If someone steals your database, they won’t have all the users’ passwords, they’ll just have the MD5 hashes and will need to brute force them. It’s a first line of defence and keeps some of the “script kiddies” somewhat out. At least you need a minimal amount of technical proficiency and time to break the MD5 hash.
Maybe you will notice the intrusion and have the time to warn your users to change their passwords before the attacker can break the hashes.
It also protects the users’ passwords from the admin – he doesn’t, and shouldn’t know all the users’ passwords.
It’s not important in every web application, but if you are developing a larger site it’s really mandatory if you want to appear serious.
Yes you can break an MD5 hash by brute forcing it, but it takes a long time (depending on the password length).
The hash works like this: “banana” => “2/(s/SA5)=hd))=/”#”. If the attacker gets access to the database he will have the hash: “2/(s/SA5)=hd))=/”#”, but he won’t know what password has generated it, as the hashing function is “one way”. The only way to find out what password has generated “2/(s/SA5)=hd))=/”#” is to start trying different passwords and see what they hash to. The longer and more complicated the password is, the longer this process will take.
The best thing to do is to make sure your website saves the passwords in hashed form (it’s really not that much extra work, all web frameworks and languages come with these functions included), and to enforce a password policy that forces users to choose sufficiently advanced passwords.
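To make the mechanics of the answer above concrete, here is an added example (not code from the original post): a minimal store-and-verify flow where only the digest is kept, a password policy check, and a keyspace estimate that shows why longer and more varied passwords take longer to brute force. It uses MD5 purely because the post describes MD5; the storage and verification structure is identical for any one-way hash function. The policy thresholds, the sample user record and the assumed guess rate are constructed for the example.

```python
import hashlib
import string


def hash_password(password: str) -> str:
    """Return the hex digest that is stored instead of the password.
    MD5 here mirrors the post; the same structure works for any hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(stored_digest: str, candidate: str) -> bool:
    """Check a login attempt by hashing the candidate and comparing digests.
    The stored digest never has to be reversed, which is the "one way" property."""
    return hash_password(candidate) == stored_digest


def check_password_policy(password: str, min_length: int = 10) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    The thresholds are assumptions for this example, not a standard."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols from `charset_size` choices."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed guess rate (illustrative, not a benchmark)."""
    return keyspace_size(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample record: the database row holds the digest, not "banana".
    users = {"alice": hash_password("banana")}
    print("stored for alice:", users["alice"])
    print("login with 'banana': ", verify_password(users["alice"], "banana"))
    print("login with 'bananas':", verify_password(users["alice"], "bananas"))
    print("policy check for 'banana':", check_password_policy("banana"))

    rate = 1e9  # assumed guesses per second, for illustration only
    for charset, n in ((26, 6), (62, 8), (95, 12)):
        secs = worst_case_seconds(charset, n, rate)
        print(f"{charset} symbols, length {n}: {secs:.3g} s to exhaust the keyspace")
```

The last loop is the point of the post in numbers: moving from six lowercase letters to twelve characters drawn from the full printable set multiplies the search space by many orders of magnitude, and the policy check is what pushes users toward the larger space.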