@sophieschmieg @neilmadden

IMO we need to stop coming up with algorithms to securely store "derivatives" of typically weak passwords, as

IT WILL FAIL.

From https://www.akkadia.org/drepper/SHA-crypt.txt:
❝
In addition, the produced output for [...] MD5 has a short length which makes it possible to construct rainbow tables.
❞

Please correct me if I'm wrong, but even in 2025 suggesting that a rainbow table is feasible for (lets cut a few bits for MD5 weaknesses) random numbers of 120 bits in length is BS (in order to create FUD).

If I'm right about that, the least bad thing to do is:

1) Everyone should use a password manager (pwmgr) because people simply do not have the ability to come up with a sufficiently strong password that is *unique for each account*, let alone for multiple accounts (sometimes hundreds), to remember them absolutely error-free, and to recall which password was chosen for which account.

Note: IMO password *reuse* currently is the biggest threat. Entering a reused password on a fake (phishing) website may have devastating consequences, because (when a password is reused for multiple accounts) chances are that ALL those accounts are compromised. Note that the complexity and uniqueness of the password are IRELLEVANT. And, what KDF is used on the server, is IRRELEVANT as well.

2) Let the pwngr generate a (cryptographically) random password, as long and with as much entropy as allowed by the server.

3) Use a strong master password and NEVER forget it (typical beginner failure).

4) Make sure the database is backed up in more than one place, and make a backup after each modification.

5) Make sure that the device the password mamager is used on, *never* gets compromised.

6) Double check that https:// is used. Better, make sure to use a browser that blocks http:// connections and warns you (Safari on iOS/iPadOS now supports "Not Secure Connection Warning"). In all browsers such a setting is OFF by default: ENABLE IT!

7) On a mobile device: use "Autofill". The OS then transfers the domain name (shown in the browser's address bar) to the pwmgr. If a matching domain name is *not found* in the pw database, assume that you're on a (fake) phishing website! In that case: DO NOT ATTEMPT TO LOG IN by looking up credentials yourself. Reasons for 7, two examples:
----
fake: circle-ci·com
real: circleci.com
----
fake: lîdl.be
real: lidl.be
----

If people would follow this advice (which is not just mine), even MD5 for storing a one-way derivative of the password on the server would be fine.

HOWEVER: don't use MD5 - because "never use MD5 for whatever" is easier to remember than "don't use MD5 if preimage attacks are possible".

P.S. I'm not a cryptographer (although I'm quite interested in the matter).