Antsstyle
Mar 10, 2022

You don't always have access to the hardware, no matter which way you look at it.

The only way you've got 'access to the hardware' on the internet is if the server is incredibly careless and somehow tolerates a DDoS attack trying to brute force a password for ages whilst nobody notices. Possible, maybe, but not very likely to happen outside of some super careless company. Or to be more precise, not as likely as it once was.

I can certainly agree that there are other ways to compromise a user account on the internet, but those usually depend on relatively elementary errors these days (bad XSS protection, SQL injection...). They certainly *happen* but it's not the same giant pile of chaos it used to be. Actual hardware access comes with other exploits you can't really do without physical access to the machine, but I understand your point. There's definitely an awful lot of very insecure websites out there, even big ones.

What you're using to do the hashing isn't really going to matter *that* much I would think, at least not in theory - the hashing algorithm and the password length will be much bigger factors. (Also yes, MD5 is terrible for passwords, it's amazing and disturbing to think a whole bunch of legacy code still uses this stuff). Still, in practice with the average password, it's going to make a bigger difference.
