Encryption within a database is probably something I should do, but I don't for the simple reason that any client application that queries the data must (by definition) be able to decrypt the data. For most of my work, any attack vector would come from the client, so encryption is pointless.
So, the only reason to encrypt a database is to protect it from other forms of access. For example, someone stealing the hard drive, or a backup of the database. Encryption maybe makes sense if the database is on a laptop. But, and this is a big but, the laptop will no doubt have a client installed on it which can read the data. So is anything really achieved???
Other measures, such as not storing plain-text passwords, are far more worthwhile in my book.
I'm willing to admit that I am no expert in this area - so if anyone can put forward an argument for using encryption, I'm listening...