LeakedSource has analyzed a large breach of Last.fm that occurred in 2012, compromising over 43.5 million accounts, and the results are astonishing:
Passwords were stored using unsalted MD5 hashing. This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords, a sizeable increase from prior mega breaches made possible because we have significantly invested in our password cracking capabilities for the benefit of our users.
While an unsalted MD5 hash is clearly inadequate security for pretty much anything, I think that this is more of a confirmation of how generally terrible our passwords are. Look at the top ten from this leak: “123456”, “password”, “lastfm”, “123456789”, “qwerty”, “abc123”, “abcdefg”, “12345”, “1234”, and “music”.