Dissonance, you're perfectly right, MD5 is a decent way of encrypting information, and it's pretty tough to crack as well. But what sucks is that if someone ever does get your database, they could just run a script with md5decrypt to get all the people's passwords. But by encoding your passwords with functions, you ensure that your functions are the only ones that can decrypt the text, and even if they had the functions, they would need the master key as well.
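The lookup risk and the master-key dependence discussed in the post above, as an added example that is not part of the original post. It uses HMAC-SHA256 as a stand-in keyed function (one-way, unlike the reversible functions the post describes); the users, word list and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data for a defensive audit; none of it comes from the post.
USERS = {"alice": "letmein", "bob": "correct horse battery staple"}
WORDLIST = ["123456", "password", "letmein", "qwerty"]
MASTER_KEY = b"constructed-demo-key"  # assumption: kept outside the database


def md5_hex(password):
    """Unsalted, unkeyed MD5: the same password always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def keyed_hex(password, key):
    """Keyed digest: the output depends on a secret that is not in the table."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def build_lookup(digest_fn, words):
    """Precompute digest -> word, as a public MD5 lookup service would."""
    return {digest_fn(w): w for w in words}


def audit(stored, lookup):
    """Return the accounts whose stored digest appears in the lookup table."""
    return {user: lookup[d] for user, d in stored.items() if d in lookup}


def run_demo():
    md5_table = {u: md5_hex(p) for u, p in USERS.items()}
    keyed_table = {u: keyed_hex(p, MASTER_KEY) for u, p in USERS.items()}

    # Someone holding only the database dump needs no secret for MD5.
    md5_hits = audit(md5_table, build_lookup(md5_hex, WORDLIST))
    # Same dump, keyed column, key unknown: the precomputed table matches nothing.
    no_key = audit(keyed_table,
                   build_lookup(lambda w: keyed_hex(w, b""), WORDLIST))
    # Dump plus the key: weak passwords are recoverable again.
    with_key = audit(keyed_table,
                     build_lookup(lambda w: keyed_hex(w, MASTER_KEY), WORDLIST))
    return md5_hits, no_key, with_key


if __name__ == "__main__":
    for label, hits in zip(("md5", "keyed, no key", "keyed, with key"), run_demo()):
        print(f"{label}: {hits}")
```

The third result shows that the keyed scheme is only as strong as the separation between the key and the database, so the key belongs somewhere a database dump does not reach.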