>There are plenty of publicly leaked hash tables running MD5 and the like.
Not related to stackoverflow though.
>You need a reused password from a weak one.
If the weak password is already public, what is gained by finding out that it's a weak password in a strong DB? You've just described a dictionary attack.
I can see from the downvotes the very idea that it is in regular use as triggering for some folks—-but md5 and other weak hashing algos are not just in obscure anime forums but in systems everywhere.
“They don’t like to think it be like it is, but it do.”
And it isn’t about md5 hash rate it’s about the ease of cracking in general due to low cost of compute.
If the SO password hash has leaked even in bcrypt its going to be attacked and many strong passwords will be broken. If they are reused elsewhere, important email addresses will be attempted elsewhere.
Nobody here disagrees with this premise. I just disagree that "low cost of compute" changes the fact that functions like Argon2 can be tuned to become more expensive to crack based on changes in computation cost. If you're worried about someone spinning up something on AWS to crack hashes, bump up the memory and CPU hardness and now they'll have to spend much more money to crack your passwords. In addition, the design of most modern password hashing functions is such that you get poor parallelism on GPUs.
Also you do not need the hash table of a hardened system to get useful passwords. You need a reused password from a weak one.
[1] https://hashes.org/leaks.php