I’m not sure exactly who and how many companies need to hear this, but if you are responsible for hosting the user login database for any school’s “parent portal” (or similar), you need to double check your shit...
...because there is a problematic element that people are not taking seriously enough: parents often have jobs. Parents are human. By now, we all understand that a shockingly large number of people have a habit of re-using identical passwords across different systems.
So, here’s the not good very bad terrible nightmare scenario that is already very possible:

BadGuyHaxxer1 can:
1. Compromise one of the many school/student/kid-web-monitoring platform backend servers (of which there are many)
2. Identify the wealthy private school clients.
...
3. Export the inevitable “Parent Login Portal” table tied to those identified targets.
4. ctrl+f the email address column for “.gov”, “law”, “firm”, “.mil”, “cpa”, “fund”, etc.
5. Use the password column to attempt to log in at the corresponding parents’ employers’ portals.
That’s how too many things like (random example) cdc[.]gov leakages end up happening.

Kids have parents. Parents are human. Parents have jobs.
When you force those parents to create yet another login account, some percentage will simply reuse the one they already remember.
And then nobody thinks it’s a critically bad situation because “oh, that’s just the silly homework portal for their kid’s school. It’s no big deal.”

Well, in reality it is a very big deal if a busy lawyer-mom doesn’t have spare mental space for yet another password to remember.
I am certain that, in this hypothetical example, all of her firm’s dozens of tax accountant and hedge fund clients care.

So... if you still think MD5 hashes are “good enough” because you’re just operating some silly school student report card service, think harder about it.
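To make the point about MD5 concrete from the defender's side, here is an added example (mine, not code from the thread's author or from any school-portal vendor). It uses only the Python standard library and constructed sample records: two parents who happen to share a password. With unsalted MD5, their rows carry identical hash values, so a leaked table reveals reuse at a glance and every hash can be checked against precomputed tables. With per-user salts and a slow, memory-hard KDF (scrypt is used here because it ships with `hashlib`; bcrypt or Argon2id are equally good choices), the same two passwords produce unrelated records and each guess costs real CPU and memory. The e-mail addresses and password are made up.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample data (not real accounts): two parents chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "parent1@example-lawfirm.test": "Summer2024!",
    "parent2@example-cpa.test": "Summer2024!",
}

# scrypt cost parameters: N=2**14, r=8, p=1 uses about 16 MiB per hash,
# which fits under OpenSSL's default 32 MiB limit for hashlib.scrypt.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def md5_hash(password: str) -> str:
    """The weak scheme: unsalted MD5. Fast, deterministic, no per-user salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_scrypt_record(password: str, salt: bytes = None) -> Dict[str, object]:
    """Store a password as (random salt, scrypt digest, cost parameters).

    The salt is generated with os.urandom unless one is supplied (only tests
    should supply one); the parameters are stored so they can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_scrypt(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"],
        r=record["r"],
        p=record["p"],
        dklen=DKLEN,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_hash_count(hash_values: List[str]) -> int:
    """How many distinct hash values appear more than once in a stored table.

    Anything above zero means password reuse is visible to whoever obtains the
    table, without cracking a single hash.
    """
    seen: Dict[str, int] = {}
    for value in hash_values:
        seen[value] = seen.get(value, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


def build_tables():
    """Build the same user set under both schemes and return (md5_table, scrypt_table)."""
    md5_table = {email: md5_hash(pw) for email, pw in SAMPLE_USERS.items()}
    scrypt_table = {email: make_scrypt_record(pw) for email, pw in SAMPLE_USERS.items()}
    return md5_table, scrypt_table


if __name__ == "__main__":
    md5_table, scrypt_table = build_tables()
    print("MD5 table:")
    for email, h in md5_table.items():
        print(f"  {email}: {h}")
    print("shared MD5 values:", duplicate_hash_count(list(md5_table.values())))
    print("scrypt table:")
    for email, rec in scrypt_table.items():
        print(f"  {email}: salt={rec['salt']} hash={rec['hash']}")
    print("shared scrypt values:", duplicate_hash_count([r["hash"] for r in scrypt_table.values()]))
    print("login check:", verify_scrypt("Summer2024!", scrypt_table["parent1@example-lawfirm.test"]))
```

Run it and the MD5 rows for both parents are identical, while the scrypt rows differ even though the passwords are the same. The `n`, `r` and `p` values are stored alongside each record so the cost can be raised for new logins as hardware improves, without breaking verification of older rows.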
You can follow @VickerySec.