It’s happened many times in my career, as recently as late 2016: I encounter a fairly new codebase that actively uses MD5 for some purpose. When I ask about the choice of MD5, I hear a well-meaning software engineer say:
We chose MD5 for data integrity because it’s the fastest.
Not only is MD5 insecure for such security purposes, but even the legacy notion that it’s the fastest hashing algorithm is suspect. The latest CPUs include feature sets which, combined with newer 64-bit algorithm designs, challenge everything we once knew about crypto performance on particular systems.
In fact, it’s become hard to say intuitively what the optimal choice is for a given system. Crypto performance has varying characteristics and tradeoffs depending on whether we’re talking about a 64-bit x86 Xeon server, a 32-bit ARM mobile device, or an 8-bit microcontroller. On some systems, SHA-512 can outperform MD5 and SHA-1; on other systems, that’s not the case.
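Don’t take my word for it: a quick micro-benchmark on your own hardware will show where it lands. Here’s a minimal sketch using Python’s `hashlib` (the buffer size and algorithm list are arbitrary choices for illustration, and `hashlib` adds some interpreter overhead versus raw C, but the relative ordering is usually telling):

```python
import hashlib
import time

# Arbitrary 32 MiB payload; larger buffers amortize per-call overhead.
PAYLOAD = b"\x00" * (32 * 1024 * 1024)

def throughput_mib_s(algo: str, data: bytes) -> float:
    """Hash `data` once with `algo` and return MiB/s."""
    h = hashlib.new(algo)
    start = time.perf_counter()
    h.update(data)
    h.digest()
    elapsed = time.perf_counter() - start
    return len(data) / (1024 * 1024) / elapsed

for algo in ("md5", "sha1", "sha256", "sha512"):
    print(f"{algo:>7}: {throughput_mib_s(algo, PAYLOAD):8.1f} MiB/s")
```

Run it on a modern 64-bit server and then on a Raspberry Pi or phone, and you’ll likely see the rankings shuffle.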
So how do we know what those tradeoffs are? If we have to pick a single target algorithm to support a diverse ecosystem of device types (think: a service used by desktops + mobile + IoT), what’s the right balanced choice that gives us the best available security with reasonable performance on the weakest device in the ecosystem?