diff --git a/src/app/api/admin/users/route.ts b/src/app/api/admin/users/route.ts index 109f9d9..8612c4f 100644 --- a/src/app/api/admin/users/route.ts +++ b/src/app/api/admin/users/route.ts @@ -1,6 +1,7 @@ import { NextResponse } from "next/server"; import { requireAdmin } from "@/lib/admin-auth"; import { sql } from "@/db"; +import bcrypt from "bcryptjs"; // GET all users export async function GET(request: Request) { @@ -100,19 +101,8 @@ export async function PATCH(request: Request) { return NextResponse.json({ error: "userId required" }, { status: 400 }); } - // Simple hash function - function hashPassword(pwd: string): string { - let hash = 0; - for (let i = 0; i < pwd.length; i++) { - const char = pwd.charCodeAt(i); - hash = ((hash << 5) - hash) + char; - hash = hash & hash; - } - return "hash_" + hash.toString(16); - } - if (password) { - const passwordHash = hashPassword(password); + const passwordHash = await bcrypt.hash(password, 12); await sql` UPDATE users SET password_hash = ${passwordHash}, password_updated_at = NOW(), updated_at = NOW() WHERE id = ${userId}
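Review bot: Rows whose `password_hash` was written by the removed `hashPassword` keep their `hash_<hex>` value after this change, because the `if (password)` branch in PATCH only re-hashes a password that an admin sets from now on. That legacy value is an unsalted 32-bit rolling hash, so those accounts stay weak until they are reset. The verification path is not visible in this diff; it needs to use `bcrypt.compare` and reject or force a reset for any stored value that starts with `hash_`. Separately, bcrypt only uses the first 72 bytes of its input and `password` is not visibly type-checked before `bcrypt.hash(password, 12)`, so a guard such as `if (typeof password !== "string" || Buffer.byteLength(password, "utf8") > 72) return NextResponse.json({ error: "invalid password" }, { status: 400 });` ahead of the hash call would make both cases explicit. The PATCH handler starts and ends outside the hunk, so some of this validation may already exist above line 100.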