by myrion 1140 days ago
That's if hashed by md5, which really shouldn't be the case anymore. SHA-1 isn't much better, aiui, but would still be a more reasonable reference today - at least as far as I can see.

I wish it were scrypt, PBKDF2 or argon2id - but I realize those are still rare.

2 comments

PBKDF2 should only be used if compliance with government requirements is a concern. While it can be adjusted to be arbitrarily difficult by changing the iterations, it's still not memory intensive and can still be fairly easily cracked with a GPU (when compared to scrypt or argon2id).
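Added example, not part of the thread: storing passwords with the memory-hard scrypt from Python's standard `hashlib`, with the per-guess memory cost made explicit. It goes slightly beyond the comments by also replacing an unsalted MD5 record on the next successful login. The cost parameters, record format and function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, os, re

N, R, P, DKLEN = 2**14, 8, 1, 32      # constructed cost parameters (assumption)
MAXMEM = 64 * 1024 * 1024             # memory ceiling handed to OpenSSL's scrypt

def scrypt_memory_bytes(n=N, r=R):
    """Approximate RAM one scrypt guess needs: 128 * N * r bytes."""
    return 128 * n * r

def _derive(password, salt, n, r, p):
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=DKLEN)

def hash_password(password):
    """Return a self-describing record: scrypt$N$r$p$salt$key (hypothetical format)."""
    salt = os.urandom(16)                      # fresh random salt per password
    key = _derive(password, salt, N, R, P)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(key)}"

def is_legacy_md5(stored):
    """An unsalted MD5 record is exactly 32 lowercase hex characters."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None

def verify_password(password, stored):
    """Constant-time check against either record format."""
    if is_legacy_md5(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False                           # unknown or malformed record
    _, n, r, p, salt, key = parts
    candidate = _derive(password, base64.b64decode(salt), int(n), int(r), int(p))
    return hmac.compare_digest(candidate, base64.b64decode(key))

def login(password, stored):
    """Return (ok, record_to_store); a legacy MD5 record is replaced on success."""
    ok = verify_password(password, stored)
    if ok and is_legacy_md5(stored):
        return True, hash_password(password)   # upgrade while the plaintext is in hand
    return ok, stored
```

With these parameters each guess needs about 16 MiB of RAM, which is the property PBKDF2 lacks no matter how high its iteration count is set.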
Wonder how many sites are still using md5...
md5 was never supposed to even be used for passwords; it was designed to produce really fast checksums for files, a very bad property for a password hashing algorithm.
Sure.

I wonder how many sites are still using md5...