Common mistake for amateurs that found a password library and used it without reading the documentation. E. g. bcrypt will tell you to salt and hash the password before digesting it into constant length output for your database.

Salting before doing anything else is basic password security. I assume the webpage in question doesn’t do that, either.