@Groaner said in Compromising MD5/SHA1 hashed passwords:
If your app user can only call stored procedures and select from views, then you have a point. Also, last I heard, stored procedures are so 1990s and the new fad is to use an ORM which requires write access to each of the tables anyway.
You're assuming that the attacker has live network access to the DB as opposed to, e.g., a stolen backup tape or some other data dump.