Add warning

Author: quinntracy

content/en/docs/refguide/modeling/app-explorer/app/app-settings/_index.md

@@ -150,6 +150,12 @@ The **Hash algorithm** is used to generate hash values for attributes of the has
 | **BCrypt** (default, recommended) | Resistant to brute-force search attacks. |
 | **SSHA256** | Salted Secure Hash Algorithm 2, digest length 256 bits. |
 
+{{% alert color="warning" %}}
+
+MD5 and SHA256 are only provided for backwards compatibility. They should never be used due to known vulnerabilities. 
+
+{{% /alert %}}
+
 Mendix believes both algorithms are secure enough to store passwords within Mendix. The main difference between **BCrypt** and **SSHA256** is that the BCrypt algorithm has been configured so it is relatively slow on purpose, since it was designed specifically to stop brute force attacks. That is why this results in a slight performance difference with the SSHA256 algorithm.
 
 #### BCrypt Cost {#bcrypt-cost}