Comment Re:not md5, bcrypt (Score 1) 259
Hi,
Well, the choice of algorithm is important. MD5 is a bad choice.
And yes, you're right: if the password is weak, and the website provides no protection against brute force attacks over HTTP, then it remains a weak password. And resetting the password is a problem which has been mostly solved: you send the person a token by email or SMS to their pre-validated account, with which they can create a new password.
Cheers
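
The reset flow mentioned in the comment above, as an added example that is not part of the original comment: a random token is issued for a pre-validated account, only its digest is kept server-side, and it is accepted once and only before it expires. The class name `ResetTokenStore`, the 15-minute lifetime, the in-memory dictionary standing in for a database table, and the sample account are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; not a value from the comment


class ResetTokenStore:
    """In-memory stand-in (hypothetical) for the site's reset-token table."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account -> (SHA-256 digest of token, expiry time)

    def issue(self, account):
        # 32 random bytes: unlike a user-chosen password, this cannot be
        # brute-forced, so a fast digest is adequate for storing it.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        # Issuing again replaces any earlier pending token for the account.
        self._pending[account] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token  # goes out by email/SMS; never stored in clear

    def redeem(self, account, presented):
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires = entry
        if self._now() >= expires:
            del self._pending[account]  # expired tokens are discarded
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(digest, candidate):  # constant-time compare
            return False
        del self._pending[account]  # single use: a replay finds nothing
        return True


def demo():
    clock = [1000.0]  # constructed fake clock so expiry can be shown offline
    store = ResetTokenStore(now=lambda: clock[0])
    account = "alice@example.test"  # constructed sample account
    token = store.issue(account)
    results = {"wrong": store.redeem(account, "guess"),
               "valid": store.redeem(account, token),
               "replay": store.redeem(account, token)}
    late = store.issue(account)
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.redeem(account, late)
    return results
```

Only after `redeem` returns `True` would the site let the user set a new password, which is then stored with a slow password hash such as bcrypt rather than MD5.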