There are two ways to use $md5 for security:

1) For storing passwords: say you have userA with password passA. You would then not save passA on your HD, but 863ca25f827367a6d16d24dd09e92171 ($md5(passA)) instead.
If userA logs in, he gives the pass, the script then does $md5 on the input, and compares it with the stored value.
This way, if someone can read the password list they will only see 863ca25f827367a6d16d24dd09e92171, so they won't know the password of the user.

2) For sending passwords over an insecure connection. The password is saved on the HD as it is (%storedpass = userA). When userA connects, he gets a string (%string = 12345) that hasn't been used before (like $ctime for example). The user then does $md5(%string $+ %pass) and sends the result ($md5(12345passA) = 05adda954c1918730f37b9e4aa62c17b) to the server. The server compares that with $md5(%string $+ %storedpass) (05adda954c1918730f37b9e4aa62c17b) to verify the pass. If someone is listening in on the connection, he can't retrieve the password of userA, because he only knows what $md5(%string $+ %pass) is. This is of no use, since %string is changed every time, so it can't be used to log in again. The only way to get the correct $md5(%string $+ %pass) is to know %pass.

I think you are only interested in 1), since you want to make stored passwords unreadable. (Note that someone could still alter the file with passwords so the saved value matches with whatever he wants)


$input(Me like stars, You too?)
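
The exchange described in 2), with both sides modelled, as an added example that is not part of the original post. It is written in Python rather than mIRC script; the names `Server`, `client_response` and `demo` are hypothetical, and a random string stands in for the `$ctime` suggestion so that two logins in the same second never share a challenge.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """Equivalent of the post's $md5(text): hex MD5 of the text."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


class Server:
    """Scheme 2: the server stores the password and issues one-time strings."""

    def __init__(self, stored_passwords):
        self.stored = dict(stored_passwords)   # user -> password as stored
        self.pending = {}                      # user -> outstanding string

    def challenge(self, user: str) -> str:
        # The post suggests $ctime; a random value is used here (assumption).
        string = secrets.token_hex(8)
        self.pending[user] = string
        return string

    def verify(self, user: str, response: str) -> bool:
        # pop() makes each string single-use: a replay finds nothing pending.
        string = self.pending.pop(user, None)
        if string is None or user not in self.stored:
            return False
        expected = md5_hex(string + self.stored[user])
        return hmac.compare_digest(expected, response)


def client_response(string: str, password: str) -> str:
    """What the user sends: $md5(%string $+ %pass)."""
    return md5_hex(string + password)


def demo():
    server = Server({"userA": "passA"})             # constructed sample account
    first = server.challenge("userA")
    sniffed = client_response(first, "passA")       # what an eavesdropper sees
    ok = server.verify("userA", sniffed)            # legitimate login
    replay_same = server.verify("userA", sniffed)   # string already consumed
    server.challenge("userA")                       # new string for next login
    replay_new = server.verify("userA", sniffed)    # old response, new string
    return ok, replay_same, replay_new


if __name__ == "__main__":
    print(demo())
```

The server has to forget each string once it has been answered; if it accepted the same string twice, the captured response would log in again.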