diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb
index ba6263dbc..05c2ffdc7 100644
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -42,7 +42,7 @@ class SessionLoader
 end
 def has_api_authentication?
- request.authorization.present? || params[:login].present? || params[:api_key].present? || params[:password_hash].present?
+ request.authorization.present? || params[:login].present? || params[:api_key].present?
 end
 private
@@ -57,8 +57,6 @@ class SessionLoader
 authenticate_basic_auth
 elsif params[:login].present? && params[:api_key].present?
 authenticate_api_key(params[:login], params[:api_key])
- elsif params[:login].present? && params[:password_hash].present?
- authenticate_legacy_api_key(params[:login], params[:password_hash])
 end
 end
@@ -74,14 +72,6 @@ class SessionLoader
 raise AuthenticationFailure unless Currentuser.user.present?
 end
- def authenticate_legacy_api_key(name, password_hash)
- CurrentUser.user = User.authenticate_hash(name, password_hash)
-
- if CurrentUser.user.nil?
- raise AuthenticationFailure.new
- end
- end
-
 def load_param_user(signed_user_id)
 session[:user_id] = Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
 load_session_user
diff --git a/app/models/user.rb b/app/models/user.rb
index d3036424b..33fc89c75 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -181,17 +181,6 @@ class User < ApplicationRecord
 def hash_password(password)
 Digest::SHA1.hexdigest("choujin-steiner--#{password}--")
 end
-
- module ClassMethods
- def authenticate_hash(name, hash)
- user = find_by_name(name)
- if user && user.bcrypt_password == hash
- user
- else
- nil
- end
- end
- end
 end
 module LevelMethods
diff --git a/test/functional/application_controller_test.rb b/test/functional/application_controller_test.rb
index 11bc571fc..62685f78f 100644
--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
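Review bot: `has_api_authentication?` on the new side still counts a lone `login` or a lone `api_key` parameter as API authentication, while the dispatch in the next hunk only calls `authenticate_api_key` when both are present, so with the `password_hash` branch gone a client that still sends `login` plus `password_hash` satisfies the predicate and then matches no branch. Whatever the caller does with that fall-through is outside these hunks (the method holding the dispatch also starts before its hunk); if it leaves the request anonymous that is the safe outcome, but it is silent, and if the predicate is also what exempts a request from the CSRF check, as the deleted test implies, the mismatch deserves an explicit decision rather than an accidental no-op. I would close the dispatch with `else` / `raise AuthenticationFailure # API-style credentials present but incomplete (e.g. legacy login+password_hash)` so partial or legacy credentials fail closed with a 401 instead of doing nothing, and, if routing any API-style parameter away from the session cookie is the intent, say so on the predicate: `# Any API-style credential, even an incomplete pair, marks the request as an API request`. Separately, the context line `raise AuthenticationFailure unless Currentuser.user.present?` reads `Currentuser`, not `CurrentUser`; if that is not a transcription artifact of this page it raises NameError on every API-key login rather than the intended failure, so it is worth a look.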
@@ -95,31 +95,6 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
 end
 end
- context "using the password_hash parameter" do
- should "succeed for password matches" do
- get edit_user_path(@user), params: { login: @user.name, password_hash: User.sha1("password") }
- assert_response :success
- end
-
- should "fail for password mismatches" do
- get profile_path, as: :json, params: { login: @user.name }
- assert_response 401
- get profile_path, as: :json, params: { password_hash: User.sha1("password") }
- assert_response 401
- get profile_path, as: :json, params: { login: @user.name, password_hash: "bad" }
- assert_response 401
- end
-
- should "succeed for non-GET requests without a CSRF token" do
- assert_changes -> { @user.reload.enable_safe_mode }, from: false, to: true do
- put user_path(@user), params: { login: @user.name, password_hash: User.sha1("password"), user: { enable_safe_mode: "true" } }, as: :json
- assert_response :success
- end
- end
- end
-
 context "with cookie-based authentication" do
 should "not allow non-GET requests without a CSRF token" do
 # get the csrf token from the login page so we can login