What exactly does password hashing and salting protect against?
#22

[eluser]Chad Fulton[/eluser]
Rick Jolly is correct, depending upon what you're worried about.

Calculating the md5 hash of 1 million passwords takes negligible time (on my computer it was much less than 30 seconds). So, if an attacker had your database and wanted to just retrieve the passwords of as many people as possible, without caring in particular which they got, it would be pretty simple for them to do (because surely some subset of your users will have passwords from the 1 million common passwords they care about). However, it would be hit and miss, and they couldn't necessarily count on getting a specific user's password back.

If an attacker wanted to get a specific user's password back, they could first try their 1 million common passwords, but after that they'd have to run a more traditional dictionary attack, which would involve checking all permutations of the alphanumeric characters (a-zA-Z0-9). There are 62 characters in that set, so, if they wanted to check all potential permutations of them up to a password length of, say, 10 characters, then there would be 397,665,154,560,843,844 possibilities which, assuming linear time in calculating the md5s, could take years to find the real password.

Please don't get freaked out about this. Likely for any project you're working on, salting and hashing the passwords will prevent casual attempts at getting people's passwords. Unless you have the resources and responsibility of a bank or similar institution, you're not going to have the resources to prevent attacks, but you also won't have persistent hackers attempting to get your data.

(As a side note, even salting and hashing is better than what some high-profile bank/credit card processors who were hacked had done, so if you're hashing and salting, you're doing enough).
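As an added illustration, not part of Chad Fulton's post: a small Python script showing why a per-user salt changes the arithmetic above. Hashing the common-password list once covers every user when hashes are unsalted, but with a unique salt the same list has to be re-hashed per user; the PBKDF2 part shows the slow, salted storage you would use instead of a single MD5. The password list and user table are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): a tiny "common password"
# list and three users, two of whom chose a password from that list.
COMMON = ["123456", "password", "qwerty", "letmein", "monkey"]
USER_PASSWORDS = {"alice": "password", "bob": "Tr0ub4dor&3", "carol": "qwerty"}

def store_unsalted(users):
    """Unsalted MD5: the scheme the post is measuring against."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def store_salted(users, salt_len=16):
    """Random per-user salt + SHA-256; returns user -> (salt, hex digest)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        table[u] = (salt, hashlib.sha256(salt + p.encode()).hexdigest())
    return table

def guess_unsalted(table, candidates):
    """Hash each candidate once, then match it against every user at once.
    Returns (users recovered, hash operations spent)."""
    lookup = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    found = {u: lookup[d] for u, d in table.items() if d in lookup}
    return found, len(candidates)

def guess_salted(table, candidates):
    """With a unique salt, every candidate is re-hashed for every user
    (worst case, no early stop), so work scales with users * candidates."""
    found, ops = {}, 0
    for u, (salt, digest) in table.items():
        for c in candidates:
            ops += 1
            if hashlib.sha256(salt + c.encode()).hexdigest() == digest:
                found[u] = c
    return found, ops

def store_pbkdf2(password, iterations=600_000):
    """What to store instead of a fast hash: salted, iterated PBKDF2-HMAC-SHA256.
    Each guess now costs `iterations` hashes instead of one."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_pbkdf2(password, record):
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)  # constant-time comparison
```

Running `guess_unsalted` and `guess_salted` on the constructed table recovers the same two weak passwords, but the salted run spends 15 hash operations against 5 for the unsalted one, and that ratio grows with the number of users.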


Messages In This Thread
What exactly does password hashing and salting protect against? - by El Forum - 01-08-2010, 12:45 PM


