
FFS, stop making cryptographic recommendations to others when you don't have expertise in this area.

Cryptographers nowadays are recommending PBKDF2 (essentially iterated hashing with the hash algorithm of your choice) with at least 100,000 rounds. And it's considered to be by far the weakest of "modern" password hashing approaches, behind bcrypt, scrypt, and Argon2 (in that order).

Your double-MD5 is garbage, and nobody is going to bother wasting their time breaking it because it's a bullshit challenge. If you used a strong, unique password, you've missed the point, because users in the real world don't. If you used a weak password, we have a few billion points of empirical data that contradict you, so why bother installing hashcat and mucking about with password cracking rules when anyone paying attention for the past ten years knows what the outcome is going to be?



So use 100,000 rounds, use 1 million rounds, whatever amount makes you happy. You guys can't even break 2 rounds.

I actually do use PBKDF2 / Bcrypt in real world projects. My original comment was entirely about MD5 not really being broken, just too fast.

> because users in the real world don't.

No, you missed the point, and I wrote about it specifically. You should not allow weak / common / short passwords.


MD5 is broken for passwords because it is too fast. Sure, if you use PBKDF2-MD5 with a random salt and 100k iterations you're going to be fine but that's not what anyone in this thread, including you, has been talking about.

You started off saying MD5 is fine, then backed off to saying it's fine with a salt, then fine with two rounds, then suggested 1,000 is okay, now we're at 100,000. At what point do you stop making excuses and acknowledge that your original advice was garbage, and backpedaling repeatedly is not helping your case?

Further, it is impossible to categorically prevent weak passwords. You can impose length restrictions. You can disallow common passwords. You can require special characters. But people's ability to come up with weak, pattern-based passwords fundamentally outperforms our ability to stop them, and at some point restrictions become so burdensome that people stop signing up for your app altogether.

"Just block weak passwords" is ridiculous on its face and you either know it and are arguing simply to save face, or you don't know it and are infuriatingly overconfident for your level of incompetence. I'm past the point of caring which.

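Added example, not part of any comment in this thread: the unsalted double-MD5 scheme under debate next to salted PBKDF2 at the 100,000 rounds quoted above, with a measurement of the per-guess cost each one imposes. The choice of SHA-256, the `pbkdf2_sha256$rounds$salt$hash` record format and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

ROUNDS = 100_000  # minimum round count quoted in the thread

def double_md5(password: bytes) -> bytes:
    """The fast scheme under debate: MD5 applied twice, no salt."""
    return hashlib.md5(hashlib.md5(password).digest()).digest()

def hash_password(password: str, rounds: int = ROUNDS) -> str:
    """Salted PBKDF2; the record format is an assumption of this example."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, rounds, salt_hex, dk_hex = stored.split("$")
        rounds_i = int(rounds)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:  # malformed record: reject rather than crash
        return False
    if scheme != "pbkdf2_sha256" or rounds_i < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds_i)
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def seconds_per_hash(fn, n: int) -> float:
    start = time.perf_counter()
    for i in range(n):
        fn(b"candidate-%d" % i)
    return (time.perf_counter() - start) / n

def cost_ratio() -> float:
    """How many times more work one PBKDF2 check costs than one double-MD5."""
    fast = seconds_per_hash(double_md5, 20_000)
    slow = seconds_per_hash(
        lambda p: hashlib.pbkdf2_hmac("sha256", p, b"\x00" * 16, ROUNDS), 3)
    return slow / fast

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    print(f"PBKDF2 costs ~{cost_ratio():,.0f}x a double-MD5 per guess")
```

The ratio is measured on the CPU running the script; it says nothing about absolute cracking speed on dedicated hardware, only how much the iteration count multiplies the work per guess.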


