From the article:
For example, in 1996 researchers reported the first weaknesses in md5, a type of widely used cryptographic algorithm called a hash function. A drop-in replacement was readily available in the form of another algorithm called sha-1. After more than two decades of exhortations to upgrade, though—not to mention high-profile cyber-attacks exploiting md5’s weaknesses—the older algorithm is often still used.
I would point out that a default configuration of Microsoft Active Directory uses an un-salted MD5 hash of the passwords. So if a domain is using such an AD configuration, and a hacker is able to capture a log in sequence, the hash of the password is transmitted. The hacker can then OFFLINE crack that password.
I have built a custom cracking rig for my company and we offer a service called PASS that tests the strength of passwords. To give you and idea of the performance, against a target set of 2,000 accounts in the AD, we tested 2.1 billion passwords that we scraped from the darkweb in less than 5 minutes. When testing our client’s AD accounts, we normally have a success rate of 20 to 25% for guessing passwords.
You may want to consider replacing AD with OpenLDAP and used the crypt or salted SHA hash to protect passwords. However, be aware that migrating from AD to OpenLDAP is a significant project.
How do you brute-force a password if the software includes a "three strikes and you're out" feature?
How truly safe is a password if the system dictator administrator requires it to be so long and convoluted (must have capital, must have special character, must be 10 digits, must be changed monthly, must not be similar to the previous 10 passwords, etc.,) that the user must write it down on a Post-it stuck to their monitor?