Too fast, it still allows dictionary attacks rather easily (yes I know that
users should choose good passwords, but some won't).
md5^500 (500 rounds of md5), or however many takes about 0.5 seconds on a fast
The hashing should be computationally adjusted and should be adjusted
on each box to be barely tolerable. There should also be a salt
value of course. An attacker shouldnt be allowed to precompute
md5^(big num) and later do the (actual num - big num) md5's for
your particular system.