>>51
here's a thing: preimage resistance doesn't mean much in the context in which MD5 was used. if you have a database full of MD5'd passwords, just being able to quickly but non-exhaustively bruteforce short ASCII strings is enough to extract a lot of cleartexts (it wouldn't be if people used truly random and unique passwords, but this isn't realistic unless everyone uses a password manager). that's why we use dedicated password hashing algorithms.
the other way people used MD5 in crypto was in certificates, and this was obviously vulnerable to collisions. it was even exploited in the wild by the Flame malware:
https://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf
tl;dr not having known preimage attacks doesn't make it suitable for cryptographic uses
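
Added example, not part of the original post: a defender-side audit showing why unsalted MD5 password storage fails without any preimage attack, next to salted scrypt storage. The usernames, passwords, wordlist and scrypt parameters are constructed assumptions for illustration.

```python
import hashlib, hmac, os, time

# Constructed sample table: unsalted MD5 password hashes, as in the post's scenario.
LEGACY_DB = {
    "alice": hashlib.md5(b"summer2012").hexdigest(),
    "bob": hashlib.md5(b"summer2012").hexdigest(),
    "carol": hashlib.md5(os.urandom(16).hex().encode()).hexdigest(),  # random, unique
}
WEAK_LIST = [b"password", b"123456", b"summer2012"]  # constructed audit wordlist

def audit_md5(db, wordlist):
    """Flag accounts whose stored MD5 matches a known-weak password."""
    lookup = {hashlib.md5(w).hexdigest(): w.decode() for w in wordlist}
    return {user: lookup[h] for user, h in db.items() if h in lookup}

def scrypt_hash(password, salt=None):
    """Salted, memory-hard hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest

def scrypt_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scrypt_hash(password, salt)[1], digest)

def cost_ratio(trials=5):
    """How many times more expensive one scrypt guess is than one MD5 guess."""
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.md5(b"summer2012").digest()
    md5_t = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        scrypt_hash(b"summer2012", b"\x00" * 16)
    return (time.perf_counter() - t0) / max(md5_t, 1e-9)

if __name__ == "__main__":
    # One pass over the wordlist flags every account sharing a weak password.
    print(audit_md5(LEGACY_DB, WEAK_LIST))
    print(f"scrypt/MD5 cost per guess: ~{cost_ratio():.0f}x")
```

The random, unique password (carol) is not flagged, which matches the post's caveat; with scrypt, the per-user salt also stops two users with the same password from sharing a stored value.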