  1. Moodle
  2. MDL-36057

Upgrade safety of password hashing method in Moodle core

    • Type: Improvement
    • Resolution: Duplicate
    • Priority: Major
    • None
    • 2.3, 2.4
    • Authentication
    • None
    • MOODLE_23_STABLE, MOODLE_24_STABLE

      It is 2012 and Moodle is still using md5 as a hashing algorithm. Even though salt support is added, it is now time to follow the latest trends and upgrade this to use the following scheme:

      • Every password has its own salt
      • Use CRYPT_BLOWFISH for hashing passwords

      This would imply the following changes:

      • Update validate_internal_user_password to use new hash check
      • Update hash_internal_user_password to use new hash method
      • Expand password field in user table to 64 characters, since Blowfish produces a hash merged with the individual salt.

      With these changes any potential rainbow attack would be seriously crippled, at least for the time being.

            skodak Petr Skoda
            darko.miletic Darko Miletic
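
The scheme proposed in this issue, as an added PHP example that is neither Moodle's code nor the reporter's: a per-password salt hashed with CRYPT_BLOWFISH through `crypt()`, plus a login-time upgrade path for existing md5 hashes, which goes beyond what the issue describes. The function names, the cost of 10, the `$2y$` prefix and the legacy `md5(password . site salt)` layout are assumptions.

```php
<?php
// Added example, not Moodle code. Function names, the cost value and the
// legacy site-wide salt layout are assumptions made for illustration.

const EXAMPLE_BCRYPT_COST = 10; // assumed work factor

// Build a 22-character salt from the alphabet crypt() expects for bcrypt.
function example_bcrypt_salt(): string {
    $raw = base64_encode(random_bytes(16));       // 24 chars, last two are "="
    return substr(strtr($raw, '+', '.'), 0, 22);  // map '+' to '.', drop padding
}

// Hash with CRYPT_BLOWFISH; the 60-character result embeds cost and salt,
// so no separate salt column is needed.
function example_hash_password(string $password): string {
    $setting = sprintf('$2y$%02d$%s', EXAMPLE_BCRYPT_COST, example_bcrypt_salt());
    $hash = crypt($password, $setting);
    if (strlen($hash) !== 60) {                   // crypt() signals failure with "*0"/"*1"
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Returns [valid, replacementHashOrNull]. A legacy md5 hash can only be
// upgraded when the user logs in, because the plaintext is needed to re-hash.
function example_validate_password(string $password, string $stored, string $sitesalt): array {
    if (strncmp($stored, '$2y$', 4) === 0) {
        // The stored hash doubles as the setting string (prefix, cost, salt).
        return [hash_equals($stored, crypt($password, $stored)), null];
    }
    // Assumed legacy format: md5 of the password plus one site-wide salt.
    if (strlen($stored) === 32 && hash_equals($stored, md5($password . $sitesalt))) {
        return [true, example_hash_password($password)];
    }
    return [false, null];
}

// Constructed sample data: one legacy row, verified and upgraded at login.
$sitesalt = 'constructed-site-salt';
$legacy   = md5('correct horse' . $sitesalt);
[$ok, $upgraded] = example_validate_password('correct horse', $legacy, $sitesalt);
[$ok2]           = example_validate_password('correct horse', $upgraded, $sitesalt);
[$bad]           = example_validate_password('wrong guess', $upgraded, $sitesalt);
var_dump($ok, strlen($upgraded), $ok2, $bad);
```

The caller is expected to write a non-null replacement hash back to the user row, which is why the password column must hold at least 60 characters.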