function. - entry.Password = password + entry.Password = provider.hash(password) entries[id] = entry return provider.serialize(entries) diff --git a/internal/member/file/types.go b/internal/member/file/types.go index 739e0814..5dcb42df 100644 --- a/internal/member/file/types.go +++ b/internal/member/file/types.go @@ -11,4 +11,5 @@ type MemberEntry struct { type Config struct { Path string + Hash bool }
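Review bot: The password check `entry.Password != provider.hash(password)` is an ordinary string comparison and is not constant-time. For a credential check, prefer `if subtle.ConstantTimeCompare([]byte(entry.Password), []byte(provider.hash(password))) != 1 {` with `crypto/subtle` imported. This matters most when `member.file.hash` is false and the stored value is the plain-text password itself. Authenticate starts and ends outside the hunk.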