Yep. I find it fascinating why plain unsalted md5 hashes are as common as they are. Developers go through the trouble of hashing, but don't go the single necessary step further.

Salted md5 is still surely laughably weak in an age of GPU cracking?

Sure. I guess there's not a whole lot of excuses to avoid bcrypt these days.

Bozo's idea was to show that unsalted MD5 is, for most passwords, as bad as no encryption at all. An attack doesn't get much easier than a lookup table.