MD5 is, for all intents and purposes, secure for the application. You don't have to use md5, you can use sha1() if you want. It won't be easy to transition to a more secure setup because all previous members' passwords would need to be reset, as MD5 is hashed.