cake’s auth component has a password method. this is called to hash all passwords before its made avail to the app controller.
When integrating with a legacy database that uses md5, simply return md5($password) here instead of calling Security::hash()