Is md5 secure enough?

Discussion in 'Programming' started by gandalf117, Aug 12, 2010.

  1. #1
    I have a database with a couple of hundred user passwords in it. They are all hashed with md5. If an attacker gets the passwords in this form are they secured enough?

    How long will it take him to decode them all? Is there any good way to slow him down?
     
    gandalf117, Aug 12, 2010 IP
  2. AntelopeSalad

    #2
    md5 has some flaws but for the most part it has the potential to be very secure after you apply a salt.

    When a user registers I like to get a unix timestamp (something I need anyways since I always seem to find a need to log the time a user was created) and then multiply it by a random decimal amount. Usually I'll do a random() on a 12 digit number and then do timestamp*0.<random_result>. Then I take this value and append to the password before running md5().

    So if a user's password was 'secure', they registered on 1281670743, and my rng resulted in 0.847265967923 we would get 1085916002.626485576789. So their new password is now secure1085916002.626485576789 , and after you md5() it THAT is the password you store in the database.
     
    AntelopeSalad, Aug 12, 2010 IP
  3. haa

    #3
    Everything can be broken with brute force. The question here is: How long? If your password is "abcdef", it will be broken within seconds. However, if your password is something like "isMd5SEcUR3eN0uGh??", it is impossible to break it in a lifetime with the current hardware speed.
     
    haa, Aug 13, 2010 IP
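
Added example, not part of any post in this thread: it puts the salted-MD5 layout from post #2 beside a key-stretched hash and measures what one password guess costs with each, which is the quantity behind the "how long?" in posts #1 and #3. PBKDF2-HMAC-SHA256 from Python's `hashlib` is a technique swapped in here, not one the posters mention; the function names, the iteration count and the `algo$iters$salt$hash` storage format are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor; tune so one hash costs what a login can tolerate

def md5_salted(password: str, salt: str) -> str:
    """Post #2's layout: md5(password + per-user salt). One fast hash per guess."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Key-stretched hash with a random 16-byte salt, stored as algo$iters$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def seconds_per_guess(guess_fn, rounds: int) -> float:
    """Average wall-clock cost of one password guess on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        guess_fn()
    return (time.perf_counter() - start) / rounds

def slowdown_factor() -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-MD5 guess."""
    salt = "1085916002.626485576789"  # salt value taken from post #2's example
    stored = hash_password("secure")
    fast = seconds_per_guess(lambda: md5_salted("abcdef", salt), 20_000)
    slow = seconds_per_guess(lambda: verify_password("abcdef", stored), 2)
    return slow / fast

if __name__ == "__main__":
    print(f"one PBKDF2 guess costs ~{slowdown_factor():,.0f}x one salted-MD5 guess")
```

The salt stops one precomputed table from covering every user; the iteration count is what multiplies the cost of each individual guess.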